Operational Resilience has been a significant change management focus for financial services firms.
As firms transition resilience into BAU, there are divergent priorities across the sector:
- Less mature firms are creating a resilience framework and understanding how best to manage resilience through appropriate governance
- Some firms are considering how to integrate operational resilience into their wider ERMF with many focused on the integration with other protective and recovery disciplines
- Many firms think tooling is the answer to managing resilience longer term and are carrying out vendor selection processes
- Larger firms have chosen to “eat the frog” first, and tackle legacy technology vulnerabilities through new architecture adoption
- Advanced firms are considering how they can introduce “resilience by design” into change management, new products, and services by creating “resilience principles”
- There are also those firms, that still don’t realise the true value of resilience and focus only on refreshing their Important Business Services and updating the Self-Assessment
However, as we move to the next deadline of March 2025, the most common priority is to establish an appropriate method to monitor, measure, and report on Operational Resilience.
Through our review engagements and client interactions, we see three reporting challenges more commonly than any others:
- Our advisory reviews have seen several non-existent resilience controls environments. The starting point for maturity is to ensure that resilience-related risks and risk disciplines are linked together through standards and controls. In many cases, Resilience has been implemented in a silo and firms need to create an integrated, controls-led relationship to deliver effective resilience. Some firms have made the mistake of implementing a tool into an immature or non-existent control environment which creates poor ROI and puts the onus on the tool, not the firm, to fix and manage resilience.
- Resilience MI should be forward-looking, a Key Risk Indicator rather than a Key Performance Indicator. In most firms we’ve reviewed, resilience MI does not exist, or is backward-looking. This point-in-time reporting provides a snapshot of how resilient the firm was over the last reporting period. This is important for assessing control effectiveness. However, it does not give your board or Risk Committee a view of how resilient you are today, next week, or next month.
- Where Resilience MI is non-existent, firms often cite a lack of resilience data as a barrier to reporting. For these firms, the challenge is often about understanding which existing data they can use to report on resilience. They may need to apply a different lens, slice the data differently or aggregate existing MI to produce a “resilience view”.