Operational Resilience Outlook - Internal challenges to consider

In my last blog, I discussed a few external indicators that should be considered in the transition period in order to build a mature view of resilience.

In this blog, I also highlight a few internal factors that in-scope financial service firms should consider. 

Since the regulators published their Operational Resilience policy statement back in March 2021, financial service firms have spent a lot of time and resource on developing a framework and creating a self-assessment document to present to the regulators if requested.

However, most of the work still lies ahead. Firms are now in the Operational Resilience ‘transition period’, which runs until 31 March 2025, and the actions that firms take during this period will be critical to achieving resilience.

Maintaining the momentum they built during the last year will be critical. Firms will face many internal and external challenges while building and embedding their resilience programme over the next three years.

Here are a few internal factors that should be considered in the transition period in order to build a mature view of operational resilience.

  • Resilience has been delivered largely in silos. It now requires integration with other jurisdictions, other risk capabilities, a framework and a defined operating model to ensure strong management. This exercise will give clarity on cyclical resilience activities as the programme transitions to business as usual (BAU).
  • A defined strategy should make clear the aims of the resilience programme and how it aligns with corporate strategy over the next 5 years. A fundamental part of the strategy is a clear articulation of the required investment plan to remain inside tolerance by 2025
  • In most cases, Important Business Services were defined according to regulatory criteria. Whilst satisfying the regulation, they may not include other business-critical services that are key to the commercial operation of the firm and may determine a more complete view of firm-wide resilience
  • A major point of value of operational resilience is understanding where service or resource vulnerabilities exist. Improving the granularity of mapping to determine vulnerabilities, and then acting on those vulnerabilities, is key to closing any gaps and remaining inside impact tolerance
  • Understanding the people and processes involved in responding to an Important Business Service outage is critical. Updated Incident and Crisis Management plans and IBS outage playbooks should document how to respond when the inevitable happens
  • Determining appropriate metrics for resilience effectiveness is an important tool to operationalise the programme in BAU. A standard approach to reporting, including dashboards and templates, ensures consistency

Significant, long-term investment of time and resource remains for in-scope firms, especially in engaging with third-party providers that support the delivery of important business services and in building robust scenario testing programmes that can demonstrate the progress they are making in enhancing their resilience.

How FourthLine can help:

FourthLine is working with a number of financial service firms to help them with Operational Resilience enablement and Outsourcing and Third-Party Risk Management (OTPRM), through a mixture of consulting, managed service and resourcing options.


June 23, 2022
Written by Daniel Waltham

Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. Ten years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.