Transitional Period – The next steps for Operational Resilience

As 31st March 2022 ticked by, the first important deadline passed: the end of the implementation period for Operational Resilience.

Over the preceding months, financial services firms have consistently worked to complete all necessary activities mandatory to meet this delivery milestone. So now, they should be in a good position in terms of having a clear understanding of their Important Business Services, Impact Tolerances, and vulnerabilities.

Nevertheless, going forward, a new level of robustness and maturity is required, and the regulators expect firms to continuously improve their operational resilience over time. Firms now need to consider the skills, capabilities, and tools at their disposal and any gaps in resources, know-how and tools needed to achieve long-term resilience maturity.

The regulators expect that the three-year transition period is the time available to firms moving from compliance to long-term resilience.

What are the main next steps that Financial Services firms should consider to make a smooth transition?

• Invest - to fill the gaps identified in their operational resilience capabilities. Creating an investment plan that supports the Board in prioritising technology, resources and capabilities, in order to close vulnerabilities as soon as possible.

• Outsourcing and Third-Party Risk Management (OTPRM) – to help the business in understanding the interplay between Third-Party Risk and Operational Resilience. It is important to create a bespoke, consistent methodology with templates and tools that identify levels of materiality and assess risk. Firms should find a strategy to reduce manual and inefficient processes, improve third party monitoring and reduce the risks in their ongoing relationships.

• Design an adequate Target Operating Model (TOM) – to identify ownership of resilience at different levels and set up a strategic work program. It is essential to define transition plans to shift resilience program activities to BAU over time. Document the TOM including roles and responsibilities of all participants, also including governance forums, and the Board. This is required as evidence for the ongoing operation of resilience controls.

• Resilience Refresh – to increase the sophistication of resilience testing and mapping to continuously improve resilience.

• Metrics – to ensure ongoing, data-driven, real-time monitoring of resilience risks, issues, and gaps and to ensure that meaningful reporting is available to measure the resilience of your Important Business Services for key internal and external stakeholders.

• Integration – to understand the maturity of related resilience capabilities and integrate resilience activities with business continuity management, operational risk management, third party risk management, cyber resilience, threat intelligence and crisis management.

• Resilience by design – to establish resilience by design into new products, new business services, transformation initiatives, and change management processes.

All the above actions are essential for fully transitioning to the desired level of Resilience and to give comfort to the Board that dynamic resilience will be effectively delivered day by day.

Let`s point out that operational resilience is an evolving regulatory principle that requires firms to be constantly informed to ensure that consumer and market disruptions are always managed, in terms of both resourcing and costs. Indeed, firms must consider both the resource needed in the implementation period, as well as the future operating model to run the resilience framework in a BAU capacity.

We are all aware that planning every possible disruptive event may be challenging, nevertheless, with a dynamic and agile approach, it would be possible to look at a variety of delivery models and achieve and sustain resilience in the long term.

Finally, giving firms standard directions on the best model of resilience may be difficult, as it depends on the nature of each individual business. For example, for some, seconding an experienced resource into the operational resilience team could be the best choice in the short term. While for others, a co-sourced model could suit better, as to run the framework in the future.

To discover more on the next steps that Financial Services firms should consider now, check the next steps deck that Fourthline has produced.

How FourthLine can help:

FourthLine is working with a number of financial services clients to help them plan, implement and manage an operational resilience programme through a mixture of consulting and resourcing propositions.

Download our operational resilience service deck  here>