Planning for operational resilience will unquestionably be a strategic priority for firms over the course of 2021 and beyond. In an increasingly interconnected and digitalized world, organizations can be vulnerable to disruptive events related to technology-based failures, system outages and cyber-attacks. This has been further highlighted by the Covid-19 pandemic, with organizations needing to adjust their operational resilience plans to take into account not only the health impact to employees, but also the effects such as the shift to remote working. At the same time, because of climate change, firms also need to consider the increased likelihood of natural disasters threatening significant operational disruption.
Such a diverse risk landscape requires firms to continuously evaluate how they operate, communicate and safeguard against threats – some known, and some not yet known. While predicting a disruption can be challenging, there are measures organizations can adopt to further evolve and enhance their operational planning and response. This is even more pressing in light of the growing attention from global regulators and government agencies who have been gradually increasing their focus and oversight of firms’ operational resilience plans.
In the U.S., recently, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) released an interagency paper outlining sound practices drawn from existing regulations, guidance, statements, and common industry standards, designed to help large banks increase operational resilience.
In the UK, the Bank of England, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have proposed a regulatory framework to promote operational resilience of firms and financial market infrastructures. This has culminated in the three UK supervisory authorities publishing a shared policy summary and coordinated consultation papers aimed at prompting a dialogue with the financial services industry on new requirements to strengthen operational resilience across the sector.
In Europe, policymakers are also addressing this topic, with the European Commission adopting the Digital Finance Package (DFP) in September 2020. This includes the Digital Operational Resilience Act (DORA), which requires participants in the financial system to have the necessary safeguards in place to mitigate cyber-attacks and other risks around the use of information and communications technology.
Until recently, operational resilience was typically developed with a risk-avoidance mindset focused on the end goal: full recovery. However, given the increased regulatory focus in this area, and with organizations facing a greater variety of operational threats than ever before, businesses must widen their planning scope to ensure the continued delivery of critical services, even with some systems becoming unavailable. In response, firms must consider evolving their operational resilience practices while focusing on three key areas:
"While predicting a disruption can be challenging, there are measures organizations can adopt to further evolve and enhance their operational planning and response."
1. Tailored Approach
Firms must assess and develop long-term business continuity plans and operational resilience strategies in accordance with their specific needs and those of the clients they serve. Developing maturity matrices – a “checklist” intended to evaluate how well-developed a particular process or program is – can be beneficial to establishing resilience program goals, as well as to managing expectations and measuring a firm’s performance against those predefined goals. It is no longer sufficient to have an optimum system of risk identification, evaluation, and assessment; companies must now be able to predict potential disruptions and be agile, adaptable, and resilient to continue to thrive. This premise has driven firms’ shift from a pure risk focus to a risk and resilience approach.
2. Know Your Assets
Firms and FMIs can identify relevant risks by mapping important business services to their operational dependencies, including locations, systems, suppliers, and people. For example, organizations need to ensure they know where the critical workforce, such as subject matter experts, key decision-makers and employees with critical skills are located and ensure that the risks associated with geographical locations are understood. A crucial part of an efficient operational resilience strategy is conducting a thorough “bench-strength” analysis, assessing critical processes and the depth of people who are able to provide support. This should include an estimate of the timeframe required for peers to take over the responsibilities of those who are not able to perform them.
3. Supply Chain Disruption
The use of third, fourth and even fifth-party suppliers to deliver a firm’s services, specifically those related to critical operations, has risen in recent years. As such, organizations are increasingly required to establish detailed processes to measure, monitor and control the potential risk exposures associated with outsourcing these services. This includes consideration for testing and availability of backup providers and failover procedures. One of the crucial issues that requires thorough evaluation is how far back in the supply chain organizations are able to go to assess risk threats, particularly for third-party suppliers providing critical services. While opting for supply chain restrictions may be challenging in today’s interconnected operational environment, it is important for firms to realize that it might be more difficult to achieve operational resilience if they rely heavily on vendors with whom they don’t have direct contact.
As a result of the challenges revealed by the Covid-19 pandemic and increased regulatory focus, operational resilience will continue to be a high priority for financial services organizations in the coming months and years. Building a robust operational resilience model is critical to ensure the continued delivery of services. By moving away from a “one size fits all” resilience approach to each firm knowing their unique assets and understanding the implications of a potential supply chain disruption, organizations can tackle key issues head-on and better prepare themselves against future threats.
This article was first published on the IBS Intelligence website on 28 April 2021.