After approximately three years of consultations and one year of carrying out the initial assessment, Operational Resilience remains a “hot topic” for regulated financial entities. While it may seem as if we have passed the first hurdle, the process of building resilience is far from over. In fact, it has only just begun.
March 31st, 2022, marks the deadline of the first milestone set out by the UK Regulator, by which regulated financial organisations were expected to have performed an assessment of their Operational Resilience program. Now the time has come to initiate the roll-out.
During the “assessment year”, firms deep dived into the current state of their Operating Model, identifying gaps related to fundamental resilience components. These gaps gave rise to a number of challenges:
Organisations Still Work In Silos
One of the more prominent gaps that firms identified was the lack of communication and coordination within the firm and across the entire financial industry. This siloed approach is bound to create barriers for Senior Management, as they will find it increasingly difficult to oversee and manage the business. Moving away from this siloed approach to one that is more interconnected and holistic in nature will give Senior Management the advantage of a more accurate overview of the business. Moreover, it will enable them to realise the potential ripple effects and impact of shortfalls across the entire organisation from an end-to-end perspective, exposing any weaknesses or gaps in processes.
Backward-Looking Risk Culture
Managing the business and its inherent risks is not a tick-box exercise, but rather one that requires proactive coordination and oversight of numerous stakeholders across the entire organisation. Moving away from a reactionary approach to a more proactive risk management approach therefore becomes the ultimate goal. The challenge arises where the traditional approach, which bases decision-making on “past events”, is not overruled by a more anticipatory approach, where decision-making is based on the anticipation of “future events” that have the potential to impact the business.
We Don’t Know Much About Our Business Partners
Supplier management is not just the responsibility of the procurement function, but rather a consideration to be taken as part of the firm’s business strategy and risk management framework. It’s important that firms assess whether their partners are in fact suitable for their journey, in that they not only provide a reliable service but also align well with the firm’s defined risk appetite. To that end, firms are expected to perform proactive supplier/vendor management activities rather than just having quarterly calls with the “supplier point of contact”.
What Is Next?
A paradigm shift is required. Moving from a “post event / business centric” view to an “anticipate the potential impact event / customer centric” approach is a challenging task that organisations and their Senior Management need to address. In this sense, we anticipate Senior Management should focus on the following aspects to ensure the correct level of embeddedness:
Expect An Operating Model Calibration & Revamp
The initial assessment shed light on gaps, weaknesses, and inefficiencies within the firm’s operating model. There needs to be a plan to rectify these shortcomings which is comprehensive and all-encompassing:
- Revisit Policies and Procedures, taking into consideration a more holistic company view rather than treating each function as separate to the rest of the business.
- Rethink the segregation of roles and responsibilities between the various business functions and stakeholders and move towards a more co-responsible approach.
- Ensure alignment of business goals and corporate risk appetite from a financial and operational perspective such that reputational harm is minimised and client trust is preserved, in the event of a shortfall.
Revisit Your Relationship With Your Suppliers
Active supplier management is imperative. Your supplier is your business partner, and therefore having a clear understanding of their strengths and weaknesses will help you make better, more informed decisions. Strong dependency on very few critical suppliers poses risks and therefore requires firms to have a well-defined “Plan B” (exit plan) to prepare for the event that a vendor suddenly ceases to exist. Moreover, monitoring performance and setting early warning indicators are important in promptly detecting signs of failure. Although it is common practice that the Procurement function is responsible for formalising the administration of commercial agreements with vendors, from a service management perspective, the Service Owner should be responsible for managing vendor relationships and the implications that may arise by choosing a particular vendor over another (bearer of risk).
Proactive Governance & Reporting
The Governance Board should not merely be an “administrative escalation point” that grants approvals, but rather an opportunity to challenge and drive the decision-making process with the support of analytical tools such as “resilience indicators”. Senior Management should provide resources for their operational teams to run the Ops Res program and be mindful of the fact that this initiative requires a lot of change in the short, medium, and long term. It would also be good practice for Senior Management to challenge their team with independent external assessments in order to get a comparative view of other firms’ journeys and global best practices.
After the March 2022 deadline, UK regulators plan to begin requesting documentation on firms’ self-assessments and evaluating the progress achieved thus far. Regulators deem this exercise to be an ongoing and evolving one that aims to establish what is to be considered the “best practice” in the current climate.
Firms will be required to provide evidence that they are able to remain within their impact tolerances by the end of March 2025. Moreover, they will be required to evidence improvements in their level of maturity with regard to Operational Resilience, close existing gaps in their operating model, and reduce the probability of intolerable harm to clients.
How TORI Can Help
At TORI, we have been actively supporting financial institutions in their journey towards building Operational Resilience. We are working with a number of financial institutions, assisting with, inter alia:
- Identifying their level of maturity through consideration of regulatory requirements and best practices
- Designing and developing ad-hoc Operational Resilience Frameworks
- Reviewing and performing independent assessments of suppliers
- Establishing proactive approaches to managing risks more effectively
- Testing resilience through Business Continuity Planning, Cyber Security Testing, and Event Scenarios