Operational resilience – Creating a fundamental shift in perspective for risk management?


This blog is the first in a series that will look more closely at important issues around operational resilience within financial services firms. To begin with, it’s important to understand how thinking about operational resilience will change the way financial services firms and their regulators will manage operational risk going forward.

The implementation of operational resilience will create a 180-degree change in perspective for financial services firms. That’s because much of risk management today, often built upon regulation that came out of the Financial Crisis of 2008, is inward-focused. For example, the current concept of risk appetite is concentrated almost entirely on how loss events impact a firm internally. In contrast, operational resilience is outward-focused – regulators are developing an approach that is interested in understanding how events impact a firm’s customers, other firms, and the financial system as a whole.

Regulators are also expecting firms, through the process of building operational resilience, to make this shift in focus too. For example, the UK Financial Conduct Authority, in its consultation paper, Building operational resilience: impact tolerances for important business services, outlines how firms should identify their important business services. These are not services that are considered essential internally to the operation of the firm, but rather, “services that, if disrupted, would be most likely to cause intolerable levels of harm to consumers, or market integrity.” To identify important business services, firms need to ascertain the users of individual services. In particular, firms need to explore the impact of a loss of a business service on “vulnerable consumers who are more susceptible to harm from a disruption.”

Accelerating the shift
It’s very clear that this change from firms being inward-looking to being outward-looking through operational resilience will be accelerated by the current Covid-19 pandemic. The coronavirus crisis is forcing firms to implement operational resilience at speed in many cases, to ensure they are able to provide products and services for existing customers as well as maintain market integrity. So, although the formal UK regime will not take effect until 2021, operational resilience is no longer just a regulatory imperative. It is a business priority.

In practice, how firms understand operational risk will be transformed as well – operational risk and resilience are connected. To implement operational resilience programmes, firms will need to rethink their risk appetites and frameworks, so that risks and controls don’t just relate to potential harm to the firm, but also harm to individuals, entities, and the financial system as a whole. This goes well beyond conversations about reputational risk and legal risk, which in the end are risks that are inward-looking, as it is the firm that is the focus of the harm. Instead, firms need to think about managing risks and building resilience to prevent harm to customers, other firms, or the financial system as a whole.

This fundamental change in understanding risk is very much in tune with broader societal changes in the wake of the Covid-19 pandemic. After all, in the UK, the public actively sought to prevent harm to others by willingly engaging in a lockdown to protect the NHS. This was often at risk of causing harm to themselves, for example by not being able to work.

Certainly, the nature of what is considered a risk for a financial firm will change, with the inclusion of risks to customer services, services to the vulnerable, and the financial system taking higher priority. The personal accountability of risk owners for harm prevention will likely continue to be enhanced too. It’s also likely there will be much more emphasis on more rapid detection of risk events by the organization, and on agile response to those events. In addition, the correlation of multiple risks, controls and events will need to be analysed in depth, making robust operational resilience software crucial. Spreadsheet-based approaches will struggle to cope in this new environment.

Identifying essential action points
In light of this coming shift, firms should seek to begin to implement operational resilience as soon as possible. Key steps firms can take to do this include:

1. Identify key business services from a customer perspective
2. Assess these for materiality against consumers, markets, firm safety and financial stability
3. Identify the business resources needed to deliver these services, such as people, processes, technology, facilities, IT and third parties
4. Map these resources for each key business service, ensuring it’s complete, accurate, documented and signed-off
5. Define the impact tolerance for each service and produce SLA targets
6. Map this information to existing operational risk data, such as risks, controls, events, and actions
7. Perform a gap analysis on operational risk data versus risks identified through the operational resilience analysis
8. Establish key indicators for each impact tolerance level and source the associated metrics
9. Perform quantitative-based scenario analysis on control failures and stress test the impact of risks occurring

In summary, financial firms need to create operational resilience frameworks, and link these to their operational risk programmes as soon as possible. Not only is this consistent with the regulatory direction of travel, but it is also in alignment with evolving trends in social attitudes in the wake of the Covid-19 pandemic. Finally, it is just good business and risk management practice.

To talk more about the relationship between operational risk and operational resilience please contact us.
