Operational Resilience: What You Need To Know
Financial institutions have become increasingly susceptible to cybercrime and data breaches in the last decade. These attacks are aimed not only at defrauding individuals or institutions, but also frequently involve malicious damage to data or breaches of security.
The Covid-19 pandemic has only brought further levels of disruption and made it clear that cybercrime is not the only threat to service delivery. Digital transformation programmes have been accelerated as organisations of all sizes adapted to new ways of working and communicating.
Of course, even prior to the pandemic, pressure to improve operational resilience had been growing. In October 2019, the Treasury Committee urged regulators to develop a clearer and more robust framework to push financial sector firms to enhance their operational resilience.
A period of consultation was undertaken and, in 2020, the UK’s financial regulators, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), published a series of consultation papers outlining their proposed approach to transforming operational resilience in the sector.
The new guidelines which resulted from these consultations come into force from 31 March 2022 (delayed by one year from the original date of 31 March 2021), and they will drive important changes in the way financial organisations approach operational resilience.
Understanding operational resilience
‘Operational resilience’ refers to the ability of financial sector firms to deal with disruptions to standard operations as they arise. If important business services are rendered unavailable due to operational disruption, there is the potential for harm to consumer confidence and market integrity, and in turn, the stability of firms and the financial system.
Effective operational resilience ensures a firm has a strategy to prevent, adapt to, respond to, recover from and learn from any issues which may arise. It is what enables organisations to navigate the world around them and the risks posed by a wide range of factors, including geopolitical unrest, natural disasters, IT failures, cybercrime and even the outbreak of a global pandemic.
The new operational resilience regulation compels organisations to replace their existing risk management strategy with a new framework which accepts that disruption is likely to occur in today’s climate.
It places the onus on financial services companies to be in a position where they can absorb and adapt to any shocks to their standard operation, and to remain within pre-identified tolerances for failure. The regulatory framework encompasses prevention, response, recovery and the ability to learn from mistakes after the fact. In short, it is aimed at driving a mindset shift from complete prevention to continuity in the event of a disaster.
Here’s a summary of the Financial Conduct Authority’s advice for organisations to comply with the new regulations:
- Governance: Firms must ensure they have established a framework for decision making, accountability and control over compliance with the new regulations within their organisation. Supervision should be undertaken by those at senior management level, with board-level oversight.
- Business services: Businesses must identify and state the activities which, if disrupted, would harm consumers or market integrity.
- Mapping: Firms will need to identify and document the people, processes, technology, facilities and information used to carry out their activities.
- Impact tolerance: Organisations must set impact tolerances for each important business service identified above (i.e. thresholds for maximum tolerable disruption).
- Scenario testing: They must then test their ability to remain within their identified impact tolerances when exposed to a range of dynamic disruption scenarios.
- Communication: Firms must develop fast, effective internal and external communications plans ready to deploy when their important business services are disrupted.
- Self-assessment: All of the above must be captured in a self-assessment document which provides evidence of compliance.
How could this affect your business?
To ensure they comply with the new regulations and their intended shift in attitude, businesses will need to adapt their approach to operational resilience. We’ve put together a step-by-step guide to help organisations who are taking their first steps toward compliance. For the largest firms, the transformation to full compliance is thought to take up to three years to complete.
To get started, think about the following points and how your organisation would be affected:
- What is the likelihood of disruption to your day-to-day operation and where would it stem from? The pandemic is an excellent recent example but also consider natural disasters, cyber-attacks, terrorism, geopolitical unrest and even a major disruption to power supplies.
- Then, run through all your departments, however small, and highlight how each would be affected by the events you have identified. This may also include third-party service providers, so make sure you capture them in your plan too. Model what the impact on each department would be, particularly on important business services.
- Next, map out what the response would look like. What needs to happen to enable each department to continue to function at the level needed, whether that means normal business operations or a skeleton operation? Is there a cascade effect from one department to another which you need to factor in?
- Identify how this activity would be communicated both internally and externally, including to key stakeholders. If your IT systems have been compromised and you cannot access email or a CRM, how will you contact customers?
Building teams that can cope
According to Josh Angus, MD of specialist FS recruiter William Rose Associates, the key to success lies in the careful construction of teams to lead the processes. The new operational resilience regulations look set to usher in a new culture of careful planning, adaptation and learning in financial services. Those responsible for ensuring compliance will need to focus on four key areas:
- Create an environment which encourages an understanding of impact tolerances and the process of escalation.
- Create a framework whereby risk controls are regularly tested, and put effective monitoring systems in place.
- Follow appropriate due diligence when onboarding new suppliers, and review this process regularly to ensure it is fit for purpose.
- Foster a culture which promotes the idea that learning from incidents is the best pathway to increased operational resilience.