Operational Resilience: More than Mere Compliance
The financial services industry will fail to become truly operationally resilient if regulatory requirements are the sole focus.
Rising external threats, increasing internal vulnerabilities, an ever-growing dependency on third parties, and the shift to remote working – all of which have been aggravated or accelerated by COVID-19 – have led financial services institutions to reassess their ability to withstand severe operational shocks.
It is no surprise, then, that operational resilience is a hot topic – and not just in Risk Management or Business Continuity circles. As well as preparing to meet the incoming regulatory requirements around operational resilience, firms should use this as an opportunity to strengthen and align their existing risk and business continuity operating models, so that there is no overlap between them and no unnecessary inefficiency is added to the organisation or its cost base. Successfully embedding operational resilience practices will enable businesses to derive a number of additional benefits, including offering a more reliable service to their customers, driving business performance improvement, and improving cost efficiency.
Operational resilience can mean different things to different people, so if you are new to the subject, please read sections 1 and 2 below. If you are already familiar with operational resilience, please go straight to section 3.
1. What is operational resilience?
The UK supervisory authorities (the Bank of England, PRA and FCA) published a joint discussion paper on Building the UK financial sector’s operational resilience back in July 2018. This paper started a dialogue across the financial services industry on operational resilience and the ability of firms and the financial sector, collectively, to prevent, adapt, respond to, recover from, and learn from operational disruptions.
The consultation period for the subsequent package of consultation papers closed on 1st October 2020, and final policy statements are expected in Q1 2021. Once published, firms will have 12 months to transition to the new rules, with a further three years to remediate any vulnerabilities or weaknesses in resilience. The regulators have stressed that firms must be able to remain within impact tolerances “as soon as reasonably practicable, but no later than three years, after the rules come into effect”.
So, to be clear: that’s one year to put in place all the ‘machinery’ needed to monitor the resilience of important business services and identify any weaknesses, followed by three years to remediate any gaps (e.g. replacing old systems or moving to alternative third-party suppliers).
2. What have the regulators asked for?
The objective of this regulation is to build the resilience of the financial sector so that it is better able to absorb operational shocks and continue to provide ‘important business services’ during periods of disruption.
The consultation papers have outlined that firms will need to:
- Identify their Important Business Services. These are the services that, if disrupted, would most likely cause intolerable levels of harm to organisations, consumers or the integrity of the wider market;
- Document end-to-end maps for each of these Services, including the people, processes, technology, facilities, information and third parties required to deliver them;
- Set Impact Tolerances for each service. This is the maximum level of disruption to an Important Business Service that could be endured before intolerable harm is caused;
- Define and execute severe but plausible disruption scenarios to assess whether Important Business Services can be resumed within Impact Tolerances;
- Identify all vulnerabilities and weaknesses that threaten the firm’s ability to deliver Important Business Services and define remedial actions; and
- Complete a board-approved self-assessment which clearly outlines the approach taken for the six activities above.
3. Why is regulatory compliance not enough?
Given how aggressive the proposed regulatory timelines are, most firms have already started to define the capabilities needed to meet the requirements set out in the 2019 Consultation Papers. For example, many firms have made significant headway in identifying and mapping their Important Business Services, as well as setting Impact Tolerances for some of these services.
Whilst it is critical that firms strive to meet all regulatory requirements, they should acknowledge that a mentality of ‘just’ needing to meet the requirements will not lead to long-lasting and sustainable operational resilience. There are three reasons why regulatory compliance is not enough:
- Domestically, there are similarities between operational resilience and policies related to recovery and resolution or operational continuity in resolution. Standing up a new operational resilience framework without consideration of existing capabilities will lead to increased complexity and result in significant duplication of effort;
- Operational resilience is not just a hot topic for the regulators in the UK; several other regulatory bodies have also launched initiatives to bolster operational resilience across the financial services industry. Multiple policies from many jurisdictions mean there is no single version of operational resilience that international firms need to meet; and
- Lastly, this is a new subject, and both the regulation and firms’ compliance approaches are likely to evolve as understanding across the industry matures.
Simply implementing the letter of the law, rather than the spirit of the law, will likely result in duplicated effort in the short term and rework in the long term. Firms that adopt a more strategic approach to operational resilience will realise a number of additional benefits that could be missed if simply meeting the minimum regulatory requirements is the goal. These include:
- Alignment with existing operational risk, business continuity and organisational models to reduce inefficiencies and unnecessary additions to the cost base;
- Improved visibility and management information (MI) over the performance of key business services and the resources required to deliver them, resulting in a more reliable level of service delivery to clients;
- Better oversight and control over outsourced business activities;
- Better understanding of vulnerabilities and improved ability to prioritise and target investment accordingly.
4. What can firms do to ensure long-term operational resilience and harness the benefits?
Rather than focus solely on regulatory compliance, the main drivers for successfully embedding operational resilience should revolve around establishing a resilience-centric culture and broader business benefits. At a minimum, firms should have a clear purpose, strong leadership and logical policies & procedures – all underpinned by effective governance.
Purpose
Having a common vision for operational resilience for the organisation will help to garner support from different business areas. The supervisory authorities in the UK define operational resilience as “the ability of firms to prevent, respond to and recover from operational disruptions”. However, given the different priorities and business models of different segments of the financial services market, individual firms shouldn’t rely on the definition of operational resilience provided by the regulators alone. Instead, they should identify what is important to them and agree a meaningful purpose. For example, being operationally resilient can also help to deliver better customer outcomes, achieve better performance and realise efficiencies.
Leadership
Throughout the consultation period, we have seen an extraordinary degree of collaboration across the industry: between different firms and between the industry and the supervisory authorities. In the absence of clear regulatory guidelines, cross-industry forums like the Operational Resilience Collaboration Group (ORCG) and the Cross Market Operational Resilience Group (CMORG) are all pulling together to define a common approach to operational resilience, including common methodologies. This kind of teamwork is unprecedented.
Nevertheless, there is still plenty of work needed to improve cross-functional collaboration within firms. While the COO (SMF24) holds ultimate accountability for operational resilience, the size of the task means that it must be a team effort – Business Heads (SMF6, Head of Key Business Area) must also take accountability for the resilience of Important Business Services that come under their remit. Currently, many firms struggle to identify a single owner for an Important Business Service because services are, by their very nature, cross-functional. Operational resilience is not the responsibility of one team. Much like operational risk or conduct, for a firm to be truly operationally resilient, all employees need to understand why it is important, and need to be given the appropriate tools to live and breathe it. Setting a clear tone from the top will help firms to adjust to this new way of working.
Policies & Procedures
The flurry of papers from various supervisory authorities has a common objective. But given they are all largely principles-based, they don’t offer much, if any, practical guidance on how firms can achieve operational resilience. The UK authorities are unlikely to explain how the various frameworks should come together; this is something firms will have to figure out for themselves. Each firm must define and implement its own internal rules and standards.
‘Operational risk’ and ‘operational resilience’ are two sides of the same coin, and many firms will be looking to leverage existing risk management, business continuity and crisis management frameworks and standards. The umbrella of policies and standards should continue to focus on preventative measures for the identification and mitigation of risks, but should also look to include response and recovery measures for when risks do materialise.
Establishing a culture of operational resilience can be encouraged through appropriate policies, particularly via incentivising appropriate behaviours. This obviously includes remuneration, but also extends to a far broader set of considerations, including progression, promotion, recruitment, diversity and inclusion, and speak-up culture.
Governance
In the broadest sense, ‘governance’ is the process by which decisions are made within a firm. Boards have the explicit remit to ensure the effective governance of an organisation, including full oversight of matters affecting resilience and viability. Board members do not need to be experts in operational resilience, but should be able to challenge management teams to ensure that the right culture is in place to support resilience and to confirm that investment is being targeted at the areas that, if disrupted, would cause the greatest harm to customers, the firm or the market.
Management will require comprehensive reports to monitor the resilience of end-to-end services, as well as the resilience of the underlying resources (people, processes, technology, facilities, information and third parties). Effective governance will help to break down existing silos and encourage a holistic approach to improving operational resilience.
The core purpose of the financial services sector is to provide financial goods and services to people and corporations. It is one of the most important sectors of the economy – and one of the largest contributors to the UK’s – so it is in everyone’s interests that the mechanics for providing these services are sound and resilient.
Done badly, operational resilience is just another administrative layer adding complexity on top of existing operational risk, business continuity and crisis management practices. Done well, operational resilience can drive efficiencies, deliver better performance, and improve customer outcomes. Firms that approach operational resilience with the intention of satisfying regulatory requirements alone are missing a trick. Rather than trying to purely meet all regulatory requirements, firms should be establishing the building blocks for long-term, sustainable change. Operational resilience is not just another review, another dashboard, another governance forum, and should not be another layer of complexity.
Regulators have given firms the freedom to become more operationally resilient in a way that suits them. Firms now need to take ownership of (and invest in) their strategic operational resilience agendas immediately. Disruptions are on the rise, so firms must be prepared.
Note: see the European Commission’s paper on ‘Digital Operational Resilience for Financial Services’ (Dec 2019); the Monetary Authority of Singapore’s policy on ‘Ensuring Safe Management and Operational Resilience in the Financial Sector’ (Apr 2020); the International Organization of Securities Commissions’ ‘Principles on Outsourcing’ (May 2020); and, most recently, the Basel Committee on Banking Supervision’s ‘Principles for Operational Resilience’ (August 2020).