Sponsored by ?

This article was paid for by a contributing third party.More Information.

Operational resilience: charting evolution, strengthening impact

Operational resilience: charting evolution, strengthening impact

Arming a business in preparation for robust operational resilience measures is not a one-step solution – it continues to evolve. The key to strengthening defences against all events – especially the unlikely but plausible – is to build business agility. In a Risk.net roundtable convened in collaboration with Fusion Risk Management, risk leaders discussed strategies to maintain and strengthen their operational resilience while creating sustainable value for their stakeholders.

Risk management is essential to bolster resilience – especially during times of severe, unprecedented operational disruption. As financial markets evolve, the need to keep up with new technologies and regulations adds friction to efficient risk management. With increased points of resistance there is a growing demand for resiliency systems that help firms stay on top of risk appetite, tolerance, security and operational intelligence.

It is therefore no surprise that operational resilience is now a board of directors’ strategic imperative, and firms must evolve their approaches and elevate systems to optimise resiliency. Organisations must today more than ever focus on anticipation, prevention and protection, rather than simply response and recovery once damage occurs.

Regulatory needs are also pressing – new UK Regulatory Operational Resilience Requirements come into force on March 31, 2022, and financial services institutions and firms now have less than six months to identify their important business services, set impact tolerances and carry out mapping and testing ahead of the enforcement.

The new requirements were introduced by the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the UK Financial Conduct Authority (FCA) in March 2021. The PRA has categorically said that firms must plan for all severe stresses, however low their probability. The regulations aim to protect the wider financial sector from the impact of operational disruptions.

The future of operational resilience, IT and security risk, lies beyond thinking about today’s challenges. It is understanding how organisations can bolster risk management to drive growth and build resilience against future disruption. Risk industry experts say pushing a collaborative agenda – especially by breaking down business silos, maintaining an end-to-end view and optimising controls for clearly defining impact tolerances – will become essential for operational intelligence-led resilience.

Pushing boundaries

The foundation of evolving operational resilience is ensuring systems ‘assume failure’ and are resilient beyond just preparing for response and recovery. But today, firms are not starting from zero, and risk experts believe 85% of what regulators are calling for is already being done in one form or another. The focus now is on external boundary lines and developing a more collaborative agenda towards building a more resilient ecosystem overall that can stave off systemic impact. 

Rich Cooper, global head of financial service go-to-market at operational resilience software specialist Fusion Risk Management, noted the importance of bringing together ‘operational intelligence’ at firms by identifying important business services, breaking down silos and addressing resilience by establishing a nerve centre at the organisation.

“For the true essence of operational resilience to play out, we need to break down what were once the traditional siloed perspectives of risk, IT, public relations and business continuity teams,” he said. “[And] just focus on best practices to make sure that we look at our important business services.”

Cooper added that this is what organisations can take to the next step of “delivering promise to the customer and being able to fulfil their expectations and those of the wider financial service world”.

Encouraging collaboration between different disciplinary silos and bringing teams together is part of building a resilient organisation, as is clearly defining the lines of responsibility for each of those teams.

Moving away from stringent taxonomy and developing a common language for the measurement, management and communication of risk and resiliency is often thought of as one of the most significant challenges in this endeavour. But a step in the right direction is on the horizon, Cooper noted.

“There is a real paradigm shift in people. I have always talked about breaking down silos and aligning disciplines and taxonomies, but we are now actually seeing it happen and firms are realising how far off some of these taxonomies were, even within their own organisations,” he said.

Aside from organisational silos, maintaining an efficient and stringent three lines of defence risk management system is also an important aspect of resiliency planning. However, risk leaders at the roundtable noted that operational resiliency is increasingly first-line-led and risk-informed. Business and executive leadership needs to lead the effort, while risk and resilience play a supportive and advisory perspective.

Planning for the next stages of operational intelligence and resilience involves combining the horizontals of crisis management, training and awareness and testing to ensure there is an aggregate risk profile, which is action-oriented.

A well-rounded risk profile can further help inform an organisation’s impact tolerances – an important facet of operational resilience on which renewed focus has been placed.

Impact tolerance and scenario planning

Regulators such as the BoE, PRA and FCA have set out guidance in a briefing paper on impact tolerance, stating that firms must identify their important business services and set an impact tolerance for each.

“While we are not introducing a definitive list, we are providing further guidance on the type of business services that boards and senior management could classify as ‘important’,’’ the paper notes.

“We then expect firms to set an impact tolerance for each of these services, quantifying the maximum acceptable level of disruption through severe (or extreme in the case of financial market infrastructures (FMIs)) but plausible scenarios. Firms and FMIs are responsible for setting their own tolerances, and boards and senior management should take actions to improve operational resilience where limitations are identified in a firm or FMI’s ability to remain within these tolerances. This is where firms and FMIs should expect close supervisory scrutiny and engagement.”

Organisations must have a broader alignment on how they materially calculate impact tolerances, according to Paula Fontana, senior director of product marketing at Fusion Risk Management. “There is some variability depending on the business line as well; some business lines are inherently able to take on more risk than others,” she said. “There might not be a singular way to arrange those guardrails”.

The key is to strike a fine balance, as risk industry experts noted, as there could be consequences of defining an impact tolerance that is too tight or not too broad. “It depends on the maturity of the firm and the interoperability of those firms by the footprint they have on their client base,” one risk industry leader noted.

That said, organisations are becoming aware they need to keep an outward-facing view when it comes to understanding and defining financial, regulatory and client impact.

Effective scenario testing and planning plays a key role in informing impact tolerances and identifying control improvements, helping organisations inherently orchestrate a change towards greater resiliency and more strategic commercial decision-making.

As scenario test regimes mature, financial institutions will look to expand their use. And, faced with growing uncertainty affecting all aspects of their operating environment, firms need to create meaningful stress scenarios that will help them operate more effectively and become more resilient.

Technology continues to be a vital component of scenario analysis. Next-generation technology and artificial intelligence-enabled platforms can test and analyse the impact of severe but plausible events in real time. These next-generation innovations can leverage enterprise data and situational intelligence to run diagnostics on an organisation’s business and display outcomes.

They can also provide a proactive approach to understanding vulnerabilities and building resilience by evaluating responses under realistic conditions and make data-backed strategic decisions.

These advances can help implement continuous learning, flexibility and agility in operational resilience plans so that organisations can easily model and examine how risks materialise and compare future scenario outcomes.

Next-generation tech and future-proofing

On the role of technology in the broader effort on operational resilience, one attendee at a global bank notes: “To operate at scale, globally – and we have to have our data work for us – that data needs to be part of a comprehensive technology solution.”

He stresses the need to seamlessly shift from intelligence and deliberate planning related to early warning to understanding the threat landscape and into internet response “using that high-fidelity information to respond with precision to mitigate risk to our organisation”.

He adds: “As a former crisis manager, I have done that with spreadsheets, PowerPoint documents and phone calls, and that works when you are dealing with groups in the dozens, it doesn’t ever work when you are dealing with groups in the thousands. So it is the critical enabling activity to actually realise an operational resilient future for us.”

Data is a vital part of impact tolerance planning – especially as regulators keenly watch how data is derived and used to define those tolerances. Equally essential is the interpretation of data that is processed and analysed by technology in the next stage of evolving operational resilience.

Financial firms globally are becoming aware of the importance of operational resilience. But, as the dialogue on resilience continues to progress, business leaders must also remain agile by adopting next-generation technology, and investing in data analytics and estate monitoring technology to plan for the next decades of operational resilience at their firms. This promises to build and strengthen resilience at every level and across business silos within organisations.


Take the next step towards operational resilience today

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here