Operational resilience: Embracing best practices at pace


Thanks to the significant impact that the COVID-19 outbreak is having on financial services firms, it’s likely that UK regulators will move quickly to implement their operational resilience agenda. Boards, C-suites and risk teams are asking – how can their firms ramp up quickly?

The focus on operational resilience by UK regulators since July 2018 seems prescient now, in the wake of the outbreak of the coronavirus. It may have been concerns about computer viruses and other kinds of cyber risks that sparked the initial conversations about OpRes, but the impact of the recent pandemic on firms is now putting operational resilience at the top of agendas. And the question that organizations are asking themselves is: “How do we do operational resilience?”

Operationalising OpRes
The answer to this question should be an easy one for the operational risk discipline. It has been here before – firms need to operationalise best practices to create a sustainable approach to operational resilience.

At the moment, best practices are being shaped by both the regulators and experts in operational risk. It’s important to understand what both of these groups mean when they talk about operational resilience – while it builds on some aspects of operational risk, they are not the same thing. In fact, some firms appear to regard operational resilience as another risk category, but it is not.

UK regulators define operational resilience as “the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”. For the regulators, operational resilience is an outcome, like financial resilience, and it is the outcome of risk and organisational processes.

This fundamental point is crucial to avoid taking a completely wrong approach to this emerging discipline. From this base, regulators and industry experts are developing best practices. The UK Financial Conduct Authority (FCA) has published two papers – a discussion paper on operational resilience in July 2018, and a consultation paper in January 2020. Among other things, the recent consultation paper asks firms to identify important business services; set impact tolerances; perform mapping, self-assessments, and scenario testing; enhance management of third party relationships; and develop good communications strategies and governance frameworks.

Being able to react faster
Much of this may sound familiar – it’s clear that the regulators have built significantly on operational risk best practices in constructing their approach to operational resilience. They also want to see an ongoing relationship between the two disciplines. From a practical point of view for firms, a key challenge is developing and mapping operational risk processes into the requirements for operational resilience. Another key challenge is that firms will need to become nimbler in how they ingest important data for both – such as incidents and key risk indicator threshold breaches – and then respond to those.

In this “new normal”, it’s clear that manual processes based on spreadsheets are not agile enough to cope with the new information demands that the business, senior management, and the C-suite will have. So-called “end of the month” reporting will no longer be enough, either – firms will need to know instantly if there has been an incident, or a key indicator has been breached. In short, software is now required that can link operational risk and operational resilience together. It’s also important to note that these manual processes are not, in themselves, operationally resilient.

Firms should be seeking to operationalise best practices for OpRes, connect operational risk with operational resilience, and also make their approach to all of this as resilient as possible. Firms’ best practices should be designed to meet both business and regulatory requirements, and operationalised through the use of technology to:

• Create a library of business services, mapped to entities, business lines, locations, and supervisory bodies

• Utilize assessment criteria to judge materiality against impact categories such as customer services, markets, and financial stability

• Identify impact tolerances for each activity and map these to the above identified impact categories

• Develop libraries of risks and controls against important business services

• Design key indicators for important business services, and create an instant workflow to provide rapid communication of incidents and key indicator threshold breaches across the business

• Undertake scenarios to investigate the impact sensitivity of changes in risk and control profiles to operational resilience outcomes

By connecting operational risk and operational resilience together in a resilient way that incorporates best practices, financial services firms will be able to build more robust processes, react faster, and deliver essential information to key stakeholders.

To discuss operational risk or operational resilience further with RiskLogix, please contact us.
