To strengthen operational resilience, firms should be engaging with scenarios, using risk management software. This blog explores the contribution that a good scenario program could make to understanding vulnerabilities and enhancing resilience.
Scenarios and op resilience go together naturally. Both disciplines are focused on understanding multifactor, exceptional-but-plausible events in more depth, and the impact that such events could potentially have on a financial services firm. Using scenarios as part of an operational resilience program can add considerable richness of understanding and effectiveness in implementation.
Seeing resilience in a new light
However, stepping back for a moment, it makes sense to briefly consider what operational resilience is. According to Nick Strange, Director, of supervisory risk specialists at the Bank of England, in a speech earlier this year, operational resilience is “the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”. For the regulators, operational resilience is an outcome, like financial resilience.
It is absolutely right that global regulators should be focusing on operational resilience in the way that they are, particularly given the new challenges firms face, such as cyber risk. Through considering “operational resilience”, regulators are encouraging firms to think in a more holistic way. For example, sometimes firms can wind up looking at impact controls in an isolated or siloed way. Joining them up by focusing on impact controls within a critical business service paints a different picture. Operational resilience encourages firms to think in terms of the implementation of a collection of controls designed to mitigate both the short- and long-term impact of a loss event on a firm and its stakeholders.
Applying scenarios to deepen understanding
Approaching operational resilience through operational risk methodologies opens the door to applying some of the excellent approaches developed within the op risk discipline over the past two decades. So, while the more traditional application of scenarios is focused on understanding risk and control effectiveness associated with a loss event, scenarios can also be used as part of an operational resilience program, to help firms better understand where impact controls are needed and how effective current impact controls are. It can also be used to identify new risks which may emerge out of the scenario process.
A good place to start is to examine a firm’s risk and control self-assessment (RCSA) data. Using the RCSA data for operational resilience scenarios will enable firms to better understand how risks and controls map to systems and processes within a business services perspective. It should deliver insights into which impact controls are effective, and which are not, on the ground.
Key risk indicators (KRIs) and key control indicators (KCIs) should deliver the same sort of intelligence – understanding of what risks are materializing within business services, and how effectively impact controls are operating. Using RCSAs, KRIs and KCIs in this way will ground an operational resilience scenario exercise in reality, creating a credible desk-top exercise for testing the effectiveness of the program. Scenarios can be used to create an effective approach to operational resilience, or to challenge an existing one.
Scenarios are useful within operational resilience programs in other ways too. For example, using scenarios will force the firm to think about multiple risks occurring as part of the same event scenario, rather than just thinking about one risk event in extremis. This is very important – in real life, a large risk event often brings along with it a range of other risk events at the same time, or in quick succession. For example, a cyber attack could bring down the online banking platform, which then produces pressures on the bricks-and-mortar branches, as well as on the telephone banking platform, making an operational risk event much more likely to emerge in those areas of the business. Scenario workshop exercises encourage this kind of connected thinking.
A third area where scenarios are helpful is in creating communications plans. Operational resilience best practice today encourages firms to draft communications to stakeholders such as customers, shareholders and regulators in advance of an event happening. Communications can be difficult to compose in the heat-of-the-moment, and preparing them in advance enables language to be considered from multiple perspectives to ensure the right message is getting across. Scenarios can help organizations identify the kinds of communications they should consider preparing, as well as what their content should be. For example, in the case of the online banking failure, how should customers be redirected to other service platforms?
In short, firms would certainly be missing a trick if they failed to use scenarios within their operational resilience programs. Scenarios can provide important insights on both the strengths and weaknesses of operational resilience programs in the real world, ultimately improving those programs and enabling firms to deliver value in a robust and consistent way.
To learn more about how scenarios can be used to improve operational resilience, speak to the experts at RiskLogix.