FourthLine Blog

What is a proportionate approach to Operational Resilience?

Written by Chris Moran | November 24, 2022

One of the many questions we are asked by clients is “what is a proportionate approach to operational resilience?” This blog will provide some useful direction to help firms answer this question.

Looking at the Operational Resilience policies, the regulators have indicated that they expect different firms will approach operational resilience with varying levels of programme complexity and investment, but they do not outline any specific measures or criteria to guide firms in defining what is appropriate to them.   

A common mistake is to assume that there is a direct correlation between firm headcount or customer numbers and the appropriate level of programme complexity and investment.  This is only one element in the decision process. 

We suggest firms look at four key considerations: 

  1. The level of risk your important business services pose to customers, the market and the firm. If your customer base includes high percentages of vulnerable customers or particularly time-sensitive deliverables, as evidenced by short impact tolerances (< 24 hours), then it would be appropriate to invest more in preventative measures to reduce the likelihood of disruption, as there is less margin for error in the event of a disruptive scenario.
  2. The purpose of the operational resilience programme is to identify risks and enable decision-making and tracking of remediation activities.  Is the Operational Resilience programme capable of developing appropriate reporting based on up-to-date data and metrics to enable stakeholders to make informed decisions in a timely fashion?  Of note is how quickly new information or risks can be escalated through the governance framework. Prolonged reporting cycles can leave firms unacceptably exposed to risks before stakeholders become aware or are able to make decisions on remediation. 
  3. The complexity of the firm itself. This is where the size of an organisation will be a factor. Firms with more Important Business Services or with more complex resource environments (more technologies, third parties or outsourcing) will require a greater ability to gather and manipulate data to enable the governance programme. This should also consider the stability of internal operations. Firms with significant change agendas, where processes or resources are likely to change more regularly, should ensure that their OR programmes have sufficient visibility of and engagement with these change processes to ensure IBS reporting remains current, effective and accurate.
  4. The volatility of the markets and operating environments that the firm is exposed to. Firms need to ensure that their programme can react to changes in their operating environment. This may include a regulatory change, which may impact the intolerable harm and impact tolerance definitions; geo-political risk affecting not only the firm but also critical 3rd parties, which may significantly impact operating environments (e.g. Ukraine); or environmental factors which may cause increased frequency or scale of surge events (e.g. severe weather events).

Overall the considerations can be summarised into the following questions:  

  • Does our programme sufficiently protect our customers and the market we operate in?   
  • Can we identify risks, and report and manage them in an effective and timely fashion?   
  • Can we track and respond to changes to our operating environment from both internal and external sources? 

The overall responsibility to answer these questions remains with the business, but hopefully these principles will help firms consider their proportionality in a structured, repeatable and documentable way.