Operational resilience – Creating a fundamental shift in perspective for risk management?

This blog is the first in a series that will look more closely at important issues around operational resilience within financial services firms. To begin with, it’s important to understand how thinking about operational resilience will change the way financial services firms and their regulators will manage operational risk going forward.

The implementation of operational resilience will create a 180 degree change in perspective for financial services firms. That’s because much of risk management today, often built upon regulation that came out of the Financial Crisis of 2008, is inward-focused. For example, the current concept of risk appetite is concentrated almost entirely on how loss events impact a firm internally. In contrast, operational resilience is outward-focused – regulators are developing an approach that is interested in understanding how events impact a firm’s customers, other firms, and the financial system as a whole.

Regulators are also expecting firms, through the process of building operational resilience, to make this shift in focus too. For example, the UK Financial Conduct Authority, in its consultation paper, Building operational resilience: impact tolerances for important business services, outlines how firms should identify their important business services. These are not services that are considered essential internally to the operation of the firm, but rather, “services that, if disrupted, would be most likely to cause intolerable levels of harm to consumers, or market integrity.” To identify important business services, firms need to ascertain the users of individual services. In particular, firms need to explore the impact of a loss of a business service on “vulnerable consumers who are more susceptible to harm from a disruption.”

Accelerating the shift
It’s very clear that this change from firms being inward-looking to being outward-looking through operational resilience will be accelerated by the current Covid-19 pandemic. The coronavirus crisis is forcing firms to implement operational resilience at speed in many cases, to ensure they are able to provide products and services for existing customers as well as maintain market integrity. So, although the formal UK regime will not take effect until 2021, operational resilience is no longer just a regulatory imperative. It is a business priority.

In practice, how firms understand operational risk will be transformed as well – operational risk and resilience are connected. To implement operational resilience programmes, firms will need to rethink their risk appetites and frameworks, so that risks and controls don’t just relate to potential harm to the firm, but also harm to individuals, entities, and the financial system as a whole. This goes well beyond conversations about reputational risk and legal risk, which in the end are risks that are inward-looking, as it is the firm that is the focus of the harm. Instead, firms need to think about managing risks and building resilience to prevent harm to customers, other firms, or the financial system as a whole.

This fundamental change in understanding risk is very much in tune with broader societal changes in the wake of the Covid-19 pandemic. After all, in the UK, the public actively sought to prevent harm to others by willingly engaging in a lockdown to protect the NHS. This was often at risk of causing harm to themselves, for example by not being able to work.

Certainly, the nature of what is considered a risk for a financial firm will change, with the inclusion of risks to customer services, services to the vulnerable, and the financial system taking higher priority. The personal accountability of risk owners for harm prevention will likely continue to be enhanced too. As well, it’s likely there will be much more emphasis on the more rapid detection of risk events by the organization, and agile response to those events. In addition, the correlation of multiple risks, controls and events will need to be analysed in depth, making robust operational resilience software crucial. Spreadsheet-based approaches will struggle to cope in this new environment.

Identifying essential action points
In light of this coming shift, firms should seek to begin to implement operational resilience as soon as possible. Key steps firms can take to do this include:

1. Identify key business services from a customer perspective
2. Assess these for materiality against consumers, markets, firm safety and financial stability
3. Identify the business resources needed to deliver these services, such as people, processes, technology, facilities, IT and third parties
4. Map these resources for each key business service, ensuring it’s complete, accurate, documented and signed-off
5. Define the impact tolerance for each service and produce SLA targets
6. Map this information to existing operational risk data, such as risks, controls, events, and actions
7. Perform a gap analysis on operational risk data versus risks identified through the operational resilience analysis
8. Establish key indicators for each impact tolerance level and source the associated metrics
9. Perform quantitative-based scenario analysis on control failures and stress test the impact of risks occurring

In summary, financial firms need to create operational resilience frameworks, and link these to their operational risk programmes as soon as possible. Not only is this consistent with the regulatory direction of travel, but it is also in alignment with evolving trends in social attitudes in the wake of the Covid-19 pandemic. Finally, it is just good business and risk management practice.

To talk more about the relationship between operational risk and operational resilience please contact us.
