The Basel Committee on Banking Supervision’s Principles for operational resilience outlines the vision that the global regulatory body has for this emerging discipline. There is quite a bit to digest in this paper, but there are five key considerations to be found within the document that firms should not overlook as they read it and prepare to implement – or upgrade – their own operational resilience programmes. These include:
- Operational risk is the home for operational resilience. According to the Principles for operational resilience paper, “The bank’s operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.” Regulators are once again underscoring the central role that operational risk management should play within financial services firms. Moreover, this text underscores the need for operational risk to have access to joined-up governance, risk and compliance (GRC) data from across the organisation to help coordinate the operational resilience efforts.
- Third party risk management is a growing focus. The role of third parties in operational resilience preparedness and response is underscored several times in the paper, highlighting the increasing attention that regulators around the globe are placing on third party relationships across a variety of regulatory topics. For example, the operational resilience paper says: “The board of directors should take an active role in establishing a broad understanding of the bank’s operational resilience approach, through clear communication of its objectives to all relevant parties, including bank personnel, third parties and intragroup entities.” Spelling out a board-level responsibility for operational resilience communication to third parties shows just how much regulators want accountability for third-party relationships situated at the highest levels within firms. For UK firms, this translates into allocated accountabilities under the Senior Managers & Certification Regime.
- Focus on the customer and capital. There has been much industry discussion about the cultural implications of the shift in focus that operational resilience makes towards customers and other external stakeholders. Risk management, it is said, is inward-looking while operational resilience is outwardly directly. It is a good thing for regulators to specifically call out the need for this external focus through the work on operational resilience – it is too often overlooked and should also be a much greater part of thinking around risk management. However, firms should be under no illusions – the ultimate goal of both risk management and resilience is the preservation of capital. After all, without capital, there is no way forward for firms, or their customers. Operational resilience is designed to boost confidence in individual firms and the financial system as a whole among customers and other stakeholders, potentially reducing systemic risk, and the need for firms to dip into their regulatory capital in the event of a mass cyberattack, for example.
- Embrace three levels of risk appetite. The operational resilience paper implies that regulators understand there to be three levels of risk appetite: expected (i.e. residual), unexpected (towards inherent but not necessarily at inherent) and stressed (now the resilience level). Firms should bake these three levels into their risk appetite-related processes, connecting risk and resilience together at a strategic level for the organisation. By doing this, the board and senior managers will be better able to understand the position of the firm vis-à-vis risk and resilience. This will translate into improved decision-making about investment in operational risk and operational resilience initiatives.
- Keep operational risk goals in mind. The interrelationship between operational risk and operational resilience needs to be woven into the organisation’s framework and processes for both. For example, in the operational resilience paper, it says that “The goal of incident management is to limit the disruption and restore critical operations in line with the bank’s risk tolerance for disruption.” However, this is just one goal – the operational resilience goal. The operational risk goal is to deliver a robust root cause analysis. Firms need to keep this in mind as they shape their incident management response processes. As well, firms need to be able to connect operational risk data and processes to operational resilience ones within the GRC software they use – the frameworks need to be closely aligned so that activities are mutually supportive and not duplicative.