Joining the global debate on policy governing operational resilience, the Federal Reserve recently published a paper outlining practices designed to help large banks increase operational resilience. The Fed, in contrast to the new frameworks set forth by UK regulatory authorities and the recently released Basel committee guidance, characterized the effort as bringing together existing policy and guidance governing operational resilience practices in one place.
The paper reflects a tone the Fed is taking more generally surrounding the importance of making resilience actionable for global firms.
At the October OpRisk North America Summit, Art Lindo, Deputy Director for Policy in the Federal Reserve Board’s Division of Supervision and Regulation, closed his remarks with a reflection on the opportunity at stake for global financial services institutions:
‘I’m going to close my opening remarks with a plea. And the plea is…let’s not waste this opportunity, even though it came out of a pretty dark tragedy, for us to take the steps that would lead to what I believe would be a true alignment of operational resilience expectations for the financial sector at large and that would put us in a better position to strengthen resilience against all sorts of hazards that I believe are very likely to occur in the not too distant future on a more regular basis.’
There is no denying the increasing abundance of frameworks governing resilience and risk management. For institutions tasked with bringing sound practices to life, this can be a daunting endeavor, requiring hundreds of hours of analysis and interpretation through the lens of their own institutional know-how and best practice. Further, implementing operational resilience at scale without hindering the ingenuity required to navigate uncertainty has become the new table stakes. The new mandate for resilience:
Run the firm.
Protect the firm.
Change the firm.
Grow the firm.
Resilience teams are being asked to be the connective layer between the offensive, revenue-generating lines of the business, and the defensive ones – mapping firm capability, garnering situational intelligence, isolating where the firm is likely to break, deploying the defense, making the remedy, and spotting new opportunities. This requires translating best practices of risk and resilience in language that feels familiar, and further, actionable to every member of your organization.
When we asked dozens of executives about what mattered when building a resilient organization, they put defining a common language at the top of their list. As resilience gets more executive visibility since COVID-19, many risk and resilience leaders are kicking off or refreshing their programs and they need benchmark data, practical advice and candid conversations on the how. Making resilience actionable was the topic of our September roundtable event, ‘Speaking Resilience in the Language of Business’.
Here are ten highlights from the data and the discussion:
1. Resilience is a board-level concern.
Operational resilience is considered ‘direction of travel’ for the broader industry, a non-optional set of activities executed in order to serve and protect customers and the backbone of economic security.
2. Business owners are at the resilience helm.
This can be both a challenge and an opportunity for risk and resilience teams looking to drive data-driven decision-making and repeatable best practices across the firm. Partnership is the new imperative.
3. 1st and 2nd line definitions are shifting.
Business continuity and risk teams are increasingly integrated into the business. Part regulatory-driven, part cultural, firms are recognizing that for resilience to impact operations at scale, it needs to be thought of as a whole.
4. Business priorities are driving focus.
Connecting your resilience efforts to organizational priorities allows you to drive direct impact on your organizational outcomes faster. Focusing on what’s important ultimately unlocks value to the organization and furthers opportunities for partnership at greater scale.
5. Guidance + Institutional Know-How = Excellence
Many firms look at winning practices as an amalgamation of guidance and institutional know-how. However, what works at one institution may not work at another, so strategies must change according to the broader situational context. Firms are at different stages of interpreting guidance based on pacing of guidance.
6. Communicate in the language of business.
Risk and resilience teams have created a lingo of their own governing the ways in which we work, communicate, and measure progress. However, the way in which you communicate with constituents across the organization can mean the difference between stagnation and success.
7. Navigate with a cultural map.
In the same way, resilience teams must be sensitive to geographical and cultural nuances when driving large-scale organizational change. Similarly, ‘tribal rules’ within departments or geographies can influence the mindset and behaviors of individual teams.
8. Data integrity is a precursor to success.
Data integrity is a huge barrier to real progress. The so-called ‘bronze datasets’ that plague many institutions can make it difficult to yield real insight, or even worse, provide outdated or incorrect information, shackling effective decision-making.
9. Understanding is the foundation.
Understanding how your business works, how it breaks, and how to protect it is a foundational step in any resilience initiative. By mapping your organization with intent, you have a clear line of sight into what is most important for your customer.
10. Measure in three parts.
Measuring resilience efforts can be thought of in three parts — A) what needs attention now, B) what may need attention soon (emerging risks and issues), and C) those activities necessary to build a more resilient organization over time.
When it comes to developing a common language, it’s all about striking the right balance. The more complex your language becomes, the harder it is for others to follow along, and further, apply it. However, a risk and resilience framework that is too simple will be overly dilute and won’t help your firm in the ways it should.
What has your experience been with translating risk and resilience in the language of business? I’d love to hear your thoughts!
To get started on your own risk and resilience program, check out this free guide.
I couldn’t be more grateful for the Fusion Risk & Resilience Leader Community for taking the time to invest in their peers. By providing such great benchmark data and joining regular roundtables to discuss the results, these leaders are helping us all get better together – building a more resilient world.
If you or someone you know would be interested in joining the Fusion Roundtable program, please take our signup survey.
Interested in operational resilience software for financial services?