Operational Resilience inertia set in for many firms amid competing priorities, and they spent Q1 2023 remobilising their Operational Resilience programmes to get through the 2023 self-assessment process. In refreshing the programme and taking a view on how to gear up for the 2025 deadline, firms have accepted that developing maturity is essential in creating resilient operations that protect the firm, and the firm’s customers.
For firms remobilising their programmes, and looking for direction on maturity activities between now and 2025, we suggest three good places to start:
- Review current capability, resilience documents and supporting processes and enhance those in line with regulatory and operationally effective objectives
- Develop and implement a Resilience Target Operating Model
- Focus on ensuring regular, repeatable reporting to evidence ongoing management of Operational Resilience
This blog focuses on a suggested review process, with a follow up to support your Target Operating Model development.
The review will provide a point in time assessment of your current resilience capability. It should help to identify where you have programme vulnerabilities, and how you will need to prioritise your resources to meet the required improvements.
Your review should focus on the subject areas that combine to make an operationally effective resilience programme.
Therefore, you should be broad in scope, and consider not only your FCA / PRA Operational Resilience policy response, but also:
- Business Continuity Plans and BIAs aligned to Important Business Services
- A sample of typical Business Continuity Plans and BIAs for wider business services (internal and external)
- Technology Incident Management
- Crisis & Incident Management
- IT Risk Management
- Third-Party Risk
- People Risk
- Process Risk
- Cyber Risk Management
- Change Management
- Data Risk
- Physical Risk
For each subject area, you should consider how this could impact or consider operational resilience objectives.
Firms should conduct a desktop assessment of:
- strategy,
- plans,
- assessments,
- frameworks,
- policies,
- governance,
- roles and responsibilities,
- risk appetite,
- reporting and associated artefacts,
- and processes...
...to determine compliance gaps, maturity considerations, data quality in the documents, and completeness and quality of documents and general approach.
Once you have a clear view on any artefact gaps, you should spend time with the business to find out how effective your approach and processes are in supporting resilience.
You should conduct workshops with key stakeholders to understand how the documents are understood and used by the team. This will give you a pulse on the operationalisation of your programme, and how integrated your approach is in positively creating resilient outcomes.
Suggested outputs are a high level report which summarises any artefact and capability gaps with recommendations fed into a project plan to support any remediation activity.
To enquire how our Operational Resilience specialists can help your firm with moving to Operational Resilience maturity, enquire here or book a time with one of our consultants here now
