Operational Resilience

What are the challenges you face?​​

Regulators are adopting a pragmatic approach and understand that ‘one-size-fits-all’ will not produce the right outcomes.  The approach is one of proportionality (size and complexity of the business plus potential systemic risk) and, by way of impact assessment and scenario planning: ‘severe but plausible’ i.e. there is a recognition that not all risk can or should be mitigated but it needs to be understood by reference to risk appetite and managed accordingly.  In some instances, it will be acceptable and in fact necessary to work outside of risk appetite (to avoid business, market and/or client detriment).  Clear line of sight and dynamic management of risks in a crisis is the key.​​

To achieve operational resilience UK regulators have stipulated that firms:​​

• Identify their important business services that if disrupted could cause harm to consumers or market integrity.​
• Identify and document the people, processes, technology, facilities, third parties and information that support a firm’s important business services (mapping).​
• Set impact tolerances for each important business service (ie thresholds for maximum tolerable disruption).​
• Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.​
• Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions.​
• Develop internal and external communications plans for when important business services are disrupted.​
• Create a self-assessment document.​

How TORI can help…​​

• Developing an Operational Resilience strategy​
• High level roadmap​
• Developing a Target Operating Model​
• Third-party risk management and outsourcing​