Top 3 mistakes made in Operational Resilience programmes
1. Not Opening The Aperture
- Most commentators (and regulators) agree that Operational Resilience is not limited to technology. We agree. Our own view is that at least 10 specific areas contribute to ensuring Operational Resilience. Most financial institutions seem to have started considering critical operations, important business services and the required tolerances. But some are still finding it difficult to get traction on conversations beyond the well-trodden path of technology security, continuity and recovery.
- Some Operational Resilience programme leaders have found, to their frustration, that their firms are looking at this initiative through a narrow lens, which has limited the focus to end-to-end services mapping and a refresh of security, continuity and recovery thinking. This is a mistake. In our view, winning organisations will take a view that considers services, processes, controls, risk, reporting, data, technology, culture and more.
2. Not Making In-flight Improvements.
- The path to Operational Resilience will be a long haul, and rarely smooth. How a firm capitalises on the turbulence is key. In our view, too few clients are structuring their programmes with benefit identification and realisation in mind. Delivering a wide-ranging Operational Resilience programme can be choppy, so focus on the in-scope deliverables is required. Even so, we see far too many clients failing to set the expectation, or build the mechanisms, that would allow the work within the programme to capture the value-add opportunities it uncovers.
- Winning programmes will consider how, during the in-scope work, they can identify additional areas in which to remove cost and waste, refine processes and controls, and ultimately create greater value.
3. Not Creating a Flywheel.
- The greatest value from a successful Operational Resilience programme comes when continuous improvement becomes a cultural habit. In this way, the plan-do-check-act cycle reinforces performance on an ongoing basis, iterating and improving and building momentum: hence a “flywheel”. Too few programmes fully consider the cultural and behavioural changes needed to create this flywheel.
- Our experience shows that in many cases insufficient attention is given to the people and culture aspect of Operational Resilience. And when it is, it is often limited to awareness and training, rather than seeking to influence the wider cultural and behavioural change that is required.
Top 3 questions you need to answer to pass regulatory scrutiny of Operational Resilience
1. Have you really (really) identified the critical business services?
- Until quite recently the focus was on customers and clients and the business services critical to ensuring continuity for them. The regulators have not provided a market-wide taxonomy of business services. Whilst it may appear straightforward (but not easy) to work out the services on which customers and clients rely, this view may have changed during COVID-19. The lockdowns and new ways of accessing firms may have provided new data points on which services are most valued and important. Have these been captured, and have firms considered where disruption would have the most material effect?
- In addition, regulators have refined the definition of a business service from one serving customers and clients to one serving an “end user or participant”. This acknowledges that some critical services have users that are a few steps removed from direct customers: for example, in investment management, where liquidity may be considered an important service to market participants, i.e. users. Has this view also been considered? The skill is in defining services at the right level of granularity to support the setting of impact tolerances. Ideally, firms should define their business services at a level which allows them to consider the different ways in which the end users' needs could be fulfilled. And this should be agnostic of delivery channel.
2. Have you set the right thresholds?
- Setting thresholds may be the most contentious issue. In some ways thresholds are simple to identify, but in reality they should only ever be a proxy for measuring the associated impact. Firms need to locate existing data to help measure the impact over time, estimate the maximum limit, and then validate those limits through a series of scenario tests. But firms shouldn’t feel that there is only one way to set impact tolerances; they should choose the approach that works for them. Regulators will want to see an approach that is both clear and effective. Regulators will also want to understand that thresholds make sense in the real world: reporting that an 8 hour outage can be tolerated is only useful if you can also report who is affected and how. Finally, firms need to consider a range of adverse scenarios when working out the impact of disruption, because that impact may manifest itself in different ways.
3. Have you fully tested and assured the framework and got sufficient evidence?
- Ultimately what the regulators want to see is evidence that a firm has identified the vulnerabilities in its own business services and has agreed a series of steps to improve its overall resilience. Is there sufficient evidence of testing to support the view of performance and of gaps and weaknesses? Regulators acknowledge that firms will already undertake testing programmes in areas such as business continuity, disaster recovery and crisis testing, and these will contribute to an overall view of resilience. However, for many firms testing has not gone beyond this. Most are not in a position to use the “chaos testing” that larger firms can deploy. So what should be in a test plan? As firms build out disruption and tolerance scenarios, new approaches to assurance and testing will emerge. Pay close attention to the new data being made available, even where this feels tactical.
5 reasons to care about Operational Resilience
1. Customer expectations about access and availability have never been higher.
- Delivering a service that is always robust and responsive in the event of issues is both the minimum customer expectation and also a necessity for building and cementing the trust between organisations and customers.
2. Threats are more sophisticated.
- Organisations have widely benefited from technological innovations. However, technology has enabled the creation of cheap but effective cyber weapons, the use of which has unpredictable consequences.
3. The risk of internal failure is higher.
- Increasingly sophisticated systems are being used across application development and infrastructure change. Higher sophistication translates into elevated risk and greater potential impact, both financial and operational, in the event of an internal change failure.
4. Natural disasters and extreme weather events are more severe.
- Over recent years we have witnessed extreme weather events associated with climate change. If either your organisation or your clients are global, you will be affected by such events. Are you ready and able to service your clients under “all and any weather conditions”?
5. Increased regulatory scrutiny.
- In the aftermath of the last financial crisis, the financial services sector has evolved into a highly regulated landscape, with the primary goal of protecting the client. An organisation that is not operationally resilient may find itself unable to respond appropriately.
5 key benefits of Operational Resilience
1. Create synergies
- Focusing on Operational Resilience allows synergies to be identified with other areas where resilience has long been important: strategic resilience (the resilience of a strategy and market position) and financial resilience (capital adequacy and solvency). A combined focus on Operational Resilience may create opportunities to align approaches across all three.
2. Enhance customer loyalty
- Rapidly responding to crises and recovering to deliver good customer outcomes will be a key driver of success in increasingly competitive markets. Trust and loyalty may be enhanced either by preventing disruptions or by out-performing competitors when events do occur.
3. Reduced cost of disruption
- The greater focus on end-to-end service stability, together with clear senior management accountability for resilience, should both reduce the likelihood of disruptions and speed up recovery. So the overall cost of disruption should be lower.
4. Easier to pivot
- The clarity gained about critical services and the people, data, systems and processes that underpin them means that pivots towards new markets, products or customers, or even M&A activity, should be easier. The transparency will aid decisions about key business and operating model changes.
5. More effective resource allocation
- Decision making should be enhanced because it will now be clear which business services are critical, and these are where most resources are needed. So investment cases and the allocation of people or technology should be more effective.