It’s a daunting task, condensing all the exciting developments being made in the world of Operational Resilience into a 15-minute presentation, but that was the challenge at the recent Organisational and Operational Resilience for Financial Services Conference in London. Here, we have endeavoured to give a flavour of the key takeaways for our readers to consider and apply within their own organisations…
When looking at an Operational Resilience programme, it is worth contemplating what exactly it was that the regulations were designed to achieve and what type of environment the regulators sought to create. This could be condensed into three key aims:
- New regulations require an expansion beyond the traditional Business Continuity (BC) outlook. The general practice to date has been to look at what the impacts might be to the firm and attempt to mitigate those by building workaround strategies. Operational Resilience requires firms to look at services through a customer and market lens, ensuring that end-to-end service delivery is more robust. This might be achieved by building a more resilience-conscious culture or by putting controls in place to safeguard the processes.
- Regulators are recognising that more incidents and crises are due to poor change management (underpinning staff culture, capabilities, risk governance, standards setting, system maintenance, etc.) than almost any other root cause. We must do more as a sector to stop new products and services being brought in, or underlying resources changed, without first conducting a resilience assessment. Building these procedures into the operating model of the firm is time consuming but invaluable in the long term; it should certainly help reduce the number of exit strategies that are written the night before the launch.
- A need to improve capabilities and expose any weaknesses in responses so that they might be remedied in advance has become critical. Those of you who were working all hours to come up with the ‘right kind of pandemic plans’ during the crisis response will recognise the importance of having plans that can be adapted on the fly and that are impact focused rather than cause driven.
The Journey to Improved Resilience
Reflecting on the past few years of working towards those strategic goals, it has often felt like a car journey.
We had the release of the discussion and consultation papers which strongly resembled those moments where you’re tearing around the house trying to find where you left the car keys and getting your house in order before you set off. In the same sense, Resilience teams were being assembled, BC programmes were being checked through, and preliminary assessments were made of what their business services might be under the new regulation.
The implementation period felt like checking which route to take, debating which navigation application to trust, and trying to confirm that others agree that you’ve picked the best route… All to discover mid-journey that you’ve forgotten the charger for the satnav and will have to make an additional stop to buy one. During that first year, many firms chose to engage with the major resilience consultancies or joined industry groups (the ORCG, the IA, UK Finance ORC, etc.) to share ideas and get comfort that methodologies and outcomes were aligned. Inevitably, halfway through, most of us found that we had failed to get budget for an element of implementation or realised that we would have to test less rigorously than intended that year, deferring a comprehensive test plan to the following year.
The last couple of months before the UK operational resilience March 2022 regulatory deadline, through to the present day, felt like those moments where your partner declares they forgot to put in the replacement tail-light, your youngest points out that they didn’t put any shoes on before leaving the house, and the other one is asking if you’re nearly there yet before you’re even out the driveway.
That final frantic rush up to the January board deadlines involved many a late night trying to ensure all teams were fully prepared for the year ahead. Groups discovered that federated parts of their business hadn’t quite followed the Group plan, some departments hadn’t requested any budget or resource for their remediation projects, or a new SMF24 came in and changed the definition of an Important Business Service (IBS), bringing another couple of services into scope. A pattern began to emerge of taking the next part of the programme to the business for completion only to be met with surprise that they weren’t finished yet, despite knowing that the project would take several years… it’s going to be a long, long journey towards operational resilience!
Achieving Operational Resilience by 2025
Hopefully, all our organisations will be compliant by 2025 (or at the very least, more resilient than they were before), so which warning lights should you be checking for now to give your firm the best chance of reaching your destination on schedule?
- Ensure you have an Operational Resilience programme in place. This may sound obvious, but we have heard of firms that disbanded their Operational Resilience team after the March 2022 deadline and others that drastically reduced the size of the team. The work to build operational resilience is only just getting started though… the hardest work is yet to come.
- Make certain that you have an intelligible resilience team roadmap that is shared across the business to ensure that no one is caught out. Most firms have a plan in place, but have you moved from the point of having strategic goals to tactical items that are listed, assigned, and detailed in language and terminology that everyone can understand?
- Check that there are IBS remediation plans to complete by 2025. Immediately after the March 2022 deadline passed, there was a noticeable pause for breath before teams dived into carrying out remediation plans. However, some report that their leadership teams are trying to push any remediation projects back to 2024 due to competing calls for budget, the current economic situation, missing key subject matter experts, etc. This strategy carries massive risks though:
  - Increased scrutiny from the regulator may show their plans to be out of compliance if they cannot justify their completion times
  - If anything happens between now and then, the executive team will find themselves in the hot seat trying to justify why they did nothing to fix a known vulnerability
  - It generally follows that when you fix one vulnerability and re-test, you will find others elsewhere – with no time to fix them
- Establish an agreed vision of what level you need to map to. Until now, firms have mapped to whatever level of detail was needed to identify vulnerabilities in their operational resilience, without necessarily defining how far mapping must go to meet the full extent of the regulations. Depending on what level you intend to go to, you may need to set up major projects which don’t directly fall under remediation, such as overhauling your process catalogue or configuration management database (CMDB) or investing in data mining technology.
- Form a clear and achievable test plan. Most firms have recognised that they will need to run a wide range of severe but plausible scenario tests but face a challenge regarding time and people’s availability. If you haven’t already done so, you should have built or acquired a scenario gap analysis tool so that you can run hundreds of scenarios through a simulator which can highlight where you might have missing plans or where the recovery time objective (RTO) of a resource won’t meet the impact tolerance, for example. You can then reduce the burden on your business teams’ time by only exercising scenarios with them where necessary or to prove out the perceived resilience of an IBS.
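The scenario gap analysis described above can be reduced to a small simulation: map each Important Business Service (IBS) to the resources it depends on, record each resource’s RTO (or the absence of a recovery plan), and then exhaustively generate loss scenarios and flag any IBS whose dependency cannot be recovered within its impact tolerance. The following is an added illustration, not code from the original article or from any vendor tool; the service names, resources, RTOs and tolerances are constructed sample data, and the combinatorial scenario generator is one simple way to produce the large scenario sets the text refers to (it generalises from the single example in the text to any number of simultaneous losses).

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterator, List, Optional, Tuple

# Constructed sample data: all names, RTOs and tolerances below are illustrative.


@dataclass(frozen=True)
class Resource:
    name: str
    rto_hours: Optional[int]  # None means no documented recovery plan or workaround


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: int  # maximum tolerable disruption agreed by the board
    depends_on: FrozenSet[str]   # resource names taken from the mapping exercise


RESOURCES: Dict[str, Resource] = {r.name: r for r in [
    Resource("payments_engine", 2),
    Resource("core_banking_db", 8),
    Resource("call_centre_staff", 4),
    Resource("london_office", 24),
    Resource("card_processor_vendor", None),  # third party with no agreed failover/exit plan
]}

SERVICES: List[ImportantBusinessService] = [
    ImportantBusinessService("Faster Payments", 4, frozenset({"payments_engine", "core_banking_db"})),
    ImportantBusinessService("Card Payments", 12, frozenset({"payments_engine", "card_processor_vendor"})),
    ImportantBusinessService("Customer Helpline", 24, frozenset({"call_centre_staff", "london_office"})),
]


def generate_scenarios(resources: Dict[str, Resource], max_concurrent: int = 2) -> Iterator[FrozenSet[str]]:
    """Yield every combination of up to max_concurrent simultaneous resource losses."""
    names = sorted(resources)
    for k in range(1, max_concurrent + 1):
        for combo in combinations(names, k):
            yield frozenset(combo)


def assess(service: ImportantBusinessService, lost: FrozenSet[str],
           resources: Dict[str, Resource]) -> List[Tuple[str, str, str]]:
    """Findings for one IBS in one scenario, as (ibs, finding, resource) tuples.

    A resource is flagged when it has no recovery plan at all, or when its RTO
    is longer than the impact tolerance of the service that depends on it.
    Lost resources the service does not use produce no finding.
    """
    findings = []
    for name in sorted(service.depends_on & lost):
        rto = resources[name].rto_hours
        if rto is None:
            findings.append((service.name, "missing_plan", name))
        elif rto > service.impact_tolerance_hours:
            findings.append((service.name, "tolerance_breach", name))
    return findings


def run_gap_analysis(services: List[ImportantBusinessService], resources: Dict[str, Resource],
                     max_concurrent: int = 2):
    """Run every generated scenario; return (scenario_count, per-scenario hits)."""
    hits = []
    count = 0
    for lost in generate_scenarios(resources, max_concurrent):
        count += 1
        for svc in services:
            for finding in assess(svc, lost, resources):
                hits.append((sorted(lost), *finding))
    return count, hits


def summarise(hits) -> List[Tuple[str, str, str]]:
    """Collapse per-scenario hits into the unique gaps that need a remediation plan."""
    return sorted({(ibs, kind, res) for _, ibs, kind, res in hits})


if __name__ == "__main__":
    n, hits = run_gap_analysis(SERVICES, RESOURCES)
    print(f"{n} scenarios simulated, {len(hits)} scenario-level hits")
    for ibs, kind, resource in summarise(hits):
        print(f"  {ibs}: {kind} -> {resource}")
```

With the sample data, `run_gap_analysis` simulates 15 scenarios (5 single losses and 10 pairs) and `summarise` collapses the hits to two remediation items: a core banking database whose 8-hour RTO exceeds the 4-hour tolerance of Faster Payments, and a card processor with no recovery plan at all. Flagging each resource individually, rather than only the worst-case RTO per service, gives business teams a concrete list of what to fix, and a real deployment would pull the resource and mapping data from the CMDB or process catalogue rather than embedding it.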
- Ensure you have the right resilience toolset with you. Thinking back to the initial pandemic response, some firms were lucky enough to have the data feeds coming in across their business; however, most of us were watching the BBC, reading the Johns Hopkins reports, and scrambling to gather data in spreadsheets across the business to establish our priorities. The sheer quantity of data that requires analysis is ever expanding and having spreadsheets across the company in silos is no longer enough – but if you do have those built, utilise technology to draw the data together.
- Set up links between your data sources. Building connections with all parts of your business creates a ‘single pane of glass’ view of your important business services and:
  - Reduces the chances of multiple teams carrying out duplicate tasks
  - Lessens the burden on teams to maintain their data, analyses, and reports
  - Ensures that during a crisis, all leaders are making decisions based on the same information
  - Improves your ability to respond quicker and mitigate harm to customers
  - Enhances your ability to search out and log vulnerabilities
“Firm-wide resilience is comprised of many things: third-party risk, cyber, failover, facilities… What I want to develop is a nerve centre, trying to figure out how to federate out the details to existing programs and create a holistic perspective from them. This is not starting with a blank slate, rather it is integrating to existing programs and hopefully uplifting them over time.”
– Global Head of Technology, Resiliency, and Third-Party Operational Risks at a Financial Services Company
- Automate your monitoring. The hours spent manually entering data into spreadsheets, then building visual representations for decks, and then tweaking the PowerPoint slides until they are ‘perfect’ for the Board or Executive Risk Committee are a massive drain on resources. By automating your reports and dashboards, you can ensure that everyone is aware of the risks being accepted, can view the status of any given IBS at a moment’s notice, and get early warnings of any changes occurring, for example, if a business service shifts to become important.
- Build horizon scanning into business as usual. Whilst a formal operational threat monitoring programme is preferable, so much has been learnt over the past couple of years about threat analysis that we could all apply it as part of our daily jobs. In a time of high uncertainty and increased volatility, firms may want to build out increased measures for:
  - Cyber and Tech – It’s no longer if, but when, an attack will occur, and the complexity and number of attacks is ever increasing. Individuals should know at any given time who they need to report suspicious circumstances to and how to do so. Correspondingly, emerging technologies need future proofing and plans in place that could support them.
  - ESG, Reputation, and Regulation – Organisations risk fines and reputational impacts every day as expectations continue to be raised and firms face increased scrutiny from regulators and stakeholders.
  - People and Hybrid Workforce – Competition for talent is at one of the highest points in living memory and changing cultural norms are exacerbating talent management struggles. Succession planning has arguably never been so vital to an organisation’s sustainability.
  - Third Party and Supply Chain – Organisations are experiencing increased supplier risk events due to extreme weather events, geo-political disruptions, unplanned outages, financial or energy challenges, pandemic-induced lockdowns, and cyberattacks. This is compounded by the vendor concentration risks within sectors as well as dependencies on critical third parties such as cloud providers.
Building Agility into Your Operational Resilience Program
There’s a lovely quote stating that “the pace of change has never been this fast and will never be this slow again” – we have to be able to keep pace with the speed of impact and with people’s expectations. The pace of a human reaction is no longer acceptable; a certain amount has got to be automated, and dynamic response consoles are needed to help build the muscle memory of teams involved.
If you’re trying to become operationally resilient without equipping yourself with the right tools, you are condemning your team to drive around the racetrack to 2025 in a Land Rover Defender without power steering rather than in a streamlined Jaguar E-type. You might save money in the short term, but your team aren’t going to fare well, you might lose a few to competitors, and they won’t be excelling at what they’re doing. Your stakeholders won’t have confidence that you will stay on track; and even though you might have the same firm under the bonnet, you might not make it in time.
Create the time buffer for the services and reduce the chances of crises coming to pass by ensuring that all of the elements listed above are built into your firm’s operating model. Through this, organisations can gain the real-time insights and tools required to build agility for their enterprise.