Posted on: May 12, 2022
Dusting off the Documents
The crises and disruptions of the past few years have not been black swan events: they were all imaginable and, to some degree, likely. Pandemics sat on national risk registers and were exercised as scenarios with national agencies in the UK and US only a couple of years earlier; Russia annexed Crimea in 2014, positioning itself to target a resource-rich Ukraine; and having borrowed so heavily during lockdown, we could hardly avoid rising inflation this year. So, how might the new operational resilience methodologies and requirements help us to mitigate future harm?
Rolling out an operational resilience program is a bit like completing a thorough spring clean: much like airing out the sheets, cleaning under the sofas, and searching out the damp at the back of the cupboard, it helps firms to discover where they are missing a failover option for a critical team, where they cannot fail over from one third party to another, or where key data is not adequately backed up.
So, what better time than early April for a group of operational resilience professionals to gather in London and analyze the recent changes in the world of resilience: the increase in high-probability, high-impact events; how regulatory focus is shifting; and how we are preparing for the future state of resilience programs? At Marcus Evans's Operational Resilience In The Financial Sector conference, Vicki Gavin of Kaplan International led a session on these questions, with panel members Rich Cooper of Fusion Risk Management and Stella Nunn of PwC taking the discussion forward.
Pinpointing the Moment of Impact
Over the past year and more, we saw financial firms implementing operational resilience programs to comply with the Bank of England, PRA, and FCA regulations. Many might assume that financial firms knew all about their customers, but interestingly, attendees agreed that most service providers could not easily pinpoint where and when intolerable harm might occur.
Some firms had access to years of incident logs, and a few surveyed their clientele to learn directly from customers exactly where a disruption would become intolerable. Many, though, had to work through extensive workshops, delving into whatever data was available and drawing out the specific details that would support their rationale. With better access to data logs and modern data analytics tooling, we hope that as a sector we can produce better insights and understand what we can and cannot afford to let fail. This shift to a "data over documents" approach will allow firms to tie the available data together and translate it into useful, viable strategy.
Speed of Response
In mapping all of their important business services, many resilience managers reported being overwhelmed by the amount of data that had to be captured and analyzed. At that volume, the data can no longer be monitored manually, turned into useful vulnerability reports, or used to provide intelligence to the crisis management teams responding to a disruption.
With increasingly complex routes of service delivery and the need to anticipate knock-on dependencies and impacts to other services, there is a clear need for automation. In the world of financial services today, there isn’t time to pause and take stock; in that time, news of any disruption will have hit mainstream news feeds, and share prices may have taken a dive.
If, however, we could monitor live service dashboards and produce reports of expected impacts at the touch of a button, how much quicker might we be able to respond?
Better yet, if we could identify the triggers of impending crises and react to the tremors, might we be able to avoid reaching the crisis stage altogether? We might have to act on limited information to begin with, but we would at least be acting. That would be in stark contrast to recent events, where we have collectively waited for a disruptive situation to be brought to the forefront before we began strategizing, and acted only once it had made an impact, by which point it was too late for the strategy to be effective.
Rehearsing Different Scenarios
Once we have all the data to hand from mapping, and have set ourselves up with dashboards and reports, testing can challenge the assumptions we have made, such as relying on the same key team to carry out critical tasks for several services simultaneously. Scenario testing at this level of detail helps to surface further vulnerabilities.
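The dependency mapping, knock-on impact analysis and shared-team assumption described in the two sections above, as an added worked example; this is not code from the original post or from Fusion, and every service, resource, tolerance and recovery time in it is a constructed, hypothetical value. It propagates the failure of one supporting resource to the important business services that transitively depend on it, compares the expected outage against each service's impact tolerance, and lists the resources that several important services rely on at the same time (the concentration that a scenario test would challenge):

```python
"""Toy service-dependency map for operational resilience impact analysis.

All names and numbers below are constructed for illustration; they are not
taken from the original page or from any real firm.
"""
from collections import deque

# Each node lists the resources it depends on. Leaf resources (teams, sites,
# third parties) have no entry of their own.
DEPENDS_ON = {
    "payments": {"core-banking", "payments-team", "swift-gateway"},
    "online-banking": {"core-banking", "web-platform", "payments-team"},
    "customer-support": {"crm", "support-team"},
    "core-banking": {"primary-dc", "dba-team"},
    "web-platform": {"cloud-provider"},
    "swift-gateway": {"primary-dc"},
    "crm": {"cloud-provider"},
}

# Impact tolerance per important business service, in hours of outage.
IMPACT_TOLERANCE_HOURS = {
    "payments": 2,
    "online-banking": 8,
    "customer-support": 24,
}

# Assumed time to recover or fail over each resource, in hours (hypothetical).
RECOVERY_HOURS = {
    "primary-dc": 6, "cloud-provider": 4, "payments-team": 12, "dba-team": 3,
    "support-team": 2, "swift-gateway": 1, "core-banking": 5,
    "web-platform": 1, "crm": 2,
}

# Reverse edges: resource -> nodes that depend on it directly.
DEPENDED_ON_BY = {}
for _node, _deps in DEPENDS_ON.items():
    for _dep in _deps:
        DEPENDED_ON_BY.setdefault(_dep, set()).add(_node)


def _reachable(start, edges):
    """Breadth-first closure over `edges` starting at `start` (start excluded)."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for nxt in edges.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def dependents_of(failed_resource):
    """Every node that transitively depends on `failed_resource`."""
    return _reachable(failed_resource, DEPENDED_ON_BY)


def supporting_resources(service):
    """Every resource that `service` transitively depends on."""
    return _reachable(service, DEPENDS_ON)


def impact_report(failed_resource):
    """Map each impacted important business service to (outage_hours, breached).

    Assumes the service is unavailable until the failed resource is recovered,
    i.e. outage equals that resource's recovery time.
    """
    outage = RECOVERY_HOURS[failed_resource]
    return {
        service: (outage, outage > IMPACT_TOLERANCE_HOURS[service])
        for service in dependents_of(failed_resource)
        if service in IMPACT_TOLERANCE_HOURS
    }


def shared_resources(min_services=2):
    """Resources relied on by at least `min_services` important services at once.

    These are the single points of concentration (a key team, a data centre,
    one cloud provider) whose simultaneous demand a scenario test should
    challenge.
    """
    counts = {}
    for service in IMPACT_TOLERANCE_HOURS:
        for resource in supporting_resources(service):
            counts[resource] = counts.get(resource, 0) + 1
    return {r for r, c in counts.items() if c >= min_services}


if __name__ == "__main__":
    for resource in ("primary-dc", "payments-team", "cloud-provider"):
        print(resource, "->", impact_report(resource))
    print("shared:", sorted(shared_resources()))
```

The propagation is a plain graph closure, so the same code scales from this toy map to an exported service map with thousands of nodes; what does not scale is hand-maintaining `RECOVERY_HOURS`, which in practice should come from the same mapping exercise and be revisited after every test.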
“Decision-making assumptions are where we could fail.”
The operational resilience regulatory requirement to test against a range of severe but plausible scenarios has freed resilience managers from weighting scenarios by likelihood alone and allowed a wider range of scenarios to be explored. This shift lets us look further forward, beyond the horizon, to ensure that our services are resilient by design. For example, when building a new data center in a region likely to be heavily affected by climate change, you might build desalination tanks first, in anticipation of future droughts.
That being said, we still have to make scenarios as realistic as possible in order to understand timings and the art of the possible. To that end, most agreed that simulation exercises remain best practice and that joint testing with critical third parties will be invaluable. If we can take this one step further and conduct cross-market exercises with common third parties, we stand a far greater chance of mitigating harm to customers, firms, and the wider market in a major crisis. Sharing information makes events more predictable, and understanding each other's recovery strategies means we are far more likely to succeed together.
Finding Our Voice
Right now, we are all facing a new normal of continual disruption; many firms are feeling like they permanently have their business continuity plans invoked and resilience measures in place. In prior discussion, none of us could remember the last time we faced a disruptive event occurring in isolation. Today, we face threats on all fronts: a physical war in eastern Europe, supply chain issues for key products (e.g., semiconductor chips), rising inflation threatening a financial recession, cyber-attacks on the increase, a global pandemic (now endemic), a burnt-out workforce resigning at scale, as well as climate change issues on the near horizon. It can be said that many crisis managers have their fingers crossed for a quiet summer.
With this shift to a more permanent state of disruption, though, we are finding our voice and finally being invited to the table. Part of this has been an organic progression: attendees reported that colleagues now actively come to resilience teams for advice, because of our insight into where to invest for sustainable delivery of services and into new business strategies. The other part of the change has been at the crisis management team (CMT) and executive level, and it is being reinforced by various authorities: CISOs are finally being invited to sit permanently on the Gold teams that respond to crises, and the US Securities & Exchange Commission is proposing new rules that would require disclosure of board members' cybersecurity expertise. This finally gives CISOs a voice at the table.
So, with our seat at the table, armed with complete data and dashboards, we are having discussions about how we might become omniscient, or at least better at identifying triggers and sensing the tremors of impending disruption. When it comes to high-probability, high-impact events, we need to get better at recognizing them before they occur, and better at looking for the next compounding scenario standing just behind the first.
Looking forward, it is increasingly evident that we need to be able to better monitor how resilient we are when operating in a “business as usual” state, and discussions have already begun around treating non-regulated services (such as payroll) as important business services requiring analysis. With operational resilience programs in place across the financial sector, we expect to see a reduction in the amount of disruption and better mitigation of potential intolerable harm. We also expect to see more defined triggers and action responses as well as improved monitoring of the tremors we might sense before crises hit. In the long term, we hope to see financial firms go beyond operational resilience to a state of operational intelligence.
We would love to hear from you – what horizon-scanning tremors are you feeling right now? As part of Fusion’s customer community, ENGAGE, customers can join us every Friday at 10:00 a.m. CT for our Community Exchange sessions to further discuss the current threat landscape.