I visited many organizations throughout 2022 and observed varying maturity levels in programs on their journey to addressing regulatory and policy requirements related to Operational Resilience. The maturity varies across program structure/ownership, assessment and testing practices, alignment with other disciplines, tooling, and taxonomy standardization.
Generally, global firms with a heavy presence in the U.K. and the EU operate with dedicated teams who work with the organization and local regulators to address the requirements that have been established by the Bank of England (BoE), Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA), and other EU-based authorities.
This year, we expect to see organizations in other jurisdictions like the U.S. ramp up with new teams and leaders or broaden the scope of responsibility within existing teams to implement new internal policies, practices, and tooling to manage principles related to Operational Resilience.
This past year, we also saw increased interest from organizations outside of banking and financial services in learning how to apply operational resilience concepts within their programs. In 2023, we will continue to see more non-financial services companies adopt operational resilience concepts and frameworks. After all, Operational Resilience is not limited to the financial services industry.
These organizations will develop a deeper understanding of how their business operates from a top-down or customer-facing perspective, map their important business services end-to-end (including critical third parties), and increase their focus on identifying and testing the top scenarios that may cause intolerable harm to their customers, their firm, or the market.
Breaking Down Silos
A theme from the past year that we expect to continue in 2023 is organizations increasing efforts to align disparate programs, teams, data, and metrics.
For example, some organizations in the U.K. have dedicated teams that own the operational resilience initiatives in response to the local regulators but need more collaboration with other disciplines like Business Continuity which may operate from different geographies.
There are multiple ways that companies are addressing these types of challenges. We’re observing organizations establish cross-functional steering committees that involve teams/leaders from Operational Resilience, BC/DR (Business Continuity/Disaster Recovery), Cybersecurity, and Third-Party Risk – or consolidating some of those programs under a centralized structure.
Common goals are to:
- Increase cross-functional transparency and knowledge
- Align methodologies, metrics/definitions, program schedules, and assessment practices
- Ensure consistent organization and process taxonomies
Maturing global firms recognize the need to improve connectivity, interaction, and integration of thinking when it comes to their risk data and programs, which requires strong coordination across top leadership. As evidence, I’ve worked with multiple organizations that recently implemented new senior leadership roles that own Operational Resilience – for example, a Global Head of Resilience or a Chief Resilience Officer. Companies establish these senior leadership roles to change the culture towards risk and resilience, coordinate board and regulatory reporting across multiple risk disciplines, oversee global program activities, introduce new or updated internal standards, and establish cross-functional governance committees. This level of transformation takes time, strong leadership, and vision to navigate politics, build relationships, change behavior, and develop new capabilities that are necessary to achieve resilience beyond compliance requirements.
We also expect to see resilience leaders holding a more prominent seat at the table for decisions related to proposed strategic projects like digital transformation, geographic expansion/consolidation, and third-party initiatives (vendor selection or rationalization). The intent is to establish “resilience-by-design” in strategic investments and critical projects.
Increased Focus on Third-Party Risk Management
As firms begin more comprehensive scenario testing to identify their top vulnerabilities, they will increase focus on their third parties and the level of resilience that those vendors can provide, including validation of those capabilities.
This year, we expect resilience teams to play a more prominent role throughout the third-party management lifecycle to help the first line properly assess potential third-party providers’ risk and resilience postures as well as enforce more rigorous monitoring of existing relationships for the most critical third parties.
Another recent driver of increased focus on third parties is the Digital Operational Resilience Act (DORA). The EU parliament passed this act this past November, officially making it a legal reality for organizations with an aggressive implementation timeline and final compliance by 2024. The DORA requires firms to properly identify, risk-assess, and monitor the critical third parties that manage their data or that provide information and communication technologies (ICT). Organizations will need to pay more attention to third-party risk screening, due diligence, and monitoring.
With all of the supply chain disruptions and vendor-related cybersecurity breaches in the past few years, third parties will become a more significant part of organizations’ resilience initiatives this year, including joint scenario testing with critical vendors.
Leveraging Advanced Technologies
Today, most firms use manual service-based self-assessments, process-based business impact analyses (BIAs), and operational risk assessments to identify impact tolerances and key risks or scenarios that can impact their business and cause potential harm.
This year and in the future, we expect firms to incorporate advanced technologies like AI (Artificial Intelligence) and ML (Machine Learning) to produce predictive analytics and support “what-if” modeling and data-driven simulations. These advanced technologies are even more effective when complemented by larger volumes of real-world data provided by third-party risk/hazard monitoring services. This level of tech and data-driven horizon scanning will grow in importance as a part of the tooling suite that resilience teams rely upon to proactively identify the most concerning risks and events that will cause disruption.
Common Pain Points
Many companies face significant challenges when defining a shared vision about what resilience means to the organization. Traditionally, operational risk, cybersecurity, IT DR (information technology disaster recovery), compliance, and business continuity programs operate in silos. Each program may maintain different definitions of what risk means to the business and measurements that determine what is considered red, amber, and green. The assessment scales, processes, tools, and taxonomies often differ also.
On top of those widely recognized challenges, the regulatory-driven concepts and principles of Operational Resilience introduce new considerations and requirements. Especially for those in regulated industries, the new obligations often require additional work to produce regulatory submissions against a specific compliance timeline. So, not only is there a pain point of breaking down silos, but also the need to align and share data in a way that makes sense so that the firm can advance toward Operational Resilience.
Operational Resilience is much more than just a compliance activity. It aims to develop a more harmonized view and deeper understanding of how the business operates and delivers essential products/services end-to-end, including identification of the top vulnerabilities and risk scenarios that could impact those important products/services with intolerable levels of harm.
I have met with many resilience leaders in organizations, and they voice these types of pain points time and time again, regardless of their industry. These leaders recognize that the challenges in establishing this cohesive view are not solely technology or data related. Program structure, leadership, jurisdictions, and other issues inhibit the organization’s progress toward Operational Resilience.
In its most simple form, C-suite leaders and the board want to understand how the business works, how it may break, what the company is doing to prevent disruption, and what it will take to put it back together again. But developing this level of understanding is nearly impossible if the organization operates in disconnected program silos and data islands and also produces inconsistent reporting/classification of risks.
Taking Proactive Steps to Prepare for Future Risks
Mature programs and companies fully appreciate that they must bring more risk disciplines and data together to view and manage their risk comprehensively. A “Resilience Hub” or platform is a best-practice approach that we see many firms take to develop a common operating language and to centralize all management, protection, and reporting against their important business services. Resilience teams need to show the value of their program to their executive team, which happens when they have a better understanding of how to keep their business running, no matter what.
So, as we welcome new challenges and opportunities in 2023, Operational Resilience will continue to be a key focus for all organizations, regulated and non-regulated alike. Learn how Fusion can help you along your resilience journey by contacting your Account Manager or requesting a demo today.