search menu icon-carat-right cmu-wordmark

Carnegie Mellon Software Engineering Institute CERT® Program and FSTC Introduce Resiliency Engineering Framework to Help Organizations Manage Operational Resiliency


Media Contact:

   SEI Public Relations
  Tel: 412-268-4793


PITTSBURGH, PA, September 24, 2007—Requirements-driven security and business continuity are key contributors to operational resiliency according to a recently published report by the Carnegie Mellon Software Engineering Institute CERT Program. The report is a result of ongoing work at CERT and collaboration with the Financial Services Technology Consortium (FSTC) that began in 2005.

FSTC member institutions were looking for innovations in improving and benchmarking operational risk management practices following a series of wake-up calls that occurred with 9/11, regional power outages, increased cyber attacks, and threats of global terrorism. CERT and FSTC realized that the methods being used today by organizations to manage operational risks could be dramatically improved with this new approach.

This report outlines the need for organizations to adopt a process-focused approach for managing operational resiliency, as represented by the CERT Resiliency Engineering Framework (REF). REF is intended to help organizations like financial institutions to improve their ability to adapt to and manage risks from day-to-day operations. The framework identifies the essential enterprise-wide processes for managing operational resiliency and provides a structure from which an organization can begin process improvement of its security and business continuity efforts.


Rich Caralli, senior member of the technical staff at CERT, states that organizations face increasingly complex operating environments that demand new approaches to managing operational resiliency (or operational risk). As such, the report advocates that organizations must refocus their efforts toward taking active control of operational resiliency rather than reacting to operational risks as they are encountered.

“Managing operational resiliency demands continuous improvement to keep up with the evolving risk environment. Traditional security and business continuity efforts cannot sustain these demands without significant convergence,” Caralli says. “To that end, we (CERT) believe that organizations can vastly improve their operational resiliency by viewing it as an engineering-based process that incorporates security and business continuity activities and can be defined, managed, measured, and improved.”

Charles Wallen, FSTC Managing Executive of FSTC's Business Continuity Standing Committee, says that financial services companies recognize the importance of business continuity, managing risks and optimizing resources. He stresses that while REF has been initiated and driven by the financial sector, it is applicable and recommended to all organizations.


“Our partnership with CERT has been extremely valuable. Together we are working to develop and evangelize the concept of resiliency engineering to private and public organizations worldwide,” Wallen said.

“The financial industry needs a common basis for objectively benchmarking and communicating organizational competencies related to operational resiliency. That's what this project is providing,” says Randy Till from MasterCard Worldwide, one of the project participants.

Lastly, the report outlines the future research plans to fully populate the CERT Resiliency Engineering Framework, and its accompanying tools, techniques, and methods. Activities include refining and detailing the framework, working with organizations to pilot the framework, providing training, and developing benchmarking techniques.


“To date, we have outlined the framework that represents our research efforts and our collaboration with FSTC,” Caralli said. “It currently exists as a resiliency engineering body of knowledge. It is our intent to move this from a body of knowledge to a framework and accompanying assessment methodology that can be adopted in organizations worldwide. Organizations have a tendency to state their competency for managing operational risk by bragging that they haven’t been affected. This is not an adequate benchmark of competency, particularly since the range of potential disruptions is vast and unknown.”


About the Carnegie Mellon Software Engineering Institute CERT Program
The CERT Program is part of the Carnegie Mellon Software Engineering Institute (SEI), a federally funded research and development center sponsored by the U.S. Department of Defense. CERT is a center of enterprise and network security research, analysis, and training within the SEI. For more information, visit the CERT Web site at and the SEI Web site at


About FSTC
FSTC brings together diverse, and often competitive financial institutions, industry services providers, government agencies, and others to collaborate and find solutions to key industry challenges. Project topics come from member financial institutions and are driven by participating members with the support of FSTC staff.

# # #


For more information

Media Contacts: 

Richard Lynch