In 2004 the Royal United Services Institute staged a conference, UK Resilience: Joining up the Sectors, whose purpose was to provide a forum for debate on ‘a set of specific issues that have been identified as weaknesses’. One of these is Corporate Resilience, of which it said:
‘The urgent need to develop more resilient organisations has, of necessity, moved business continuity to centre stage, prompted by the need for companies to be able to respond to an array of threats. However, where once corporate security was typically managed in a set of safety-silos, business is now being encouraged to take a more integrated, holistic approach to becoming more resilient. The concept of Corporate Resilience is the uniting of response silos, the assessing of real threats and embedding resilience into everyday operations. Taking a more strategic, more unified look at crisis management and business continuity is a responsible approach in the current climate and should help companies tackle more regular business and technical issues’.
Fast Forward to Today
Fast forward to 2016 and consider the world of Financial Services.
Things have got a lot more complicated as companies have extended their dependence on complex, often global, supplier networks, outsourced operations, automated business processes and reshaped IT estates to take advantage of hyper-scale cloud economics.
In that light, the threats of 2004 may start to look a little tame by comparison with today’s.
However, some things have not changed.
The imperative to think strategically about crisis management and its normalisation in every part of a company’s operations is as strong as ever.
The systemic importance of the established Financial Services sector to this and every developed economy is beyond reasonable debate, despite the emergence of a thousand smart new ways to do certain things brought about by Fintech and the fundamental innovation which is the blockchain.
The vigilance of the infrastructure architects, business continuity planners and crisis managers who do their work largely as unsung heroes.
But other things most definitely have changed.
Board interest in the smooth running of its business and the maintenance of its reputation has understandably intensified in the wake of a series of business interruptions which has turned from a trickle into a steady stream, and which have only their unpredictability in common. The multi-tenanted cloud data centre going down. The faulty software upgrade. The super-hack. The rogue trader. The cyber fraudster or tricksy algorithm crashing financial markets.
The emergence of hyperconnected, mobile workforces which can work, for the most part, anywhere where there is secure connection to virtual private networks and the internet.
The ability to integrate, analyse and visualise streams of data from many disparate platforms and applications to improve the scope, speed and consistency of operational decision-making.
The new understanding
At the same time, there are powerful forces at work which have repurposed and reshaped business resilience to be a strategic enabler for change. Its days as an under-recognised, little loved overhead of doing business are over.
A startling convergence of new technologies has unleashed a depth and pace of change in every corner of the sector unimaginable in 2004 and which only in the last few years has started to remake the industry from the ground up.
So it’s a climate in which the winners are acting to exploit the huge business opportunity afforded by digital technologies with a clear understanding that enterprise-wide digitisation creates new technical, operational and reputational risks which may not fully be anticipated and so not fully mitigated.
A gathering chorus has pointed up the critical importance of getting this right.
Andrew Winston threw down a gauntlet to the technical community when he wrote
‘In a world which is volatile, uncertain, complex and ambiguous…nobody can prepare for every possible outcome… But we can build systems that are better prepared than they are now’
(‘Why you need a resilience strategy now’, HBR, 2014).
The World Economic Forum placed systemic resilience at the centre of its recent gathering:
‘it is clear that companies, governments and regulators alike will need to develop new capabilities in order to adapt fully to a digital future’ (Three questions for the Industrial Revolution, WEF, Davos, 2016).
Andrew Tyrie, Chairman in 2015 of the UK’s Treasury Select Committee, wrote to the Bank of England’s head of prudential regulation: ‘Every month we have yet another IT failure at a major bank…These IT blunders and weaknesses are exposing millions of people to uncertainty, disruption and sometimes distress. Businesses suffer too. We can’t carry on like this.’
(Reuters reported in ComputerWorld UK, January 2016).
Indeed we can’t.
And needn’t either.
The starting point is to recognise what business financial services firms are now in.
The business of resilience.
Because financial services businesses are digital businesses. As digital businesses are Always On, they must be digitally resilient. A digitally resilient business is one which has the flexibility to exploit immediate opportunity, the certainty that its systems, processes and people are protected against disruption and the agility to recover smoothly and quickly in the event of significant business interruption.
Old thinking and its consequences
Let’s get some old thinking on the table and test how adequate it appears in the context of today’s competitive imperatives, systemic interdependence, customer, shareholder, regulatory and political expectations.
‘We have DR and BC plans in place already. What’s the problem?’
All financial services organisations have Disaster Recovery and Business Continuity plans at some level. Many fewer keep them fully updated or test them frequently or fully enough to know they actually work. There is invariably a need to look forensically at all aspects of resilience to be able to maintain and trust a set of well researched, consistent and integrated arrangements which reflect the latest configuration of the organisation structure, its working practices, physical locations, operations and information
‘We manage this stuff functionally. You can’t really integrate it’.
We are back in the safety-siloes. To be resilient, it has to be integrated. Painstakingly building up an aggregated view from many different units which contribute to DR and BC plans is not the same as creating an integrated set of resilience responses.
Aggregation is not integration.
‘We see this as a cost. It earns no revenue’
Most financial services organisations are working to transform their businesses to become more fully digital. This shift is profound and means reinventing every aspect of the enterprise. Doing this brings new risks, few of which are yet fully predictable.
Any organisation which treats business resilience as a cost injects progressively higher risk at this time of rapid change.
In summary, old thinking contents itself with too many unconnected control points in the organisation to be effective in the event of business interruption. And with contingency plans that don’t work usefully in practice, because they are unsupported by high quality workplace technologies and integrated physical continuity arrangements.
What does ‘better’ look like?
Integrated resilience arrangements which insulate operations, people and data from the toxic effects of business interruption and technology outages.
Workforces which are able to transfer to continuity sites and enjoy access to exactly the same applications, voice and data facilities as they have in their normal workplace.
Flexible capacity which creates the ability to expand at no notice into new digital workplaces to exploit unplanned demand spikes; to transition workforces in the event of re-organisation, acquisition or merger; to hold workforces pending lease fulfilment for permanent premises.
The business of managing resilience in Financial Services has changed rapidly as the industry has responded to new technologies. For practical purposes, it has become a fusion of multi-disciplinary professional practice, the adoption of leading edge security and digital workplace technologies, and the exercise of enterprise-wide governance enabled by strong measurement, reporting and assessment systems.
But whilst the model has matured, many firms across the sector are still coming to grips with the new realities. This is one of many cases in which collaboration can be catalysed by outside agents, be they technology firms, specialist consultants or systems integrators.
The sweetest spot may be to find an outside organisation which combines all of these.