Building an Operational Resilience Capability
Martin Hillier, Head of Programme Management
“Operational disruption can impact financial stability, threaten the viability of individual firms and FMIs, or cause harm to consumers and other market participants in the financial system.”
- Joint paper from FCA, PRA and BoE
Recently, ‘operational resilience’, in various guises, has become a keen area of focus for regulators globally. Whilst there is currently no international framework for regulating the operational resilience of financial services, global regulators are likely to continue to support shared principles and objectives on the topic. Fundamentally, regulators seek to ensure that severe, disruptive events are not exacerbated by the interconnectedness of today’s financial system or by the operational complexity of the global firms that are so prevalent across financial markets. The interests of customers and market participants must be safeguarded by ensuring continuity of the vital services the financial system provides to the economy and to the community as a whole.
The UK regulators have been spearheading consultations on the topic of operational resilience, articulating their expectations for an integrated and customer-centric approach in joint FCA, PRA and Bank of England (BoE) Discussion and Consultation Papers. Further, the impact of COVID-19 has left firms and regulators in no doubt that risks previously considered highly unlikely can and do come to fruition, bringing the operational resilience of firms and of the industry into even sharper focus. COVID-19 has also highlighted that many issues emanating from such an event transcend borders and thus require a degree of international cooperation to address them effectively.
At its heart, operational resilience, as set out by the UK regulators, is a concept that requires firms to take a business service view of resilience and implement a framework that prioritises the resilience of its most important business services. Responsibility for the identification of important business services rests with the firms. They must consider client and market impacts, as well as the firms’ interconnectedness internally and externally. Firms must identify and map processes, people, information/data, technology, facilities and reliance on critical 3rd parties required to deliver these important business services. The goal is to set impact tolerances which quantify the amount of disruption that could be tolerated in the event of an incident and implement mechanisms to facilitate the resumption of those business services without breaching established tolerances.
Business Continuity Planning (BCP) focuses, in part, on preventing threats from crystallising and impacting firms negatively, but it is not possible to prevent every conceivable risk from materialising. Operational resilience and impact tolerance requirements are not designed to conflict with or supersede existing BCP principles, including recovery time objectives (RTO) and recovery point objectives (RPO); rather, they should further enhance them. Crucially, the assumption that operational disruption will occur is the fundamental principle underlying a robust operational resilience strategy.
What are the implications for firms?
On 20 March, due to the COVID-19 outbreak, the UK Regulators announced an extension to the consultations on operational resilience until 1 October 2020. Specific deadlines for compliance remain uncertain and the UK Regulators have announced that ‘Firms and FMIs will not need to meet requirements resulting from the consultations before the end of 2021’. Given operational resilience remains a top priority for the Bank, PRA and FCA and in light of the magnitude of work some firms may face to address it, firms would be well advised to start building out their operational resilience functions and activities now, if they have not done so already.
In order to build a robust operational resilience programme, firms should:
- Establish a Programme / Function
- Establish a dedicated operational resilience programme or function. This function should operate end to end, across the 3 Lines of Defence (3 LoD), providing a holistic view of the firm’s resilience position that can centrally coordinate and draw on resilience capabilities enterprise wide. Not only does this break down the traditional siloed view of the firm, the regulators will also expect a designated function to own and appropriately govern operational resilience with full board sponsorship.
- Secure Board Sponsorship
- Implement ‘top-down’ – Regulators will expect the operational resilience message to come from the top. The board should provide strong oversight and a clear mandate for the operational resilience function to operate effectively and embed the ethos of operational resilience in risk and governance committees and the institution as a whole. Firms will need to ensure there is sufficient expertise as well as clear lines of responsibility and accountability for the delivery of operational resilience.
- Identify Important Business Services
- Establish clear and consistent criteria for identifying a common list of important business services across related functions, e.g., Recovery & Resolution Planning, BCP, Disaster Recovery, Ops Risk and relevant business areas. Use a client-centric lens and consider which products or services are absolutely critical to them. Then identify the key value chain in the delivery of each of these important business services.
- Identify and Map Processes, People, Information, Technology, Facilities, and 3rd Parties
- Leverage existing institutional mapping, enhancing with specific applicability to the value chain identified in the important business services, including an analysis of 3rd party interdependencies and digital dependencies.
- Set Impact Tolerances
- Establish clear and consistent criteria for identifying impact tolerances and setting thresholds across the firm. Set qualitative and quantitative metrics for each important business service, considering the full value chain and focusing on client, market and institutional impacts.
- Build Testing, Scenario Analysis and Performance Management Capabilities
- Build out an enterprise wide testing capability that sets out severe but plausible scenarios. Scenarios should be dynamic and reactive, so that their severity can be increased appropriately in response to market and firm events. The capability should incorporate a framework that sets out objectives and the approach for cross functional testing, and that measures performance against the associated impact tolerances.
- Establish a Communication Plan
- Communicate effectively to colleagues, regulators, and clients. Build on existing communication strategies to provide timely information to customers and other market participants whilst leveraging social media to ensure the operational resilience agenda is effectively publicised, internally and externally.
- Design and Implement Remediation plans
- Identify, prioritise and remediate resilience gaps (e.g., develop a strategy to deal with concentration risk associated with critical 3rd parties), while building sustainable and dynamic solutions that can be adjusted in accordance with market conditions.
- Embed into BAU
- Incorporate impact tolerances into existing risk monitoring capabilities and align them with the firm’s overarching risk appetite, policies and standards across the 3 LoD. Embed operational resilience considerations into new product approval processes. Remember, this is not just about financial impacts: client and market impacts must be at the centre of firms’ operational resilience strategy.
- Review Lessons Learned
- Even with all of the aforementioned plans implemented, there may still be a ‘black swan’ event or elements of a firm’s resilience that were somehow overlooked; COVID-19 has refreshed industry memory of this exact risk. Show willingness to learn from past mistakes (and share the lessons both internally and externally) so that they will not happen again. Implement an ethos of continuous improvement: review lessons learned, reassess incident, crisis and business continuity management strategies accordingly, and always be ready to adapt to new challenges and environments.
Critical to operational resilience planning, review and strategy is being cognisant of the fact that we all operate in an interconnected, global ecosystem. Being aware of and leveraging insights from your peers should be as much a priority as looking inside your own organisation. JDX benefits from insight into the approaches to and planning around operational resilience of both large financial market infrastructures and multiple small, medium and large institutions operating in the financial services market. Leveraging this insight will help ensure an operationally resilient ecosystem.
At JDX, we have a wealth of experienced consultants who can help you navigate the complexities of operational resilience, from working in partnership with your organisation to establish a formal operational resilience capability with board sponsorship, through to supporting in the execution of remediation programmes, including the mapping of important business service dependencies, full end-to-end testing and comprehensive training through to BAU handover and resource continuity.
If you’d like to discuss further, please contact:
- Martin Hillier
Director – Head of Programme Management – Transformation and Change
- Caroline O’Sullivan
Director – Business Consulting
- Charles Davis
Director – Business Consulting