Resilient Operating Models
The impact of the pandemic has changed our personal lives in ways that many of us could not have imagined only two years ago.
The effect this has had on the world of work, organisations, and the customers they serve is no different [1].
One thing is increasingly clear – hybrid working, rising cyber-attacks, political instability, climate-related disasters and enhanced expectations from a digital world mean that organisations now need to be resilient as part of business as usual (BAU).
Although the coronavirus pandemic has been the most prominent scenario in the very recent past, other case studies such as the TSB IT migration failure [2] have also shown how high the stakes can be when disruptions occur. Resilience goes far beyond a firm’s mere ability to ‘prevent, respond, and recover’ during a major incident or operational disruption – it needs to be fully integrated into enterprise operating models [3].
As with many other challenges, our view at BCS is that financial services organisations must consider a number of key operating model dimensions (and their inter-connectedness) to be resilient from day to day.
What follows is a summary view of considerations, across the seven BCS operating model dimensions.
1. Vision & Strategy
Having a clearly defined vision and strategy for enterprise-wide resilience, aligned to a firm’s broader business and organisational objectives, is critical. For example, any financial services organisation that prides itself on delivering ‘market leading customer experience’ will need to ensure that this pitch is backed up by resilience as a way of operating daily, and not just a high-level statement of intent supported only by firefighting when things go wrong. From a strategic perspective, resilience needs to be incorporated into approaches to change and transformation, as opposed to being viewed as something to react to when an external event occurs. In 2022, resilience has graduated from being regarded as ‘just another IT or business continuity process’ to being front and centre of a firm’s strategy in the boardroom.
2. Standards & Policies
A suite of coordinated frameworks and accompanying document families (including processes, procedures, and guides, as well as accountable owners) is fundamental in setting the foundational baseline for an organisation’s resilience. These are the core artefacts that will enable a firm to prevent, respond to, and recover from operational disruptions that may threaten its vision and strategy. Having a clear structure of aligned and complementary frameworks, standards and policies across Crisis Management (including internal and external communications), Change Management, Risk, Finance, Technology, HR, Business Continuity Planning and Operations is now more important than ever. Frameworks must be fully implemented and embedded across all components, including key underlying risk and control mechanisms. Examples include diagnostic tools such as Risk and Control Self Assessments (RCSAs), Technical Risk Assessments (TRAs), Data Protection Impact Assessments (DPIAs), Business Impact Assessments (BIAs), Records of Processing Activities (ROPAs) and Record Inventories.
3. Process & Automation
Although many of the frameworks listed above will provide broad coverage across the enterprise risk profile, firms must now also clearly define their Important Business Services (IBS) [4] and the underlying processes and resources required to deliver these to customers – both in ‘peace-time’ (BAU) and ‘war-time’ (crisis) scenarios. Many of the frameworks and supporting mechanisms above may provide strong ‘back-up’ arrangements in the event of a disruption; however, until now they may not have been tailored to ensure that a firm’s primary focus is on delivering its Important Business Services. Once these services have been identified, opportunities for automation can be explored to deliver a win-win-win of reduced risk, enhanced customer experience and improved job satisfaction for internal employees, who can be freed up to focus on higher-value activities. In short, strong processes are key to practically delivering on what you set out to achieve with your standards and policies, as well as to recovering effectively in the event of a major disruption.
4. Technology & Data
It goes without saying that in an increasingly digital world, an IT strategy, IT architecture, application suite and data governance model are all critical in supporting Important Business Services. These components will then require monitoring to ensure their ongoing resilience, as well as key annual exercises such as disaster recovery tests. Once again, it is important to ensure that these exercises focus in the first instance on the resilience of Important Business Services and are not just generally targeted at business continuity across the broader enterprise. Given that cloud-based solutions provided by external providers are increasingly in vogue, having clear Service Level Agreements (SLAs) is pivotal in ensuring that agreements and contracts are honoured, limiting the potential risk of downtime, failures, and the inevitable impact this could have on customer experience or the wider economy. This is particularly important where a firm has concentration risk exposure for cloud or other IT services provided by third party suppliers.
5. People, Organisation & Culture
Whilst it is fundamental that overall ownership for the resilience of an organisation’s operating model is allocated (often to the SMF 24 – COO), accountability and responsibility for end-to-end Important Business Services is increasingly important and may involve new roles and responsibilities across departmental teams. These need to be agreed and documented in individual role profiles as well as in a firm’s Management Responsibilities Map (MRM), and across all three lines of defence. Where roles are critical, HR and business lines will need to ensure that back-ups, cross-skilling, and succession plans are in place. For organisations already embracing more agile ways of working, the concept of operating day to day whilst also delivering change via multi-disciplinary, cross-functional ‘tribes, guilds and squads’ [5] will now be commonplace; however, not all firms may be this nimble. For organisations that have experienced siloed ways of working between business lines and functions, the concept of resilience across departments and teams may require a fundamental shift to a new dynamic, including a ‘resilience culture’, and this will need developing and embedding over time.
6. Location & Sourcing
The move to being distributed and digital since the onset of the pandemic in 2020 has irrevocably altered ways of working for employees, as well as the way they serve their customers, potentially forever. For example, many firms now view hybrid working arrangements as a form of business continuity and resilience in itself, in the event of another future scenario where centralised office working becomes unfeasible. On a related note, as call centre operatives have worked from their bedrooms, and some new joiners to the world of work have found themselves sitting around kitchen tables, many are now realising that business continuity site locations are no longer required. From a sourcing perspective, many organisations are now seeing outsourcing and ‘in-sourcing’ across their ecosystems as simultaneous opportunities and threats, depending on the nature of the services provided by third parties. Clearly, any outsourced arrangements need judicious management and monitoring, with back-ups in place if key vendors fail, especially where these vendors are critical in delivering Important Business Services to customers. For third party management, example focus areas that improve resilience include vendor materiality ratings, strengthening of terms and conditions, enhanced business continuity plans and vendor exit plans.
7. Governance & MI
Boards and senior managers have increasing responsibility to review and assess the strength of a firm’s operating model from a resilience perspective. This means that tone and focus in this area need to come from the very top. For this to happen, although all the dimensions noted above are key in delivering the design of a resilient operating model, they must then be monitored, measured, and tracked via MI tabled at the appropriate governance committees if a firm is going to be able to gauge its own operational and financial success. For example, senior managers may want to know when the last disaster recovery test took place, or how many recent SLA breaches with critical vendors there have been. Key metrics on incidents, financial losses, cyber-attacks, and data leaks could also be areas of interest. From a customer perspective, organisations may also want to look at customer feedback and satisfaction surveys, and how these compare to their competitors. Over time, this will be the true test that tells a firm how resilient it really is.
The world in 2022 is a very different place to how it was prior to the pandemic. Consequently, although resilience may previously have been considered an IT process, or a once-a-year ‘one-off’ exercise, it is now a fundamental part of a firm’s overall business strategy. This then needs to be supported by the appropriate frameworks, policies, people, processes and technology, as well as a broader industry ecosystem. UK regulatory requirements aside, organisations that embrace this opportunity will reap the trifecta reward of increased control, improved customer satisfaction and reduced risk.
Resilience cannot be outsourced to a third party, or left to IT, Risk and Compliance to manage, just because it is a regulatory obligation. Given how fundamental it is, and how it permeates the whole enterprise, it requires a comprehensive, holistic approach if organisations are to realise the benefits of having resilient operating models.