COVID-19 – Operational Resilience addressed? Think again.

As lockdown rules are eased and plans are being drawn up for a return to work, the focus has very much shifted from BCP execution and crisis management to re-baselining plans for H2 and moving forward with the business agenda.  This is of course good news for all.  However, before we all get too carried away with the idea of sunnier times to come, a healthy dose of introspection is needed: while most firms managed to get people working remotely from home during the first two weeks of lockdown, courtesy of corporate credit cards and a quick trip to PC World in a number of instances, the idea that the response to COVID has proven Operational Resilience is ‘done and dusted’ is misplaced at best and a dereliction of fiduciary responsibility at worst.

Operational Resilience requires a root-and-branch overhaul of how businesses respond in times of stress.  The fact that in the current situation a number of Tier 1 banks have not been able to interact with clients or suppliers via MS Teams for example, illustrates the limitations of capabilities.  Other issues have also been exposed: the ability of offshore operations to meet SLAs has been patchy at best as a result of curfews and restrictions on mobility imposed across a number of regions.

TORI Global is inviting you to attend the first in a series of three webinars focused on Operational Resilience.  If you would like to learn more about our webinar and register your interest in attending please fill your details in here

Operational Resilience is all encompassing and must be embedded as part of BAU.  This is not a ‘tick-box’ exercise.  The use of frameworks, tooling and data to provide an end-to-end ‘lookthrough’ across the business is paramount.  Ultimately, Regulators will use software such as ‘Chaos Monkey’ to arbitrarily disrupt important business services in real time.  You must be able to respond effectively to such scenarios.  Governance, behaviours, analytics and testing are key components to deliver a sustainable Operational Resilience framework.  Accountability for Operational Resilience should reside with the SMF24 executive to drive top-down across the organisation.  It should also be noted that accountability for material outsourcing as defined by the EBA, cannot be outsourced. The CEO is accountable and delegates this accountability through the SMCR regime to the SMF24. It is a critical executive role.

Our vision is ‘Resilience by Design’.  Operational Resilience must become part of the DNA of the firm. To achieve this change requires a clear and practical vision allied to an achievable implementation plan, sponsored by the Board, to deliver in a realistic timescale. The result of the change must be to equip the Board with the governance and oversight capability required to practice and demonstrate effective management of operational resilience across the most important business services offered to customers and clients. The strategy must also trigger, and then maintain, an organisation-wide adoption of resilience as a core value in service design, operational delivery and in the capability to respond to adverse events as and when they occur. 

Key elements which must be addressed include:

  1. Board governance, oversight and accountability to define important business services, agree and re-evaluate impact tolerances and embed the right behaviours;
  2. Identification of important business services and mapping to functions and 3rd parties that support these services;
  3. Impact tolerances and risk appetite (note – you may have to operate outside risk appetite to mitigate client detriment, financial loss to the business and/or systemic risk to the market. The key point is that there is clear line of sight);
  4. Tools and MI to support dynamic Business Decision Management (BDM), harnessing Enterprise data and business logic to support real-time automated decisioning where response times are not measured in hours or days and risk vectors can be flexed dependent on potential detriment to the business, customers or market;
  5. Continual review, test (including ‘tail events’) and challenge of the Operational resilience framework to assess the ability to remain within impact tolerances and to create a dynamic feedback loop between risk management and crisis management. 

All of the above must also take in to account lessons learned during the current situation and the new way of working post COVID.  We have seen a significant acceleration in adoption of Digital channels over the last three months and migration to the Cloud continues at pace – both bring a new dynamic to Operational Resilience as do some of the ‘softer challenges’ the ‘new normal’ will present such as the ability to maintain high performing teams and the alignment of collegiate behaviours when working remotely.