Operational resilience: a new approach to managing cyber, tech and sourcing risk

The financial services sector has often led the way in shaping thinking about how to manage risk. In the UK its latest focus, thanks to the Financial Conduct Authority, Prudential Regulation Authority and Bank of England, is operational resilience. This concept is one that anyone in, or interacting with anyone in, the financial services sector needs to know about.

What is Operational Resilience?

Part and parcel of crisis planning

In days that are long gone, the focus was mainly on trying to prevent cyber attacks, data breaches, and system, process and third party service failures. Nowadays, most people accept that these types of events are bound to happen. Crisis plans and teams are now in place across many organisations, primed and ready to respond to all kinds of risk scenarios.

However, in many cases, approaches still focus on the risk relating to individual systems, processes or events. Stakeholders are incentivised to look after only what is within “their” areas, and the potential impact of events on customers, suppliers, the wider market and other third parties is too often left to be determined at the point of crisis, rather than beforehand.

Shaking things up

Operational resilience shakes things up. It requires financial services firms to take a more holistic, clearly-evidenced, outcomes-focused approach to making themselves ready to “resist and respond” to disruption to their operations. The way in which they judge disruption needs to be set by reference to clear impact tolerances i.e. the point at which the disruption to each of the firms’ services to their customers and the wider market becomes intolerable.

Protecting continuity of services – a cultural change

The focus is on protecting the continuity of the services that firms deliver to customers and others (known as “business services”), i.e. thinking about “business service outage”, not just “system outage”; thinking about the “end-to-end business service”, not just the “end-to-end system or process or outsourced service”.

For many organisations, this will require significant cultural change and the bringing together of previously siloed parts of the business to speak a common new language.

Consultation papers on Operational Resilience

Regulatory proposals
A few days ago, in their long-awaited package of papers proposing new rules and guidance on operational resilience, the UK financial services regulators proposed key activities to improve operational resilience. For regulated firms, these may become rules; for others, they may become a new benchmark of good practice.

1. Governance. Clearly articulate governance and responsibility for operational resilience (for many regulated firms, this will be done as part of their Senior Managers and Certification Regime framework).
2. Business services. Identify your important business services at a sufficiently granular level.
3. Mapping. Identify and document the people, processes, technology, facilities and information necessary to deliver each important business service.The purpose of this mapping is to identify and remedy vulnerabilities and enable effective scenario testing. This is much easier said than done.
4. Impact tolerances. Assume disruption will happen and set a disruption tolerance level for each important business service. Impact tolerances should generally be set at the first point at which a disruption would cause an intolerable level of harm to, for example, customers or market integrity. It will be crucial to be SMART about how impact tolerances are set and monitored. 
5. Scenario testing. Carry out regular tests of your ability to remain within impact tolerances. Scenarios should be severe but plausible, and lessons should be learned. Any existing crisis plans will need to be reviewed and tested regularly to ensure that they remain adequate.
6. Communications. Implement “fast and effective” communications strategies for internal and external communications.
7. Document, document, document. Among other things, prepare and regularly update self-assessments to evidence compliance with operational resilience rules. These self-assessments must be reviewed and approved at board level regularly and could be requested by the regulators at any time.

What happens next?

The regulators are inviting feedback on their proposals until 3 April 2020. They aim to finalise their rules by the end of next year and for most of them to take effect in late 2021 although full compliance is not expected until 2024.

In order to properly understand the impact of the proposed rules, firms will need to have a proper handle on what operational resilience means for them. As well as requiring input from internal stakeholders across a very broad spectrum, they may also need to seek feedback from third parties, including those within their supply chain or on whom they will rely to assist with the implementation of operational resilience programmes or in the event of a crisis.

Even in the short term, regulators’ keen focus on the proper management of third-party services is likely to increase. This makes it crucial for teams to be seen to be undertaking proper vendor assessment, selection and management, as well as ensuring that any in-house functions responsible for procurement, assessment, strategic integration and management of third-party services are adequately resourced, experienced and performing. As always, it will be important to ensure that appropriate diligence has been carried out – and continues to be carried out throughout the procurement lifecycle – on vendors, and that appropriate contractual protections are not just in place, but also tested and used in practice. This will be particularly challenging against a background of increased cloud-usage and the drive for innovation and automation.