Operational resilience is a set of techniques that allow people, processes and informational systems to adapt to changing patterns. It is the ability to alter operations in the face of changing business conditions. Operationally resilient enterprises have the organisational competencies to ramp up or slow down operations in a way that provides a competitive edge and enables quick and local process modification.
This is the next significant regulatory pillar. Ultimately, Operational Resilience is a Board responsibility which needs to be driven top-down. These regulatory commitments dove-tail with other commitments including SMCR, SMF24, PSD2 and EBA.
Regulators are adopting a pragmatic approach and understand that ‘one-size-fits-all’ will not produce the right outcomes. The approach is one of proportionality (size and complexity of the business plus potential systemic risk) and, by way of impact assessment and scenario planning: ‘severe but plausible’ i.e. there is a recognition that not all risk can or should be mitigated but it needs to be understood by reference to risk appetite and managed accordingly. In some instances, it will be acceptable and in fact necessary to work outside of risk appetite (to avoid business, market and/or client detriment). Clear line of sight and dynamic management of risks in a crisis is the key.
To achieve operational resilience UK regulators have stipulated that firms: