Thanks to the significant impact that the COVID-19 outbreak is having on financial services firms, it’s likely that UK regulators will move quickly to implement their operational resilience agenda. Boards, C-suites and risk teams are asking – how can their firms ramp up quickly?
The focus on operational resilience by UK regulators since July 2018 seems prescient now, in the wake of the outbreak of the coronavirus. It may have been concerns about computer viruses and other kinds of cyber risks that sparked the initial conversations about operational resilience (OpRes), but the impact of the recent pandemic on firms is now putting operational resilience at the top of agendas. And the question that organizations are asking themselves is: “How do we do operational resilience?”
The answer to this question should be an easy one for the operational risk discipline. It has been here before – firms need to operationalise best practices to create a sustainable approach to operational resilience.
At the moment, best practices are being shaped by both the regulators and experts in operational risk. It’s important to understand what both of these groups mean when they talk about operational resilience – while it builds on some aspects of operational risk, they are not the same thing. In fact, some firms appear to regard operational resilience as another risk category, but it is not.
UK regulators define operational resilience as “the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”. For the regulators, operational resilience is an outcome, like financial resilience, and it is the outcome of risk and organisational processes.
This fundamental point is crucial to avoid taking a completely wrong approach to this emerging discipline. From this base, regulators and industry experts are developing best practices. The UK Financial Conduct Authority (FCA) has published two papers – a discussion paper on operational resilience in July 2018, and a consultation paper in January 2020. Among other things, the recent consultation paper asks firms to identify important business services; set impact tolerances; perform mapping, self-assessments, and scenario testing; enhance management of third party relationships; and develop good communications strategies and governance frameworks.
Being able to react faster
Much of this may sound familiar – it’s clear that the regulators have built significantly on operational risk best practices in constructing their approach to operational resilience. They also want to see an ongoing relationship between the two disciplines. From a practical point of view for firms, a key challenge is developing and mapping operational risk processes into the requirements for operational resilience. Another key challenge is that firms will need to become nimbler in how they ingest important data for both – such as incidents and key risk indicator threshold breaches – and then respond to those.
In this “new normal”, it’s clear that manual processes based on spreadsheets are not agile enough to cope with the new information demands that the business, senior management, and the C-suite will have. So-called “end of the month” reporting will no longer be enough, either – firms will need to know instantly if there has been an incident, or a key indicator has been breached. In short, software is now required that can link operational risk and operational resilience together. It’s also important to note that these manual processes are not, in themselves, operationally resilient.
Firms should be seeking to operationalise best practices for OpRes, connect operational risk with operational resilience, and also make their approach to all of this as resilient as possible. Firms’ best practices should be designed to meet both business and regulatory requirements, and operationalised through the use of technology to:
• Create a library of business services, mapped to entities, business lines, locations, and supervisory bodies
• Utilize assessment criteria to judge materiality against impact categories such as customer services, markets, financial stability
• Identify impact tolerances for each activity and map these to the above identified impact categories
• Develop libraries of risks and controls against important business services
• Design key indicators for important business services, and create an instant workflow to provide rapid communication of incidents and key indicator threshold breaches across the business
• Undertake scenarios to investigate the impact sensitivity of changes in risk and control profiles to operational resilience outcomes
By connecting operational risk and operational resilience together in a resilient way that incorporates best practices, financial services firms will be able to build more robust processes, react faster, and deliver essential information to key stakeholders.
To discuss operational risk or operational resilience further with RiskLogix, please contact us.