Operational Resilience: No time to rest – Transitioning to BAU

A culmination

As we head into the second quarter of 2022, PRA / FCA regulated firms should have completed their Operational Resilience Self-Assessments to meet the 31^st March regulatory deadline. These Self-Assessments are the culmination of a body of work undertaken over the last few years by firms across the industry involving identifying and mapping important business services, setting impact tolerances, running scenario tests, identifying vulnerabilities and developing remediation plans. Time, effort and investment has brought us to this point and we should all rightly acknowledge the good work completed. However, this is no time to down tools.

Don’t rest on your laurels

As with other regulatory deadlines, there is the risk that momentum can be lost. We should remind ourselves that Financial Services firms are expected to have a plan for the three-year transition period which will enable them to remain within their impact tolerances by no later than 31 March 2025¹. Therefore, organisations should not rest on their laurels or become entrapped in a ‘tick the box’ mindset. Self-Assessments will need to be regularly refreshed to show progress made, operating models should be built-out, staffing needs will evolve, maps / tolerances / testing will all need further enhancement, and remediation of vulnerabilities will need to be managed effectively.

Furthermore, firms will have implemented the mechanisms and processes to maintain Operational Resilience in BAU; but how well embedded are these? For example, have the Operational Resilience requirements been fully aligned to and integrated with complimentary risk management frameworks (e.g. Operational Risk)? Do they also align fully with complementary UK regulations such as Operational Continuity in Resolution (OCIR) and Outsourcing and Third-Party Risk Management (SS2/21)?

Widening horizons

Operational Resilience is not only a UK regulatory initiative; supervisory authorities across other jurisdictions are also focusing on this topic. For instance, at a global level, the BCBS’s Principles for Operational Resilience, in the EU, the EC’s Digital Operational Resilience Act (DORA) and, in the US, the FED’s Interagency Paper on Sound Practices to Strengthen Operational Resilience. This is further augmented with legislation produced by the Central Bank of Ireland and the Monetary Authority of Singapore, to name a few examples. Regulators may question global firms that have disparate Operational Resilience approaches across geographies, where they exist, or challenge firms in the future to apply best practice from developments driven by UK legislation to other geographies (and vice versa). While much has been done to meet individual regulatory requirements, longer term benefits and efficiencies can be gained by ensuring greater cross-regulatory and cross-jurisdiction alignment.

So, how do you transition from ‘programme mode’ to BAU, in a sustainable manner, whilst maintaining momentum to continue to build organisational resilience in an operationally efficient way?

Navigating the way ahead

Firstly, an overarching transition plan (moving from Operational Resilience ‘programme mode’ into BAU) should factor in activities from across the Operational Resilience spectrum. The plan should have clearly assigned responsibilities and ownership which is empowered by the Board (who are ultimately accountable) to drive activity and execution across the following areas:

A. People / roles & responsibilities

B. Prioritisation, decision making and investment

C. MI, technology and data optimisation

D. Refining service mapping and scenario testing

E. Embedding / evolving the operating model

F. Lessons learnt

A – People / roles & responsibilities

Having Operational Resilience roles and responsibilities clearly documented through artefacts such as RACIs and Job Descriptions will be vital to transition and BAU running. With Programme teams shifting (or disbanding) as the regulatory deadlines come and go, having a clear picture of which individuals / teams are accountable for key activities will help anchor resilience objectives. This will need to be complemented by a measured recruitment approach which looks at both individuals with existing Operational Resilience experience and those who have tangential skillsets or have developmental potential. As firms become more familiar with Operational Resilience concepts and practices, training courses should be deployed to help embed resilience knowledge and mindsets for the future. This could also involve adjustments to senior management balanced scorecards.

B – Prioritisation, decision making and investment

Alongside targeting the remediation of vulnerabilities, firms should look to prioritise opportunities identified. True vulnerabilities – i.e. items that if not fixed will directly endanger an organisation’s ability to remain within impact tolerances – should be top priorities. Such items should be communicated clearly to Boards in a consumable manner to enable decision making. There is also opportunity here to consider touchpoints with other existing / planned initiatives across the business (e.g. technology, cyber, Operational Risk) to look for synergies, pooling of resources and cost savings. Enhancement opportunities, identified via Operational Resilience activities (e.g. consolidating resilience assessment data with linked functional area data sets such as Procurement), could well feed into and augment existing books of work. Having a clear prioritised view of the suite of vulnerabilities, opportunities and wider in-flight organisational improvement initiatives will enable better decision making and investment choices.

C – MI, technology and data optimisation

Operational Resilience MI should leverage trend data built up over time, both from existing business metrics (e.g. incident reporting, system outages, attrition, etc.), and from testing / assessment activity (e.g. scenario testing, RCSAs, stress testing etc.). Operational Resilience dashboards that have already been designed will need regular enhancement. This should involve the review, challenge and adjustment of metric sets to foster continuous improvement and presentational upgrades based on user feedback and evolving priorities. This will also help provide better business insight into key offerings, e.g. Important Business Services. From a technology perspective, tooling is an area for further consideration; with some firms leveraging existing solutions (particularly for service mapping / cataloguing) and others exploring holistic offerings. Having a rich and accurate data pool to underpin tools and dashboards is paramount so data cleansing / enrichment are other factors to consider. Furthermore, incident reporting mechanisms (in alignment with Impact Tolerances) will need consideration in light of an anticipated PRA ‘Operational Resilience Incident Reporting’ Consultation Paper due in H1 2022 setting out what information should be submitted by banking and insurance firms when operational incidents occur.²

D – Refining service mapping and scenario testing

As a key ‘pulse check’, scenario testing should be refined over time. The evolution of scenario libraries to align with industry trends and ‘hot topics’ will be important. This will help highlight potentially vulnerable areas and test how robust prevention, recovery and response mechanism really are. Additionally, past test data insights (e.g. Stress Testing and BCP / DR testing) should be increasingly utilised to help inform scenario testing. Scenario testing itself can also look to take on more sophisticated forms using a range of war game workshops, live data modelling / testing and desk-top reviews. Other enhancements that could be considered include involvement of third-party suppliers in scenario testing exercises, developing cross industry tests (e.g. disruption to a systemically important clearing house) and developing more severe scenarios to align with Stress Testing. Alongside these considerations, service mapping will need to be revisited and refined as businesses change over time and as a result of any gaps discovered in scenario testing. Furthermore, as familiarity with operational resilience concepts grows, service mapping resource information can be enriched with further insight into key underlying dependencies, pinch-points, workarounds, opportunities and controls.

E – Embedding / evolving the operating model

Different firms will be at different stages of establishing their operating model for Operational Resilience. However, all firms will need to embed and evolve their models over the coming years. In addition to the items mentioned in points A to D above, key areas that should be built out and continuously enhanced include the definition of a simple vision and strategy for Operational Resilience, which aligns to wider business and organisational objectives. Definition and documentation of clear frameworks, standards and policies for operational resilience are also important. These should align to and dovetail with existing frameworks such as Third-Party Risk Management (TPRM), Information Security and Operational Risk and be aligned with regulatory requirements. Governance structures should be laid out and integrated within existing structures where possible, to help monitor, govern, control and enhance resilience across the organisation. Establishing strong Operational Resilience teams and capabilities across the business lines and support functions is also essential alongside consideration of appropriate tooling to maximise efficiency.

F – Lessons Learnt

Finally, but by no means least, lessons learnt will play a key role in the transition to BAU and future resilience successes. Firms should actively capture and act on lessons learnt from the last few years and also build this into a culture of continuous improvement. These lessons can be derived from activities across the Operational Resilience spectrum: Important Business Service mapping, Impact Tolerance setting, scenario testing, vulnerability and remediation progression, operating model rollout, training and MI to name but a few.

Conclusion

A sizable shift has taken place across the financial services industry with the introduction of Operational Resilience initiatives which build on traditional financial resilience practices and engender organisation-wide resilience. New concepts, mechanisms, roles, responsibilities, and structures have been introduced and a body of work undertaken to deliver them to initial regulatory deadlines. As we take stock of achievements made, and in order to really benefit from work completed, Financial Services firms must not fall into the trap of complacency. They must instead strive to transition Operational Resilience initiatives into BAU and further evolve them to affect the required level of transformation across organisations. Only in recognising this and going beyond a ‘tick the box’ mentality will organisations successfully manage disruptions, nurture the resilience of their businesses and reap the benefits of stability. “There’s an inherent danger in letting people think that they have perfected something. When they believe they’ve ‘nailed it,’ most people tend to sit back and rest on their laurels while countless others will be labouring furiously to better their work!”³

¹ SS1/21 ‘Operational resilience: Impact tolerances for important business services’ (bankofengland.co.uk)

² Regulatory Initiatives Grid – November 2021 (fca.org.uk). Page 17.

³ Richard Branson