Operational Resiliency – What You Already Know Within Operational Risk


The Bank of England and Financial Conduct Authority’s discussion paper, Building the UK financial sector’s operational resiliency, may seem like it is developing a whole new approach to the management of significant events. However, the reality is that “resiliency” has been a part of the practice of both operational risk and business continuity for a very long time.

Understanding operational resiliency

Resiliency is a word that is being used more and more by the world’s regulators, particularly when discussing the management of cyber risk. The European Banking Authority addressed many of the issues contained in the UK regulators’ discussion paper in a recent speech. These issues are also firmly on the agenda of the Financial Stability Board and the Basel Committee on Banking Supervision, both of which look at the resiliency of financial firms from a systemic viewpoint.

The term has long been used within the business continuity discipline. The discipline regards it as impossible to plan for specific individual events – there is an infinite variety of “what can happen”. However, it is possible to create overall organizational resiliency to withstand types of impact. Resiliency as an approach within risk management was discussed a few years ago by Nassim Nicholas Taleb in his book Antifragile: Things That Gain From Disorder.

The UK regulators’ discussion paper, at first blush, seems to create a whole new regulatory framework that firms will have to comply with in order to create resiliency within specific business services. Business services are those which, if disrupted, could lead to significant loss of customers, major financial loss, or reputational damage.


Where to begin

However, firms should be aware that they are not starting from scratch. Most will be able to create an operational resiliency framework out of their existing operational risk and business continuity programs. What is required is a gap analysis. To understand where there may be gaps between their existing operational risk and business continuity approaches and operational resiliency, firms should explore the following six key activities:


1. Make a list of the key business services in the organization, and assess how much business disruption could be tolerated, and under what circumstances. One way to explore this is to look at the firm’s risk appetite as it relates to these key business services. While the discussion paper talks about “impact tolerances”, this really is another term for “risk appetite.” What are the key risks related to disruption? What controls are currently in place? How much risk is the firm willing to tolerate?

2. Next, the regulator is asking firms to map the systems and processes that support these key business services. Some firms may already have such maps in place for risk management purposes. Firms need to be aware that they must map both their internal systems and processes and those of their third-party providers as they relate to the business services. They must also map processes conducted by entities that are within the same overall group but which are physically in another jurisdiction. What are the key points of weakness? Is there a concentration risk in third parties – such as cloud service providers – across the organization that could weaken processes?

3. Firms are asked to understand how the failure of a system or process could impact the overall business service. Again, most firms will already have conducted scenario analysis for events such as pandemics, terrorism, cyber attacks, and natural disasters. Firms will also have conducted RCSAs (risk and control self-assessments) which address these issues. This information can go a long way towards addressing regulators’ information needs in these areas. What does existing risk management intelligence say about the firm’s potential vulnerabilities? Are there places where risk management intelligence needs to be bolstered?

4. Firms should regularly test the controls they have in place around business continuity and disaster recovery. This should include scenario testing – for example, a mock earthquake or cyber attack. What testing does the firm have in place at the moment? Is the testing adequate to identify potential vulnerabilities or control weaknesses?

5. The ability of a firm to respond to and recover from disruptions is directly related to the appropriateness of the investment it has made in systems, controls, management, and training. Boards of directors and senior management need to have the right risk intelligence to be able to make these investment decisions. How good is the firm’s risk reporting? How well does it crystallise the case for investment when it is needed?

6. There are several different kinds of communication involved here. How robust are the firm’s communication plans with key stakeholders in the case of an event? Do internal plans have escalation paths and identified decision makers? Do external communication programs engage with customers, regulators, and the industry in the right way? How strong are the firm’s communication programs about the potential for these events occurring, and the related risks and controls?

These six activities are the foundational activities required to build an operational resiliency framework. To learn more about how existing operational risk and business continuity approaches, practices, and intelligence can be leveraged to develop an operational resiliency framework, explore risk management software from RiskLogix.
