The Bank of England and Financial Conduct Authority’s discussion paper, Building the UK financial sector’s operational resiliency, may seem like it is developing a whole new approach to the management of significant events. However, the reality is that “resiliency” has been a part of the practice of both operational risk and business continuity for a very long time.
Understanding operational resiliency
Resiliency is a word that is being bandied about more and more by the world’s regulators, particularly when discussing the management of cyber risk. The European Banking Authority addressed many of the issues contained in the UK regulators’ discussion paper in a recent speech. As well, these issues are firmly on the agenda of the Financial Stability Board as well as the Basel Committee on Banking Supervision, who look at the resiliency of financial firms from a systemic viewpoint.
The term has long been used within the business continuity discipline. The discipline regards it as impossible to plan for specific individual events – there is an infinite variety of “what can happen”. However, it is possible to create overall organizational resiliency to withstand types of impact. Resiliency as an approach within risk management was discussed a few years ago by Nassim Nicholas Taleb in his book Antifragile: Things That Gain From Disorder.
The UK regulators’ discussion paper, at first blush, seems to create a whole new regulatory framework that firms will have to comply with, to create resiliency within specific business services. Business services are those which, if disrupted, could lead to significant loss of customers, major financial loss or reputational damage.
Where to begin
However, firms should be aware that they are not starting from scratch. Most will be able to create an operational resiliency framework out of their existing operational risk and business continuity programs. What is required is a gap analysis. To understand where there may be gaps between their existing op risk and business continuity approaches, and operational resiliency, firms should explore the following six key activities:
Make a list of the key business services in the organization, and assess how much business disruption could be tolerated, and under what circumstances. One way to explore this is to look at the firm’s risk appetite as it relates to these key business services. While the discussion paper talks about “impact tolerances” this really is another word for “risk appetite.” What are the key risks related to disruption? What controls are currently in place? How much risk is the firm willing to tolerate?
Next, the regulator is asking firms to map the systems and processes that support these key business services. Some firms may have in place such maps for risk management purposes. Firms need to be aware that they must map both their internal systems and processes as well as those of their third-party providers as they relate to the business services. They must also map processes conducted by entities that are within the same overall group but which are physically in another jurisdiction. What are key points of weakness? Is there a concentration risk of third parties – such as cloud service providers – across the organization that could weaken processes?
Firms are asked to understand how the failure of a system or process could impact the overall business service. Again, most firms will already have conducted scenario analysis for events such as pandemics, terrorism, cyber attacks, and natural disasters. Firms will also have conducted RCSAs which address these issues. This information can go a long way towards addressing regulators’ information needs in these areas. What does existing risk management intelligence say about the firm’s potential vulnerabilities? Are there places where risk management intelligence needs to be bolstered?
Firms should regularly test the controls they have in place around business continuity and disaster recovery. This should include scenario testing – for example, a mock earthquake or cyber attack. What testing does the firm have in place at the moment? Is the testing adequate to identify potential vulnerabilities or control weaknesses?
The ability of a firm to respond to and recover from disruptions is directly related to the appropriateness of the investment it has made in systems, controls, management and training. Boards of directors and senior management need to have the right risk intelligence to be able to make these investment decisions. How good is the firm’s risk reporting? How well does it crystalise the case for investment when it’s needed?
There are several different kinds of communication that are involved here. How robust are the firm’s communication plans with key stakeholders in the case of an event? Do internal plans have escalation paths and identified decision makers? Do external communication programs engage with customers, regulators, and the industry in the right way? How strong are a firm’s communication programs about the potential for these events occurring, and the related risks and controls?
These six activities are the foundational activities required to build an operational resiliency framework. To learn more about how existing operational risk and business continuity approaches, practices, and intelligence can be leveraged to develop an operational resiliency framework, speak to Chase Cooper.
Free whitepaper download
A Time of Change – 5 Key Trends Shaping Operational Risk Over the Next 2 Years
To find out more about the trends that will impact operational risk over the next few years, download our free whitepaper.