Industry websites are brimming with dos and don’ts and successes and failures pertaining to building more resilient operations, creating resilient cultures, and architecting the systems that support them. Undoubtedly, resiliency is the strategy du jour with a looming regulatory mandate, particularly when disaster has become a matter of course. But where are firms in their journey to implementing more resilient operations? What will become of operational resiliency after the UK's March 2022 operational resilience regulatory milestone?
Building on our 2021 roundtables where we examined how firms are revisiting their approaches to operational resilience, this March we gathered a community of executive leaders in financial services to examine how firms are putting that thought into practice and adapting their culture, processes, and systems to build a more resilient tomorrow.
We’re excited to share with you what we learned from the discussion, including which regulatory perspectives and best practices leaders believe will stick around – from journey mapping to digital investments to building true business agility.
1. Operational Resilience is the New Operating Model for the Modern Enterprise
Rather than being seen as a check-in-the-box exercise, operational resilience is being widely embraced as the new operating model required to deliver important services and products to customers and markets reliably despite the disruptions and service degradations seen so frequently today.
The January joint FCA/PRA/Bank of England operational resilience webinar spoke to the value of this new operating model in depth:
“The policy we introduced last March seeks to drive better outcomes for consumers, clients, and markets. Otherwise, disruptions could harm market integrity, create potential instability in the financial system or threaten the viability of firms. We’ve designed the operational resilience policy to help you help yourselves. While we know that complying with it will take considerable time and investment, you are to an extent future proofing your business. You’re investing to make sure your important business services can withstand the unknown. And in case of any material disruption, can be recovered in a timely manner to minimize impact to consumers. That future proofing element is vital because you can’t always predict what is going to happen.
Disruption is inevitable. And in the 10 months since we’ve published the policy, we have seen that borne out. In that time, we’ve seen customers unable to access their money. Some of the world’s most significant websites becoming unavailable and worrying vulnerabilities arising that may have been exploited by malicious actors. Time and again, we are being reminded that the threats to your ongoing business services are real, evolving and may even be increasing. It’s your readiness, therefore, that determines the outcome.”
–Suman Ziaullah, Head of Technology Resilience and Cyber, FCA
And while many firms have conducted their baseline exercise of identifying and mapping important services as a part of the core attestation exercise for the UK regulators, there is broad acknowledgement that operational resilience is just good business practice. Described as the map of your living and thriving enterprise, many of these activities must be conducted in perpetuity to accommodate:
- Managing the introduction of new products and services
- Material changes to operations, organization structure, or changes to a key vendor relationship
- Revisiting impact tolerances as services and value chains evolve
- Assessing severe but plausible scenarios in light of new threat intelligence and horizon scanning activity
Dynamic service maps, horizon scanning, and real-time simulation capability are quickly becoming the new table stakes for creating and evolving services and products that are truly resilient by design.
2. Resiliency Tops Board and Executive Agendas
The majority of leaders reported vigorous board engagement on operational resilience and strong support from first-line business leaders. Fueled in part by the regulatory mandate for board- and executive-level sign-off, leadership teams are newly embracing the end-to-end view of the value chain that operational resilience provides, connecting the dots in ways they haven’t been able to before.
The new UK regulatory policy packages practices long in play and strings them together in new ways. This allows many firms to readily adapt these familiar but transformed concepts (such as customer journey maps, scenario thinking, tabletop exercises, etc.) into the new language of the firm.
The test for many will be whether this focus can be sustained in the long term and leveraged to achieve a fundamental shift in operating culture, particularly in a climate where firms are grappling with an ever-increasing number of stressors.
3. Digital Transformation Efforts are Accelerating
Many firms have made sizable investments in collecting the insights necessary to get their firms to the March regulatory attestation requirement. Firms – as well as their broader operating environment – are never static, and without the proper tools and insights, maintaining a current picture of risk and resilience posture remains an insurmountable task.
Further, many leaders cited global complexities, challenges with managing subsidiaries, varied business units, and obligations to matrixed jurisdictional requirements.
Third parties are also a huge consideration, and many leaders reported drawing a distinction between what is required to be compliant versus what is required to be sufficiently comfortable with how third parties and their third parties are prepared to handle the inevitable risks and events that have become so commonplace.
“You are only as strong as your weakest link.”
Third parties don’t always comply or know how to comply. Large suppliers pose a particular hazard, hastening the development of regulations such as the EU’s Digital Operational Resilience Act (DORA). While most agree there is some opportunity to standardize assessment and testing requirements for common operationally significant suppliers (and regulators may prove to be a useful partner in this regard), there will always be a need to understand the specific requirements and vulnerabilities posed by a third party’s relationship with your individual firm’s business services and relationship with customers.
For this reason, ecosystem resilience is seen to be a highly iterative and interactive exercise. “Not a one-trick pony” and “not a one-size-fits-all” were phrases articulated throughout the discussion. And while consortium groups such as ORX and, newly, SIFMA are crowdsourcing scenario libraries that can be useful in scenario design and simulation, firms need to carefully and regularly calibrate their scenarios to provide the greatest strategic foresight and practical application without ending up down the proverbial rabbit hole.
4. Firms Must Navigate the Tradeoff Between Demonstrating Evidence of Planning and the Need for Greater Business Agility
The discussion with risk and resilience leaders started by acknowledging the need for rigorous self-assessment, both from a regulatory and best practice viewpoint. Universally, the roundtable leaders see this as a real opportunity to highlight those business risks that need to be addressed. As we experience daily, this is far from a point-in-time exercise. Firms and threats are in a constant state of flux, requiring techniques and toolsets for effective horizon scanning and operationalization of response.
“Who had war in their bank’s list of severe but plausible scenarios?”
As with any insights initiative, it’s easy to get overwhelmed and try to boil the ocean. The roundtable recommendation was to start with identifying the triggering conditions (loss of places, people, processes, systems, data, and/or third parties) and map them back to real scenarios that could reliably trigger the conditions.
“If something happens, do you have the infrastructure to deal with it? What are your triggers, and are you able to tolerate the stress on your operations?”
Furthermore, triangulating real-time operational and situational insights through the use of data integration helps firms isolate changes that signal trouble before it escalates, presenting a map of your threat landscape in a cohesive way that helps put best response into practice.
5. Data-informed Agility Supports Every Member of Your Team
One executive described the evolution of risk and resilience as becoming the insights engine that fuels the decision-making of the enterprise at large.
“We are developing what essentially is… the firm in a box.
We learn from the questions people are asking.
From that, we discern what we can answer now, identify gaps, and evolve our practice over time. We’re addressing the needs of all parties in the organization – the CEO, the COO, the front line. The idea is not to have this for just one audience. This is a powerful strategy that helps you not only answer the questions that people are asking, but also helps you drive conversation about vulnerabilities and opportunities that may not have even crossed their radar.”
While the regulatory framework for operational resilience is a sound foundation that guarantees a minimum standard of resiliency across the ecosystem, tapping into the questions your business leaders are asking, paying attention to the customer journey, and pivoting in response to what is unfolding in real time allows your organization to navigate the ebbs and flows in protracted crisis.
Conclusion
In the ongoing climate, there is great crisis but also great opportunity. The rise of operational resilience, digital transformation, and greater business agility is making many ponder how we ever did without these essential frameworks and toolsets that help us better understand how we deliver value for our customers.
Want to see what a firm-wide journey to greater resiliency of operations looks like? Join our webinar this week to find out what we learned about key attributes of successful operational resilience transformation, the role of operational intelligence, and what steps organizations can take now to aid in their recovery from sustained disruption.