Operational resilience – Creating a fundamental shift in perspective for risk management?

This blog is the first in a series that will look more closely at important issues around operational resilience within financial services firms. To begin with, it’s important to understand how thinking about operational resilience will change the way financial services firms and their regulators will manage operational risk going forward.

The implementation of operational resilience will create a 180-degree change in perspective for financial services firms. That’s because much of risk management today, often built upon regulation that came out of the Financial Crisis of 2008, is inward-focused. For example, the current concept of risk appetite is concentrated almost entirely on how loss events impact a firm internally. In contrast, operational resilience is outward-focused – regulators are developing an approach that is interested in understanding how events impact a firm’s customers, other firms, and the financial system as a whole.

Regulators are also expecting firms, through the process of building operational resilience, to make this shift in focus too. For example, the UK Financial Conduct Authority, in its consultation paper, Building operational resilience: impact tolerances for important business services, outlines how firms should identify their important business services. These are not services that are considered essential internally to the operation of the firm, but rather, “services that, if disrupted, would be most likely to cause intolerable levels of harm to consumers, or market integrity.” To identify important business services, firms need to ascertain the users of individual services. In particular, firms need to explore the impact of a loss of a business service on “vulnerable consumers who are more susceptible to harm from a disruption.”

Accelerating the shift
It’s very clear that this change from firms being inward-looking to being outward-looking through operational resilience will be accelerated by the current Covid-19 pandemic. The coronavirus crisis is forcing firms to implement operational resilience at speed in many cases, to ensure they are able to provide products and services for existing customers as well as maintain market integrity. So, although the formal UK regime will not take effect until 2021, operational resilience is no longer just a regulatory imperative. It is a business priority.

In practice, how firms understand operational risk will be transformed as well – operational risk and resilience are connected. To implement operational resilience programmes, firms will need to rethink their risk appetites and frameworks, so that risks and controls don’t just relate to potential harm to the firm, but also harm to individuals, entities, and the financial system as a whole. This goes well beyond conversations about reputational risk and legal risk, which in the end are risks that are inward-looking, as it is the firm that is the focus of the harm. Instead, firms need to think about managing risks and building resilience to prevent harm to customers, other firms, or the financial system as a whole.

This fundamental change in understanding risk is very much in tune with broader societal changes in the wake of the Covid-19 pandemic. After all, in the UK, the public actively sought to prevent harm to others by willingly engaging in a lockdown to protect the NHS. This was often at risk of causing harm to themselves, for example by not being able to work.

Certainly, the nature of what is considered a risk for a financial firm will change, with the inclusion of risks to customer services, services to the vulnerable, and the financial system taking higher priority. The personal accountability of risk owners for harm prevention will likely continue to be enhanced too. It’s also likely there will be much more emphasis on the more rapid detection of risk events by the organization, and agile response to those events. In addition, the correlation of multiple risks, controls and events will need to be analysed in depth, making robust operational resilience software crucial. Spreadsheet-based approaches will struggle to cope in this new environment.

Identifying essential action points
In light of this coming shift, firms should seek to begin to implement operational resilience as soon as possible. Key steps firms can take to do this include:

1. Identify key business services from a customer perspective
2. Assess these for materiality against consumers, markets, firm safety and financial stability
3. Identify the business resources needed to deliver these services, such as people, processes, technology, facilities, IT and third parties
4. Map these resources for each key business service, ensuring the map is complete, accurate, documented and signed-off
5. Define the impact tolerance for each service and produce SLA targets
6. Map this information to existing operational risk data, such as risks, controls, events, and actions
7. Perform a gap analysis on operational risk data versus risks identified through the operational resilience analysis
8. Establish key indicators for each impact tolerance level and source the associated metrics
9. Perform quantitative-based scenario analysis on control failures and stress test the impact of risks occurring
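Steps 3 to 9 above can be made concrete with a small model. The following is an added example, not code from the original post or from any vendor’s product: it maps a constructed “Payments” service to the resources it depends on, records an impact tolerance, runs a deterministic stress test (“what if this resource fails?”), estimates the probability of breaching the tolerance by quantitative scenario analysis (Monte Carlo plus the exact closed form), and performs the gap analysis of step 7 against an operational risk register. All service names, failure probabilities, recovery times and the 24-hour tolerance are assumptions chosen for illustration.

```python
import random
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Resource:
    """A resource a business service depends on (step 3): people, process,
    technology, facility or third party. fail_prob is the assumed probability
    that the resource fails in one scenario; recovery_hours is the assumed
    time to restore it once failed. Both are constructed illustrative values."""
    name: str
    kind: str
    fail_prob: float
    recovery_hours: float

@dataclass(frozen=True)
class BusinessService:
    """A key business service (step 1) with its impact tolerance (step 5),
    expressed here as the maximum tolerable hours of disruption."""
    name: str
    impact_tolerance_hours: float
    resources: Tuple[Resource, ...]

# Constructed sample service map (step 4). Values are illustrative only.
PAYMENTS = BusinessService(
    name="Payments",
    impact_tolerance_hours=24.0,
    resources=(
        Resource("Core banking platform", "technology", fail_prob=0.02, recovery_hours=6.0),
        Resource("Payment gateway (third party)", "third party", fail_prob=0.05, recovery_hours=30.0),
        Resource("Primary data centre", "facility", fail_prob=0.01, recovery_hours=48.0),
        Resource("Branch staff", "people", fail_prob=0.10, recovery_hours=2.0),
    ),
)

def stress_test(service: BusinessService, failed: Set[str]) -> Tuple[float, bool]:
    """Step 9, deterministic form: assume the named resources fail together.
    The service is down until the slowest failed resource is restored, so
    disruption is the maximum recovery time among them. Returns (hours, breached)."""
    hours = max((r.recovery_hours for r in service.resources if r.name in failed), default=0.0)
    return hours, hours > service.impact_tolerance_hours

def analytic_breach_probability(service: BusinessService) -> float:
    """Exact probability of breaching the tolerance under independent failures:
    a breach happens iff at least one resource whose recovery time exceeds the
    tolerance actually fails, so P(breach) = 1 - prod(1 - p_i) over those."""
    p_no_breach = 1.0
    for r in service.resources:
        if r.recovery_hours > service.impact_tolerance_hours:
            p_no_breach *= 1.0 - r.fail_prob
    return 1.0 - p_no_breach

def simulated_breach_probability(service: BusinessService, trials: int = 20000, seed: int = 7) -> float:
    """Monte Carlo version of the same question. Useful once dependencies stop
    being independent or recovery times become distributions, where no closed
    form exists; here it should agree with analytic_breach_probability."""
    rng = random.Random(seed)
    breaches = 0
    for _ in range(trials):
        failed = {r.name for r in service.resources if rng.random() < r.fail_prob}
        _, breached = stress_test(service, failed)
        breaches += breached
    return breaches / trials

def gap_analysis(service: BusinessService, risk_register: Set[str]) -> List[str]:
    """Step 7: resources the service depends on that have no entry in the
    operational risk register (no risk or control recorded against them)."""
    return [r.name for r in service.resources if r.name not in risk_register]

def indicator_status(service: BusinessService, observed_outage_hours: float) -> str:
    """Step 8: a key indicator against the tolerance, reported as a simple
    three-level status so the metric can be sourced and monitored."""
    ratio = observed_outage_hours / service.impact_tolerance_hours
    if ratio >= 1.0:
        return "BREACH"
    if ratio >= 0.5:
        return "AMBER"
    return "GREEN"

if __name__ == "__main__":
    # Constructed register: the firm already tracks two of the four resources.
    register = {"Core banking platform", "Branch staff"}
    print("Stress test, gateway down:", stress_test(PAYMENTS, {"Payment gateway (third party)"}))
    print("Exact P(breach):", round(analytic_breach_probability(PAYMENTS), 4))
    print("Simulated P(breach):", round(simulated_breach_probability(PAYMENTS), 4))
    print("Register gaps:", gap_analysis(PAYMENTS, register))
    print("Indicator at 14h outage:", indicator_status(PAYMENTS, 14.0))
```

The point the model makes is the one the list is driving at: the third-party gateway and the data centre, not the core platform, are what can push the service past its tolerance, and the gap analysis shows exactly those two are missing from the risk register. Replacing the constructed probabilities with figures sourced from incident history, and the fixed recovery times with distributions, is what turns this into the quantitative scenario analysis of step 9.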

In summary, financial firms need to create operational resilience frameworks, and link these to their operational risk programmes as soon as possible. Not only is this consistent with the regulatory direction of travel, but it is also in alignment with evolving trends in social attitudes in the wake of the Covid-19 pandemic. Finally, it is just good business and risk management practice.

