Operational Resilience - The key business benefits and challenges

The pandemic demonstrated the importance of ensuring that resilience is now an integral part of supporting organisations and customers, not just during a crisis, but continuously, through all the challenges of normal operations.

The recent FCA & PRA policy statements are designed to give firms flexibility and proportionality in applying the new Operational Resilience regulations to their respective businesses. 

Effective resilience is about having systems and controls in place to enable firms, where possible, to prevent incidents from occurring and having tools in place to help them adapt, respond to, recover, and learn from operational disruptions if they do happen.

A considerable number of business models across the financial services industry are function-, team- or process-driven. As a consequence of these approaches, there is a real risk of silos developing, which is where a number of failures materialise.

Business Benefits
The following are just some of the benefits of having an operational resilience framework in place:

  • Increase customer retention and attraction, as customers value resilience and reliability
  • Effective prioritisation of investment decisions and allocation of resources in accordance with the demands of the business
  • Stable IT systems and platforms, based on sound investment decisions, enable firms and employees to focus on value-adding innovation, rather than constantly dealing with fixes, security issues and remediation

In addition, the above benefits help to build customer trust and reduce the costs of disruption.

Business Challenges
When creating a business case for operational resilience it is worth considering some of the challenges that clients are experiencing:

Management Information (Metrics)

  • Sourcing / defining resilience metrics for each of the Pillars (people, facilities, IT, data and outsourcers)

Firms are typically focused on post-disruption metrics (the financial, reputational or regulatory impact on the firm of an event or incident occurring) rather than on measures taken to prevent a disruption and its subsequent impact on consumers, the firm itself or the market.

Identifying Important Business Services (IBSs)

  • Lack of a defined methodology in the identification phase
  • Insufficient evidence/justification to support IBS status

Mapping Important Business Services (IBSs)
  • Distinguishing between product lines, processes and services, especially where specific knowledge of certain products is required to deliver the service
  • Stakeholder engagement: ensuring that those involved in the mapping have a clear understanding of their accountabilities and responsibilities, so that they provide the required support

Setting Impact Tolerance
  • Lack of definitions of vulnerability, making it difficult to consider vulnerability consistently as part of impact tolerance
  • Finding the balance between over-committed impact tolerances (too short, with a high risk of breach and regulatory reporting) and meaningful impact tolerances (not so long that they are impossible to breach in any severe but plausible scenario)

Governance, Management Information (MI) and Reporting Requirements
Another important consideration is how operational resilience will be governed.

A robust Operational Resilience governance framework will enable firms to streamline their priorities and allow them to focus on the Pillars (people, facilities, IT, data and outsourcers) that support their Important Business Services (IBSs).

A clear line of sight is particularly important for senior managers to understand any issues or weaknesses in the Pillars that support their IBSs.

Resilience MI and reporting are essential to becoming more operationally resilient as a firm, as well as meeting evolving regulatory expectations.

Several factors contribute to firms becoming operationally resilient, such as:
  • Clarity of the firm's strategic direction
  • Defined roles and responsibilities
  • Effective governance
  • Clear & concise methods of streamlining priorities

When the above are in place, key stakeholders will have clearer visibility, enabling effective evaluation and monitoring of resilience performance and key risks.

Viewing the firm through a service lens engenders better coordination across silos, as it brings together teams across business and technology to work towards achieving goals, reaching better resilience outcomes and reducing duplication and inefficiencies.

Deploying a strategic approach to operational resilience enables senior management and boards to evolve their structures and support mechanisms to ensure that individual and collective accountabilities are met, and robust evidence is maintained to demonstrate that reasonable steps have been taken to address areas of weakness.

The inclusion of appropriate resilience MI is critical when establishing a firm's reporting framework. It is not uncommon for firms in the early stages of developing their resilience MI to find that their current MI suite has some limitations, in terms of whether it is focused on the right areas.

Many firms are discovering that their existing risk management systems are not configured for the demands of operational resilience. 

They are typically focused on post-disruption metrics (the financial, reputational or regulatory impact on the firm of an event or incident occurring) rather than on measures taken to prevent a disruption and its subsequent impact on consumers, the firm itself or the market.

As a starting point, firms should review the risk data, MI and reporting that they currently capture and track, and consider whether, when viewed through the business service/Pillar lens, it could be used as a basis for resilience.

How FourthLine can help:
FourthLine is working with several clients to help them achieve compliance and react to the challenges of the new operational resilience regulation, through a mixture of consulting and recruitment services.



October 18, 2021
Written by Tom Clark

Tom is a seasoned financial services risk & compliance professional with over 30 years of experience. Most recently Tom has been instrumental in developing and embedding Operational Resilience frameworks, including managing Business Incidents, Business Continuity, Disaster Recovery and Health & Safety across numerous large Financial Service Firms. In addition, Tom has been responsible for leading & delivering strategic projects around key business areas such as building and enhancing governance and oversight models, including Operational Resilience. Tom has also operated as an Operational Resilience SME, in organisations involved in the creation of joint ventures and material outsourcing engagements and has played a key role in contributing to the response to the Operational Resilience Consultation paper and the requirements of the subsequent policies in terms of assisting firms with identifying, mapping & setting impact tolerances for their Important Business Services.