
Building operational resilience – prepare for risk events or get punished

By Gary Lynam, Director of ERM Advisory, Protecht

Financial Institutions must put operational resilience at the top of their agenda and step up their game in building accountability and tolerance against potential operational disruption. Prepare for potential risk events with a transactional approach or get punished by the FCA, argues Gary Lynam, Director of ERM Risk Advisory, EMEA, Protecht.

On 31 March 22, the Financial Conduct Authority (FCA) in partnership with the Bank of England and the Prudential Regulation Authority formally finalised its new Operational Resilience Rules and a phased approach for tougher financial regulation that will for the first time punish financial institutions for potential risk of operational disruption by March 2025.

Alongside this, the EU has also issued new legislation for the financial services industry, the Digital Operational Resilience Act (DORA), to make sure the financial sector in Europe is able to maintain resilient operations through a severe operational disruption. What do these developments mean for financial institutions and how can we build resilience in and over time?

Defining Operational Resilience

Put simply, resilience is the ‘capacity to recover quickly from difficulties’ (OED). It’s also the ability to withstand adversity before encountering difficulties. From an operational perspective, it can be said to mean the ability to withstand adversity, recover quickly, pivot post-crisis and learn from disruptive events.

In the context of the new legislation, it mandates that businesses have satisfactorily completed a number of tasks, from identifying ‘important business services’ to ‘setting impact tolerances’ and ‘mapping and testing to identify vulnerabilities’. Failing to meet these requirements could incur a hefty fine, and will limit an organisation’s pathway to success.

Operational Resilience versus Organisational Resilience

As we have noted, operational resilience is process-oriented and linked to the capacity to continue to provide critical operations and business services in the face of operational stress and disruption. On the other hand, organisational resilience looks beyond critical operational processes to the entire organisation. Thus, changes to the external environment which entail dramatic and rapid action also come into play.

The key attributes of a resilient organisation

The ISO standard on Organisational Resilience identifies the following core qualities:

  • Shared vision and clarity of purpose
  • Effective and invested leadership
  • Supportive culture
  • Shared knowledge and data
  • Available resources
  • Highly developed and coordinated management disciplines
  • Fostering continual improvement
  • Anticipating and managing change

From my own experience, I would add these additional values to the list:

  • The ability to continuously monitor and assess changing information, including identification of evolving threats
  • The capacity to make decisions quickly and pivot when necessary
  • The continual management of your workforce’s well-being, which enables them to both withstand shock and change when necessary
  • A proactive risk culture which encourages learning lessons both from internal challenges and those faced by other businesses

For continuous risk monitoring and to gain value from risk management, it is worth considering deploying a robust Enterprise Risk and Resilience platform, designed for usability and accessible from multiple devices, including mobile. This will engage the whole organisation, including third-party vendors, and keep your risk and compliance information consistent with just one system. Ideally, it will also provide detailed dashboards and high-quality reports for board and senior management. The tool must be able to simply integrate risk and resilience concepts to avoid additional IT administration.

That might seem like a daunting list of aspirational attributes but companies of all sizes need to shockproof themselves from unforeseen events so, with less than three years until the deadline, where do we begin?

Where to start?

The first step is to evaluate your current state of resilience by asking some key questions and searching for some home truths. Explore how quickly your business can make decisions in the face of adverse challenges, including reallocating resources in a hurry. Ask how robust your relationships with key stakeholders (internal and external, i.e. third parties) are and whether they will come to your aid in uncertain times. Monitor the engagement level of your workforce – will they rally when the going gets tough? Find out how aligned senior executives and the C-suite are with the core vision and purpose. And look at what processes exist internally to capture lessons learned and communicate them effectively.

Once you have completed this assessment, you’ll have a good idea where the gaps are and what to do next. It is worth noting that the FCA has published two self-assessment questionnaires, which will help you with the process.

Identify important business services

Then, we start ticking off the boxes outlined by the regulators. Use Business Impact Analysis (BIA) to identify which services are important – generally those that directly affect the customer. For example, an inability to provide a financial payment at a required time, resulting in significant detriment or emotional distress to customers.

Set impact tolerances

Having identified your important business services, you then need to determine your impact tolerances. That means the threshold of disruption for each service that would cause unbearable damage to your customers. You should also segment your customer base when you are assessing impact tolerance because there may be vulnerable demographics whose tolerance for harm is lower than others.

The impact of third parties is constantly increasing as we move to a greater level of outsourcing and shared service models. It is important to specify your working relationships with third parties, and engage them in mapping, vulnerability assessments and scenario testing when setting impact tolerances.

Process mapping and testing

To appreciate how your important business services engage with each other, you must continuously map the processes needed to deliver each service and the resources needed to perform those processes. Bear in mind, a single process might underpin multiple services and a single resource might support multiple processes. By mapping all these interconnected components, you can build a full picture of how and where disruption might strike; where your vulnerabilities are; and how to resolve them.

That’s just the beginning of the operational resilience journey but it will stand you in good stead for the incoming legislation. Recent years have shown, via a global pandemic, land war in Europe and calamitous climate change, that there are an increasing number of disruptive events which threaten the smooth running of society and business. By building operational resilience now, you’ll be better placed to withstand any storms on the horizon.
