Business Resilience: what you need to know
There are a number of slightly different definitions of resilience: from “the property of a material that enables it to resume its original shape or position after being bent, stretched, or compressed”, to “the ability to be happy or successful, after something difficult or bad has happened”. I’m sure UK regulators are less interested in the idea of 'being happy', but being able to 'return to its original shape' and the ability to be 'safe and secure' would almost certainly resonate.
Whilst regulatory requirements are often met with the cynical response of “yet another cost to meet a set of requirements that don’t help our business”, in the case of Operational Resilience, it makes perfect business sense. In a world of daily or even hourly incidents or breaches, it’s crucial that our most critical business services are those that are best-protected and can be recovered quickest. This is vital if an organisation is to minimise business damage and any risk to customers and consumers. Maintaining client trust is paramount, and Operational Resilience is fundamentally designed to deliver this.
Increasingly, organisations need to look at resilience more widely and through a number of different lenses: Business, Operations, Third Party, People and Regulation.
The need to align security, controls and people to your most important assets may seem obvious, but any financial organisation needs to have a clear view of the key business services it takes to its clients, regulators and partners. We find that most organisations have grown organically and have a good view of the functions within the business, but not necessarily of the parts of those functions that are most important, or that deliver the most business value.
Operational disruptions can be caused by a diverse range of incidents, ranging from cyber-attacks and malicious insiders to flooding and power outages. It is important that organisations accept that disruptions will happen. It’s not a question of ‘if’, but ‘when’ an incident might have a disruptive impact on the business and its customers.
It is key that the organisation – ideally fully endorsed and driven by the board – is as prepared as possible to respond and recover. Business Continuity Planning (BCP), Disaster Recovery (DR) and Crisis Management processes, as well as the threat landscape they are based on, should be frequently reviewed and uplifted as necessary.
With the increased dependence of financial services organisations on third parties, there needs to be a strong focus on effective third-party risk management, including extending the controls, policies and governance that a firm holds itself accountable for to its respective third parties. Regardless of whether a service is provided in house, fully-outsourced or a composite of the two, accountability resides with the financial organisation.
Richard Branson’s #1 focus is not his customers, but his employees, because he strongly believes that happy employees create happy customers (which will, in turn, create happy investors). When looking at Resilience, focusing on and equipping your people with the knowledge, responsibility, authority and tools, along with training, will help create a “happy and resilient” workforce. Whilst training high-risk roles is an essential part of this, organisations that build resilience into the business culture create a far more systemically resilient workforce.
Responding to the changing needs of UK regulators
The emerging regulation – as outlined in the Bank of England DP01/18 / Prudential Regulation Authority (PRA) DP01/18 / Financial Conduct Authority (FCA) DP18/04 discussion paper – picks up on many of the items discussed above: from the need to understand your business and its critical business services, to the associated impact tolerances and assets, to the ability of the board to govern operational resilience.
At TORI Global we define and implement Operational Resilience and Crisis Management strategies with our financial services clients based on their risk appetite and market position. There are a number of areas that we think you should consider in order to remain resilient and avoid getting all “bent out of shape”.
- Business Resilience: embark on a process of understanding the key services you take to market; understand the criteria you use to determine the most important ones; and map them to the people, processes and technology used to deliver each service. If, as a minimum, you perform the business service cataloguing, it will give you some visibility of the areas you should protect the most and respond to the fastest.
- Operational Resilience: review and uplift (if needed) your policies, procedures, controls and Business Continuity Planning, Crisis Management and Disaster Recovery capabilities so that they reflect the current threat landscape.
- Third Party Resilience: understand which key third parties are required to deliver your critical business services and see how closely your contracts reflect the internal policies and procedures that would apply if the service were delivered internally. Put a roadmap in place to fix the gaps and continually reassess.
- People Resilience: understand who your key people are, and who holds high-risk roles, and make sure they have the necessary training to reduce the chance of accidentally setting off a chain of events that leads to a breach, for example recognising a phishing email and practising stringent password management. In addition, make sure any scarce-skill resources have appropriate backups identified should they be required.
- Regulation: be ready for the regulator. Test your organisation and check how you would handle different scenarios that cause the organisation to “bend a little”.
Want to chat?
Should you feel that any of the areas outlined above are a challenge for you and that your organisation could benefit from the experience and impartial, practical advice of TORI Global, please get in contact with us.