Published by ORX, the world’s largest operational risk association with a membership of over 100 banks and insurers globally, the findings highlight how much the industry is shifting from traditional risk prevention to adapting, responding, recovering and learning through times of significant disruption.

Operational resilience has been on the [1]Bank of England and [2]Basel Committee on Banking Supervision’s agenda in the last few years, but the concept is now gaining momentum with regulators around the world.

Dr Luke Carrivick, Director of Research & Information at ORX explains, “The regulatory focus on operational resilience comes with an assumption that disruptive events will (not might) occur. In addition, it comes with much more concern for the impact on customer services and the wider industry, rather than a financial loss to the business.”

Critically, the coronavirus (Covid-19) pandemic has tested the industry’s ability to manage during disruption and operational resilience is now one of the top issues on the boardroom agenda.

Carrivick commented, “Coronavirus is the biggest operational challenge financial institutions have faced in a long time, if not ever, and they are now having to consider how to capture and understand the implications for resilience.

“A disruption on this scale had simply not been anticipated or planned for by most firms and has proven to be a stress on a broad range of areas: from business continuity frameworks to third party management, and from technology to people risk, to name a few.”

The ORX study findings included the following considerations for financial services firms:
1. Define the relationship between operational risk management and operational resilience – institutions should treat operational resilience as an outcome of effective operational risk management. As a result, consideration needs to be given to where and how operational resilience fits into organisational models, from roles and responsibilities to governance and reporting. It is important to avoid creating a separate silo.
2. Have clear definitions and aligned terminology to support the industry and allow for collaboration – For example, UK regulators are promoting a view of creating resilient end-to-end (important) business services, while in contrast, the BCBS references “critical operations”.
3. Use existing operational risk management practices to embed resilience – Two key areas of challenge were scenario development and testing and adapting existing risk and control self-assessments to include an operational resilience perspective.
4. Get the correct level of granularity when defining important business services – Under UK regulation, being able to set and test impact tolerances will be the determining factor when defining the level of granularity at which important business services are defined. The majority of firms are considering ‘the point of harm’ as part of the process; however, the methodology used varies greatly with no single view of important business services which could be adopted.
5. Decide whether to rank criticality of business services and how – The way in which important business services are defined, identified and/or managed varies. Some organisations are calculating, weighting, ranking and prioritising certain activities, while others are taking the view that once defined as important/critical work to achieve resilience is a must.
6. Consider what is important to the firm, the customer, and regulatory and market requirements – UK regulation is highly geared towards ensuring the impact of disruption to the end customer is mitigated. Firms need to make strategic operational resilience decisions and set priorities while protecting their organisation and the wider market.
Carrivick adds: “These challenges are very real for the global financial community. We must ensure that institutions understand how they can respond to and recover from future events.

“There will no doubt be more challenges ahead, but so far we have seen – through our membership and the programme of work we are facilitating on resilience – that financial institutions are quick to adapt and learn for the future.”