From Resilience to Excellence: The Time Is Now
The timelines are clear. By 31st March 2022, UK financial services institutions must implement the Operational Resilience regulatory obligations that have been outlined by the PRA, FCA and Bank of England.
In summary, firms are required to do the following:
- Identify their Important Business Services
- Document end-to-end service maps for each of these services, identifying the people, systems, third parties, information and facilities that underpin them
- Set Impact Tolerances for each service
- Define and execute severe but plausible scenarios
- Identify all service-related vulnerabilities and define appropriate remedial actions
- Complete a board-approved self-assessment
Operational Resilience is not just a standalone function or process, it is an outcome that brings together multiple interdependent components of an organisation’s operating model, which ultimately need to unite for firms to be able to “prevent, respond and recover” from operational disruptions. Given the far-reaching nature of the regulation, taking a holistic approach from an operating model perspective is a good fundamental starting point when addressing this new regulation.
The key components of a firm’s operating model can be categorised across the following 7 dimensions. The related Operational Resilience impacts and considerations are also included below against each of the dimensions.
- Vision & Strategy: To be clearly defined and align to the wider business and organisational objectives
- Standards & Policies: A clear structure of frameworks, standards and policies for Operational Resilience which align with existing regulations and frameworks across the organisation. (e.g., Risk & Control Framework, Outsourcing, Business Continuity, Crisis Management)
- Processes: Key supporting processes are required to maintain and monitor Operational Resilience and support Important Business Services (these will also need to work in tandem with an organisation’s existing operational landscape
- Technology & Data: Appropriate IT and data strategy and architecture underpinning the technology required to support Important Business Services and the Operational Resilience workflow. (as well as key back-ups – e.g., disaster recovery plan and site)
- People, Organisation & Culture: Key personnel who will be accountable and responsible for Operational Resilience, the processes impacted downstream and the shift in organisational culture
- Governance & MI: Timely, useful and accurate MI to ensure that the Board and senior management can ensure effective prevention, response and recovery across the organisation. (e.g., KRIs, Incidents, SLAs)
- Sourcing & Location third party outsourcing, premises and procurement (e.g., disaster recovery sites, data centres and dependencies on head office)
Whilst some organisations consider Operational Resilience as another regulatory burden, other more forward-looking firms are seeing this as a prime opportunity to enhance their operational performance.
At BCS we also believe this presents a timely opportunity to critically assess operating models and their underlying processes, through the following three lenses:
- Process Improvement
- Opportunities for Automation
- Cost Optimisation
From Resilience to Excellence – The Opportunity
The COVID-19 pandemic has accelerated a range of shifts in the way organisations operate internally, as well as how they serve their customer base. Working from home, the potential demise of business continuity sites and a shift towards digital channels have all put the spotlight on how firms deliver their Important Business Services. Such rapid adoption of technology has increased the dependency on underlying processes and infrastructure, meaning that a system failure could cause intolerable harm to customers. The pandemic itself has also proven to be a ‘real-life test’ of how resilient firms really are. Where organisations have managed to withstand this period, now is the time to assess how things could be done more effectively and efficiently.
Developing a comprehensive understanding and mapping of existing operational processes and assessing strengths and shortfalls is an invaluable exercise for any organisation. For Operational Resilience specifically, Important Business Services are supported by many lower-level processes that are ripe for improvement. Typical focus areas to explore across processes include the dimensions of people, technology, data, locations, SLAs and third parties. For example, by mapping out key processes end-to-end, it may become apparent that customer experience could be enhanced for online banking transactions, or that complaints or payroll services rely too heavily on manual intervention from a small number of key personnel with specific skillsets and system access requirements. This may lead to key personnel risk, system dependencies, bottlenecks, and slower turnaround times, ultimately leading to issues with the delivery of Important Business Services.
Understanding and mapping key processes also allows organisations to identify where waste currently exists, or even where a process is fundamentally outdated or broken. For example, across a technology landscape, is there an over-reliance on third parties or legacy systems? Are there backups and workarounds for key systems or key personnel? Is there a process in place to ensure visibility if an Important Business Service is interrupted and harm is caused to consumers? Perhaps MI or KPI processes could be improved to highlight potential weaknesses within an Important Business Service, which will allow an organisation to acknowledge and reduce vulnerabilities. Ultimately, optimising processes proactively reduces risk, increases control, and facilitates better operational decision making which benefits internal staff and external customers. So, once underlying processes are mapped and understood for Operational Resilience purposes, there is a clear opportunity to deliver their intended outcomes more efficiently and effectively
Opportunities for Automation
Automation is another hot topic in the increasingly digital environment we operate in, however it must be approached with a strategic mindset. Use it smartly and you will free up time and resources to re-prioritise and focus on higher value tasks, such as enhancing customer experience. Rely too heavily on automation, and systems architecture becomes disjointed and creates further system friction across the technology landscape. Additional complexity within the technology landscape could increase that risk of vulnerability if there was an outage, so it is important to consider where automation is appropriate.
Once firms have identified processes that would benefit most from being automated, it is critical that these processes are correctly mapped. Typically, processes that might be suitable for automation are highly manual, data intensive, repeatable and require limited human judgement. Examples may include letter generation and issuance, KYC and customer screening, and loan and payment processing. The overarching aims of automation are to reduce risk, increase process quality and speed to market, whilst also enhancing customer experience. Once appropriate process candidates have been selected, it is vital to strike the right balance between human and programmatic involvement. Automation should be viewed as a driver to make people more efficient, rather than to replace them entirely. Therefore, a hybrid approach is often the most effective. Human judgement and skillsets are critical in providing the necessary controls and governance surrounding systems or processes. For example, complaint handling and product queries require a human touch, and so should be approached judiciously from an automation perspective.
It follows naturally from improved process performance, as well as identifying automation opportunities, that areas suitable for cost optimisation will start to emerge. While becoming operationally resilient will allow firms to reduce risk through their ability to recover from disruptions, there is also the opportunity to identify cost savings by reviewing the overall operating model and the processes that support the delivery of Important Business Services. Taking the time to conduct this review will identify areas of high spend and waste which can present quick wins or even strategic cost optimisation initiatives. One of the most pertinent examples is the future shape and need of the business continuity plan, site, test and associated roles. In the post pandemic world, a review of premises and location can also reveal potential cost saving opportunities, following recent shifts in hybrid working and increasing demand for digital services from customers. At a more detailed level, further examples include an inefficient and expensive KYC process which may be better served being conducted offshore by third parties, or via automation as outlined above. Additionally, some firms operate an arduous complaints process which relies on high cost or outdated technology which requires regular maintenance. And so, conducting a review of the operating model and its underlying processes could prove a fruitful exercise and help identifying areas of inefficiency, as well as informing specific initiatives to optimise costs.
In summary, the FCA, PRA and Bank of England are providing financial services institutions with the perfect opportunity to take a step back and review their operating models, supporting processes and cost bases, to assess how these can function more effectively and efficiently.
Although the immediate need is for firms to meet regulatory requirements and to ensure the resilience of Important Business Services, we argue that this period offers a far greater opportunity.