Operational resilience, the ability to protect critical operations and core business lines from any hazard, needs to be right at the top of the agenda across the financial services ecosystem. Its importance has been significantly reinforced by the year we
have just had. The pandemic brought about massive disruption across the industry, affecting how supply chains function, how customers behave and what customers expect. The whole way many institutions do business has been forced to change fundamentally in ways
that were for the most part not foreseen. Other factors, such as Brexit, have underlined the reality of how events can turn cosy assumptions on their head.
So what does all this mean for operational resilience strategies as we go forward? When the pandemic struck, it soon became apparent that traditional business continuity and disaster recovery planning, functions that are often carried out in siloes, were
not for the most part up to the task of helping banks manage effectively. The outbreak caught many off guard, with some organisations having to suspend operations while they adjusted to new realities, fast realising that their contingency plans were either
only partly successful or completely unsuccessful in responding to the pandemic.
As the pandemic continues to evolve, it is likely that organisations will be faced with the disruption associated with shifting between times of restriction and relaxation. Building a recovery during such a period of flux will undoubtedly be challenging
and will call for what Deloitte terms the need to build
‘modified resilient operations’ whereby recovery is sustainable in terms of resource use and flexible enough to meet inevitable change.
To add another layer of complexity to an already challenging situation, regulators have for a while been signalling their concerns over operational resilience. Even before the pandemic struck, questions were being posed.
At the end of 2019, the UK’s financial regulators, namely the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), jointly published a series of
consultation papers on operational resilience in the financial sector. This initiative was a direct consequence of the public scrutiny that followed a long list of IT failures and cybersecurity breaches across the financial services spectrum. Calls followed
for a more explicit framework to force banks and insurers to enhance their operational resilience, and thereby protect the wider UK economy from the impact of operational disruptions.
Regulators identified five key themes arising from the issue that it requires firms to take note of:
-
Firms should adopt a services-driven view, focussing time, effort and resources on what is important to their customers
-
Business services should be prioritised by their relative importance to three main considerations: financial stability, viability of the firm and harm done to customers or other market participants.
-
Firms should be clear about their tolerated threshold for harm or financial loss caused by severe but plausible disruptions
-
Banks should think through how to manage prompt and meaningful communications during a disruption
-
Once tolerances for disruption are established, they should be tested against dynamic scenarios to prove they can be met
This is not just a UK thing. Regulators from around the world are refocusing supervisory approaches on operational resilience to support the soundness of financial firms and the stability of the financial universe.
But a fresh approach to operational resilience, one that is tied into a wider strategy on digital transformation, should not be seen simply as a regulatory burden. Instead it should be understood as the bedrock on which all sorts of other good things can
be built.
I recently wrote an article on digital twinning, exploring how institutions from across the banking sector are turning to the idea to help them with a range of challenges. But institutions that want to use twinning to model scenarios and test new ideas must
first make sure that such efforts are built on certainty. By pursuing the goal of operational resilience, they will end up a lot more certain of the foundations that their business is based on. If they seek agility, continuity, situational awareness and continuous
improvement, then they must first be sure about every aspect of their processes.
For many organisations, this will mean a fundamental review of the real business processes to the designed process. To get end-to-end visibility on current process performances based on real operational data from system logs to create a solid foundation
for accurate analysis and diagnosis of process issues. This will allow them to then continually measure business process performance in real-time to check compliance and ensure continuous return on investment. Most analysts suggest an initial multi-million-pound
investment for enterprise organisations for this initial review and a significant annual budget for the operational management thereafter.
This will involve, among other things, smarter use of data, and better collaboration across functions as well as an improved methodology for understanding where risk is. Questions must be asked about how to manage tolerances within that framework of risk.
There’s no point in running experimental scenarios if you can’t move quickly enough once an opportunity is spotted. Why build new lines of business if you are unable to protect yourself against a major service outage in the event of supply chain disruption
or cyberattack?
The good news is that moves to improve operational resilience may tie in well with other initiatives that banks are engaged on, like digital transformation and migration of essential workloads and services to the cloud. Indeed, a well-executed migration
to a platform such as AWS or Google Cloud can play a meaningful part in strengthening resilience. Where once cloud migration was perceived as creating an unnecessary new risk, it is now seen as potentially providing financial services firms with strengthened
operational resilience in ways that are not otherwise achievable.
Better operational resilience is not achieved overnight. Risk managers must help foster an organisational resilience culture by engaging senior management in planning decisions and developing a joined-up approach to resilience strategy. In addition to cultural
change, banks should seek out the kind of technology platforms that can play a part. There’s a lot to be gained for those that get this issue right. And as the last 12 months have proved, there’s also plenty to lose.