The pandemic demonstrated the importance of ensuring that resilience is now an integral part of supporting organisations and customers, not just during a crisis, but continuously, through all the challenges of normal operations.
The recent FCA & PRA policy statements are designed to give firms flexibility and proportionality in applying the new Operational Resilience regulations to their respective businesses.
Effective resilience is about having systems and controls in place to enable firms, where possible, to prevent incidents from occurring and having tools in place to help them adapt, respond to, recover, and learn from operational disruptions if they do happen.
A considerable number of business models across the financial service industry are either function, team or process-driven. As a consequence of these approaches, there is a real risk of silos developing, which is where a number of failures materialise.
Business Benefits
The following are just some of the benefits of having an operational resilience framework in place:
In addition, the above benefits help to build customer trust and reduce the costs of disruption.
Business Challenges
When creating a business case for operational resilience it is worth considering some of the challenges that clients are experiencing:
Management Information (Metrics)
Firms are typically focused on the post disruption metrics - impact to the firm either financially, reputationally or regulatory, as a result of an event or incident occurring, rather than measures taken to prevent a disruption and its subsequent impact on consumers, the firm itself or the market.
Identifying Important Business Services (IBSs)
Governance, Management Information (MI) and Reporting Requirements
Another important consideration is how operational resilience will be governed.
A robust Operational Resilience governance framework will enable firms to streamline their priorities and allow them to focus on the Pillars (people, facilities, IT, data and outsourcers) that support their Important Business Services (IBSs).
A clear line of sight is particularly important for senior managers to understand any issues or weaknesses in the Pillars that support their IBSs.
Resilience MI and reporting are essential to becoming more operationally resilient as a firm, as well as meeting evolving regulatory expectations.When the above are in place, key stakeholders will have clearer visibility, enabling effective evaluation and monitoring of resilience performance and key risks.
Viewing the firm through a service lens engenders better coordination across silos, as brings together teams across business and technology to work towards achieving goals, reaching better resilience outcomes, reducing duplication and inefficiencies.
Deploying a strategic approach to operational resilience enables senior management and boards to evolve their structures and support mechanisms to ensure that individual and collective accountabilities are met, and robust evidence is maintained to demonstrate that reasonable steps have been taken to address areas of weakness.
The inclusion of appropriate resilience MI is critical when establishing a firm's reporting framework. It is not uncommon for firms, in the early stages of developing their resilience MI, to have some limitations with regards to their current MI suite, in terms of it being focused in the right areas.
Many firms are discovering that their existing risk management systems are not configured for the demands of operational resilience.
They are typically focused on the post disruption metrics - impact to the firm either financially, reputationally or regulatory, as a result of an event or incident occurring, rather than measures taken to prevent a disruption and its subsequent impact on consumers, the firm itself or the market.
As a starting point, firms should review their risk data, MI and reporting that they currently capture and track to consider whether, when viewed through the business service/Pillar lens, it could be used as a basis for resilience.
For further insights on Operational Resilience, go to our Operational Resilience micro-site