“Resilience is all about being able to prevent or overcome the unexpected. Sustainability is about survival. The goal of resilience is to thrive.” - futurist Jamais Cascio
As regulatory authorities turn their attention from Operational Continuity in Resolution (OCIR) to the less well-defined ‘operational resilience’, boards and business leaders will be forgiven their inevitable apprehension. At first glance, guidance from the Bank of England, the PRA and the FCA appears light. This raises the question: when will demands for operational control relent and afford businesses the opportunity to invest in true evolution and transformation?
In contrast, we believe that the operational resilience agenda represents far more than a further regulatory obligation. In fact, financial institutions should consider it an opportunity to evolve and optimise operational capabilities.
Operational resilience should be embraced as ‘good business sense’, rather than applied simply as a set of protective measures for survival.
Operational resilience makes good business sense
Operational resilience gives us the opportunity to address a range of issues that face the industry. Most notably we see reputational, customer retention, talent attraction, financial and systemic benefits. A risk and control-orientated focus often results in the broader benefits – derived from delivering enhanced resilience – being overlooked. For example, we consider the following through customer, systemic and institutional lenses:
[Figure: the overlapping customer, systemic and institutional sustainability lenses]
The overlapping lenses of operational resilience
Our understanding of operational resilience is through three lenses:
- Systemic stability (ensuring the system is not threatened by one or several operational failures)
- Customer (notably retail, but not exclusively)
- Firm sustainability (ensuring operational failures do not threaten the viability of a firm, including outcomes of reputational damage)
These lenses are not mutually exclusive.
Either individually or in combination, the customer, institutional and systemic factors will impact the resilience of a firm’s various operational platforms, processes and systems in different ways.
Immediate impacts tend to be more identifiable from a single perspective. Nonetheless, the situation is fluid. In the long term, impacts tend to amalgamate (for example, a chronic customer or systemic impact may over time create firm sustainability issues).
In assessing an institution’s operational resilience, the influence of non-operational factors on operational processes has recently become more pronounced. Understanding these factors and their impact is fundamental to realising the broader benefits of operational resilience.
Unsurprisingly, where firm sustainability is concerned, a sound strategy, operational processes and protocols are the integral foundations on which customer and systemic resilience are built.
Both the scope and influence of customer and firm resilience have evolved. Where resilience was focused on operational risks and controls, it now extends to both tangible and intangible influences, including strategic risks, competition risk and talent. Unless addressed effectively, over time, an unresolved or recurring customer or systemic issue can come to threaten firm sustainability.
While firms have reported an increase in technology outages over the past year, as well as an 18% increase in cyber-attacks, such headline-grabbing IT outages, data leaks and hacks are simply the most measurable manifestations of operational weakness.
Senior management cannot ignore “creeping weaknesses”. These are the subtle weaknesses that can take years to notice. While they may crystallise suddenly, the real risk is that they characteristically do not. Over time, the cumulative impact of this drip effect compounds and complicates the challenge.
The potential influence of each of these elements will be driven both by the firm’s operating model and its market position (for example, is it one of many offering a systemic service, or one of few?).
Firms must be increasingly conscious of the evolving impact of external factors on their own resilience plans. The dynamic nature of these elements requires a more adaptable business model. The means by which firms assess, identify and mitigate resilience risks must become more proactive, iterative and flexible.
Delivering beyond the minimum makes business sense
Resilient or reactive? The truth is, both. The regulators acknowledge that the UK is not a “no failure” regime, but demonstrating an appetite to deliver beyond minimum requirements is another instance of ‘good business sense’ – gaining favour with regulators and delivering the business evolution customers, shareholders and employees demand.
Delineating between OCIR, operational resilience, operational risk, business continuity and the associated analyses is a fundamental step in a firm’s evolution. Understanding and defining the interrelationships and dependencies will enable firms to better allocate responsibility and more clearly evidence control.
Operational resilience in context
| Term | Meaning in this context |
|---|---|
| Operational resilience | Ensuring your operation is failure-aware and failure-responsive |
| Operational continuity in resolution | Safeguarding systemic processes (critical economic functions) in the event of firm failure |
| Operational risk | Understanding, monitoring and mitigating threats to resilience and continuity |
| Business continuity and/or remedial activity | Responding to and recovering strongly from an operational resilience failure |
| Root cause analysis | Understanding the cause of failure and applying that learning |
Operational resilience is about ensuring that financial ecosystems, key services and customers are not impacted when incidents occur, where those incidents cannot be prevented in the first place. The principal step towards operational resilience is mapping systems and processes, then identifying and addressing potential weaknesses. The resilient organisation is able to bounce back: if something does go wrong, it restores the service quickly, minimising external disruption.
Finally, the organisational DNA will foster learning and change management to “future fix” operations, collectively aiming to ensure that whatever outage, downtime or breach happened will not happen again.
It is crucial that organisations have a clear understanding of their operational map – the combination of systems, processes and people that fulfil a need in the eyes of its customers or clients. The recent joint PRA/FCA/Bank of England paper sets out their clear expectation that firms quantify potential impacts and acceptable tolerances across process components, and those components’ resilience to stress.
Our methodology starts from the customer-facing product and service catalogue. This provides the foundation for any assessment of customer needs, informing an end user-orientated approach to resilience. Internally, resilience will largely be determined by which parts of the internal service catalogue support the provision of the product from end-to-end, and the strength of that chain.
An operational resilience dashboard is then formed to determine where the least resilient or most impactful components lie. The initial dashboard will likely give rise to further questions and clarifications. This iterative process is positive and we expect it to become part of the cadence of the firm.
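The mapping described above (customer-facing service catalogue, the internal services that support each product end-to-end, impact tolerances for severity and duration, and a dashboard that surfaces the least resilient or most impactful components) can be made concrete in a small model. The following is an added example, not the article’s or the authors’ methodology; every service name, recovery time and tolerance is constructed, and the scoring (weakest link by tested recovery time, ranked by margin against tolerance and by how many customer services depend on a component) is an assumption about how such a dashboard might be built.

```python
"""Toy operational-resilience dashboard (added example; hypothetical data and scoring)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class InternalService:
    name: str
    tested_recovery_hours: float  # constructed: time to restore, as measured in resilience testing


@dataclass
class CustomerService:
    name: str
    tolerance_hours: float        # impact tolerance (duration): longest disruption the firm will accept
    severity: int                 # impact tolerance (severity): 1 = minor ... 5 = systemic
    chain: List[InternalService]  # internal services the product depends on, end to end


# Constructed internal service catalogue (hypothetical names and figures).
CORE_LEDGER = InternalService("core_ledger", 8.0)
PAYMENTS_GATEWAY = InternalService("payments_gateway", 4.0)
MOBILE_APP = InternalService("mobile_app", 2.0)
CARD_AUTH = InternalService("card_auth", 1.0)
KYC_PLATFORM = InternalService("kyc_platform", 24.0)

# Constructed customer-facing product and service catalogue.
CATALOGUE = [
    CustomerService("Faster Payments", 4.0, 5, [MOBILE_APP, PAYMENTS_GATEWAY, CORE_LEDGER]),
    CustomerService("Card purchases", 2.0, 4, [CARD_AUTH, CORE_LEDGER]),
    CustomerService("Balance enquiry", 12.0, 2, [MOBILE_APP, CORE_LEDGER]),
    CustomerService("Account opening", 72.0, 1, [KYC_PLATFORM, CORE_LEDGER]),
]


def weakest_link(service: CustomerService) -> InternalService:
    """The chain is only as strong as its slowest-to-recover component."""
    return max(service.chain, key=lambda s: s.tested_recovery_hours)


def tolerance_breaches(catalogue: List[CustomerService]) -> List[str]:
    """Customer services whose weakest link cannot be restored within their impact tolerance."""
    return [cs.name for cs in catalogue
            if weakest_link(cs).tested_recovery_hours > cs.tolerance_hours]


def dashboard(catalogue: List[CustomerService]) -> List[Tuple[str, Dict[str, float]]]:
    """Rank internal services: tightest margin against any tolerance first, then by
    severity-weighted number of dependent customer services (most impactful first)."""
    rows: Dict[str, Dict[str, float]] = {}
    for cs in catalogue:
        for comp in cs.chain:
            row = rows.setdefault(comp.name, {
                "dependants": 0, "severity_weight": 0, "min_margin_hours": float("inf")})
            row["dependants"] += 1
            row["severity_weight"] += cs.severity
            # Negative margin means this component alone would breach that service's tolerance.
            row["min_margin_hours"] = min(row["min_margin_hours"],
                                          cs.tolerance_hours - comp.tested_recovery_hours)
    return sorted(rows.items(),
                  key=lambda kv: (kv[1]["min_margin_hours"], -kv[1]["severity_weight"]))


if __name__ == "__main__":
    print("Tolerance breaches:", tolerance_breaches(CATALOGUE))
    for name, row in dashboard(CATALOGUE):
        print(f"{name:18} dependants={row['dependants']:.0f} "
              f"severity_weight={row['severity_weight']:.0f} "
              f"min_margin_hours={row['min_margin_hours']:+.1f}")
```

With the constructed figures the dashboard puts `core_ledger` at the top: it sits in every chain and its eight-hour tested recovery breaches the tolerances of both Faster Payments and card purchases, which is exactly the kind of question (invest in ledger recovery, or change the tolerance?) that the article expects the initial dashboard to raise.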
Operational resilience as a route to competitive advantage
There are clear and common benefits to a firm becoming operationally resilient for each of its major stakeholder groups, be they customers, staff, management, shareholders or regulators.
This is an opportunity for firms to "future fix", to create more effective operating models and to thrive.
For more information contact Gareth Miller.
Areas to consider when approaching the initial assessment include
- Scoping the operational resilience universe
- Categorising the end-users: buyers, customers, clients, stakeholders
- Completeness of product and service catalogues
- Comprehensiveness of process mapping
- Governance, risk management and oversight (including policies and procedures)
- Outsourcing and supplier resilience
- Setting appropriate impact tolerances; severity and duration
- Resilience testing; infrastructure, IT systems and people
- Incident Management, Root Cause Analysis and effective learning