Operational resilience: Why scenario analysis should be an essential ingredient

  • Subscribe to updates

  • Privacy
  • This field is for validation purposes and should be left unchanged.

To strengthen operational resilience, firms should be engaging with scenarios, using risk management software. This blog explores the contribution that a good scenario program could make to understanding vulnerabilities and enhancing resilience.

Scenarios and op resilience go together naturally. Both disciplines are focused on understanding multifactor, exceptional-but-plausible events in more depth, and the impact that such events could potentially have on a financial services firm. Using scenarios as part of an operational resilience program can add considerable richness of understanding and effectiveness in implementation.

Seeing resilience in a new light

However, stepping back for a moment, it makes sense to briefly consider what operational resilience is. According to Nick Strange, Director, of supervisory risk specialists at the Bank of England, in a speech earlier this year, operational resilience is “the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”. For the regulators, operational resilience is an outcome, like financial resilience.

It is absolutely right that global regulators should be focusing on operational resilience in the way that they are, particularly given the new challenges firms face, such as cyber risk. Through considering “operational resilience”, regulators are encouraging firms to think in a more holistic way. For example, sometimes firms can wind up looking at impact controls in an isolated or siloed way. Joining them up by focusing on impact controls within a critical business service paints a different picture. Operational resilience encourages firms to think in terms of the implementation of a collection of controls designed to mitigate both the short- and long-term impact of a loss event on a firm and its stakeholders.

Applying scenarios to deepen understanding

Approaching operational resilience through operational risk methodologies opens the door to applying some of the excellent approaches developed within the op risk discipline over the past two decades. So, while the more traditional application of scenarios is focused on understanding risk and control effectiveness associated with a loss event, scenarios can also be used as part of an operational resilience program, to help firms better understand where impact controls are needed and how effective current impact controls are. It can also be used to identify new risks which may emerge out of the scenario process.

A good place to start is to examine a firm’s risk and control self-assessment (RCSA) data. Using the RCSA data for operational resilience scenarios will enable firms to better understand how risks and controls map to systems and processes within a business services perspective. It should deliver insights into which impact controls are effective, and which are not, on the ground.

 

Key risk indicators (KRIs) and key control indicators (KCIs) should deliver the same sort of intelligence – understanding of what risks are materializing within business services, and how effectively impact controls are operating. Using RCSAs, KRIs and KCIs in this way will ground an operational resilience scenario exercise in reality, creating a credible desk-top exercise for testing the effectiveness of the program. Scenarios can be used to create an effective approach to operational resilience, or to challenge an existing one.

Scenarios are useful within operational resilience programs in other ways too. For example, using scenarios will force the firm to think about multiple risks occurring as part of the same event scenario, rather than just thinking about one risk event in extremis. This is very important – in real life, a large risk event often brings along with it a range of other risk events at the same time, or in quick succession. For example, a cyber attack could bring down the online banking platform, which then produces pressures on the bricks-and-mortar branches, as well as on the telephone banking platform, making an operational risk event much more likely to emerge in those areas of the business. Scenario workshop exercises encourage this kind of connected thinking.

A third area where scenarios are helpful is in creating communications plans. Operational resilience best practice today encourages firms to draft communications to stakeholders such as customers, shareholders and regulators in advance of an event happening. Communications can be difficult to compose in the heat-of-the-moment, and preparing them in advance enables language to be considered from multiple perspectives to ensure the right message is getting across. Scenarios can help organizations identify the kinds of communications they should consider preparing, as well as what their content should be. For example, in the case of the online banking failure, how should customers be redirected to other service platforms?

In short, firms would certainly be missing a trick if they failed to use scenarios within their operational resilience programs. Scenarios can provide important insights on both the strengths and weaknesses of operational resilience programs in the real world, ultimately improving those programs and enabling firms to deliver value in a robust and consistent way.

To learn more about how scenarios can be used to improve operational resilience, speak to the experts at RiskLogix.

Related Posts

Effective business continuity & operational resilience are both outcomes of good risk management
There has been some debate whether Operational Resilience (OpRes) and Business Continuity Management (BCM) are the same discipline, different disciplines, or similar areas but with differing degrees of granularity. It is arguable that OpRes is customer centric in that it looks at the threats and vulnerabilities to the services provided to the customer, whereas BCM …

Effective business continuity & operational resilience are both outcomes of good risk management Read More »

Digitising Risk Management – Time to ditch the spreadsheet
It is a recognised issue in the industry that the most widely-used risk management software tool is actually provided by Microsoft – and it’s called Excel. And it’s only a partial solution – at best While tier one financial institutions have been early adopters of large, complex risk management software solutions, due to both sophistication …

Digitising Risk Management – Time to ditch the spreadsheet Read More »

Long term value from ESG – the Importance of embedding a true ESG culture in your organisation
ESG, Environment, Social, Governance reporting seems like a good thing!  Being associated with ESG practices has a positive effect on the brand, which helps organisations to sell more products and services. Meta-analysis of over 1,000 studies published between 2015 and 2020 conducted by NYU Stern and Rockefeller Asset Management found a strong correlation between ESG …

Long term value from ESG – the Importance of embedding a true ESG culture in your organisation Read More »