Most dual-regulated and SMCR enhanced firms have made progress with operational resilience. However, we’ve found that inertia arises frequently when identifying Important Business Services (IBS).
Both large and small firms seem to encounter a common set of challenges at this phase.
Sam Tyler, one of our Risk and Resilience Analysts, outlines some of these challenges.
Defining services at the correct level of scope
Applying the correct level of scope to your IBS identification process is critical. Being both too granular or not granular enough can hide resilience gaps.
A common stumbling block occurs when considering each individual channel required to deliver a service. By approaching the IBS identification process in this way, you may misunderstand if a customer is truly being put into a position of intolerable harm.
For example, an Insurance firm may consider “Contents insurance Claims” as an IBS. The temptation may be to go a level deeper and define the business service via channel, such as ‘Contents claims via telephone’. However, by doing this there is a potential that you do not consider that should the service be unavailable, a customer may be able to access the same overall service of ‘Contents Claims’ via email or another channel.
If the service could be easily accessed via a different channel, it could be argued that it does not cause intolerable harm to the customer.
Conversely, when looking at services through a product lens, the opposite can be true and in fact, it is recommended to consider all the service outcomes available as part of a product.
The number of services associated with a product can be long, and you may be able to uncover multiple causes and examples of intolerable harm through what may be considered the same overall product – thus potentially discovering multiple IBSs.
A good example comes from a breakdown cover product in insurance. Initially, it may be tempting to consider an overarching IBS of “breakdown cover claims”. However, there are potentially several discrete IBSs within “breakdown cover claims”, such as “provision of roadside assistance’ or “provision of a courtesy car”. These additional IBSs will only be uncovered by applying a high degree of granularity through a product lens.
Defining services that are business services, internal services, and underpinning services
A common headache in the IBS identification stage is determining whether a service falls into one of three categories: a business service, an internal service, or an underpinning service.
- A business service is a service that is provided to an external end-user that is performed by the business and is a single service as opposed to a collection of services
- An internal service performs processes for the business to function and shouldn’t be considered for IBS status (even though they can be important to the business)
- Underpinning services are services that usually sit behind multiple business services and are often critical in the running of Important Business Services
An Important Business Service must be a business service, and not an internal service or underpinning service.
Confusion sometimes occurs when classifying underpinning services as business services. Like internal services, the business may classify them as crucial to the operating of the business, however, the regulation would not define them as important business services. (Note, these services will be mapped during the mapping phase of operational resilience, should they underpin Important Business Services).
Designing and using a competent and reliable methodology is essential to distinguish between these three categories and without that methodology, indecisiveness can often reign.
Defining intolerable harm
Defining intolerable harm is crucial to support the identification of Important Business Services. However, at times it is not obvious what constitutes intolerable harm and the potential consequences of a disruption to individual customers.
Examples of intolerable harm vary, depending on the role of a business, the industry they operate in, the customer base and the products they offer. For an insurance firm that offers a travel insurance product that also includes medical cover, it is obvious to see the consequences of a disruption to the claims service, i.e., a policyholder without medical cover, with the policyholder not receiving treatment.
If we take another example, of a Savings and Investments firm that specialises in children’s savings accounts (CTFs/JISAs), then what can be defined as "intolerable harm" is more nuanced. Clearly, a customer won’t be left in a vulnerable position in the same way as disruption to medical cover, due to the nature of these products. Finding where intolerable harm can occur will ultimately be more difficult. This is where a strong IBS and intolerable harm assessment methodology is key.
Nonetheless, if you cannot find intolerable harm that could be caused by a disruption to a business service, then it cannot be an IBS.
When looking at intolerable harm caused to the customer by disruptions, time criticality is often the biggest indicator. The long-term nature of Pensions and Investments products is an important consideration.
For example, with life protection, “money in” services such as payment of premiums are often more time-critical than “money out” services such as death claims.
A customer expects and requires that they are always covered, and an inability to keep them covered is intolerable harm. A failed premium payment (due to a disruption to a particular service) could lead to, under certain circumstances, a cancelled policy, and a customer without cover.
Death claims on the other hand do not have the same level of time criticality. Estates can, and often do, take months to settle and so it’s difficult to argue that with such low levels of time criticality that it can be an Important Business Service.
With a pension provider, ‘money in’ services such as paying into a pension are less time-critical to the customer. A customer pays into a pension to see the benefits in their retirement, which could be decades away. Therefore, it’s difficult to argue that with this level of time criticality, that a plausible disruption to this sort of service would cause intolerable harm.
‘Money out’ services though, are the opposite of this. A ‘money out’ service such as ‘Pension Payments to the customer’ are clearly far more time-critical and it’s easy to see where intolerable harm may occur, i.e., delayed payments to customers relying solely on their pension as a retirement income could result in missed payments to financial commitments.
How FourthLine can help:
FourthLine is working with several clients to help them achieve compliance and react to the challenges of the new operational resilience regulation, through a mixture of consulting and recruitment services.
You can get in touch here to find out more about our tailored and proportionate responses for Operational Resilience.
We found the best way to start the process of board engagement is to invite key board members to our tailored 90-minute Operational Resilience engagement workshop. Find out more about booking a workshop here>
For further insights on Operational Resilience, go to our Operational Resilience micro-site