Understanding Operational Resilience
In an era marked by escalating threats such as natural disasters, geopolitical tensions, cyberattacks, and social unrest, an organization’s ability to adapt, react, and maintain operations is crucial. Operational resilience mirrors personal resilience: just as individuals have to navigate unforeseen events, organizations must sustain functionality under pressure.
The Increasing Focus on Resilience
The financial industry is frequently disrupted by crises, from cyberattacks to geopolitical events, and has witnessed profound impacts. A notable incident in 2018 involved a significant IT failure at UK bank TSB, prompting detailed reviews by UK regulators. The Prudential Regulation Authority (PRA), Bank of England (BoE), and Financial Conduct Authority (FCA) jointly issued stringent regulations to mitigate systemic risks and contain potential crises. Similar regulatory frameworks have emerged globally, emphasizing transparency in an environment marked by complexity and ambiguity.
Deciphering Intent and Purpose
Understanding the rationale behind these regulations is fundamental. Recognizing their intent facilitates the development of robust operational resilience mindsets and capabilities across organizations. Operational resilience transcends mere checklists; it is the outcome of effective operational risk management. This presents a unique challenge, as operational risk is often managed in silos, complicating the aggregation and effective management of risk.
Simplifying Regulatory Requirements
Regulations mandate that financial institutions identify their critical services that could adversely impact markets or consumers. Institutions must comprehend the entire service delivery process, set operational thresholds, and continually test these against evolving threats and environmental changes.
Fusion’s Integrated Approach to Resilience
Fusion offers a comprehensive framework built on Salesforce, enabling organizations to assess, manage, and enhance their resilience posture. From risk assessments to contingency planning, Fusion equips organizations to navigate operational vulnerabilities effectively.
The Fusion Framework® System platform offers the foundational modules to manage a business continuity program, which can readily be integrated into an operational resilience platform focused on the delivery of key services. The testing module allows organizations to identify, test, and execute thousands of simulations at the click of a button for the severe but plausible scenarios to which they are exposed. It uncovers previously unknown vulnerabilities and prioritizes them by real business impact (not just size) to strengthen resilience programs in the most efficient way.
The crisis management module allows for incident monitoring and crisis management, integrating seamlessly with any emergency notification tool. The capabilities allow users to identify the business impact, establish the best course of action, and discover how to recover better, all while coordinating and recording all crisis communication.
Fusion’s platform unites all resilience activities under one roof, bringing together integral data to understand critical dependencies, communicate cross-functionally, and use technology to uncover data and program gaps. Ultimately, organizations can use Fusion to ensure they’ll never be caught off guard when (not ‘if’) disasters arise, and recover quickly to deliver on their promise to customers.
Establishing a Framework for Critical Services
Organizations should develop objective frameworks to determine core business services. This approach aids regulators in understanding industry-wide risks and dependencies, a perspective acutely missed during the 2008 financial crisis. The ultimate goal is to manage systemic risks and prevent industry-wide contagion, promoting harmonization across and beyond the financial sector.
Guidelines for Self-Assessment
Regulators expect organizations to conduct self-assessments to gauge where they are on their resilience journeys. A self-assessment is crucial for understanding how robust an organization's operational resilience capabilities are. Organizations must prioritize services and allocate resources accordingly, ensuring that critical functions remain unaffected. Key considerations to address include:
- Continuity strategies for services during crises
- An understanding of internal and external dependencies
- An awareness of risks and vulnerabilities, along with mitigation strategies
- Determining factors that may impair service delivery
A thorough self-assessment should be a dynamic document, updated annually to reflect the evolving organizational landscape.
Core Components of a Resilience Plan
A resilience plan for each critical service should include:
- A detailed overview of the service, including its market role and client base
- An analysis of geographical and operational footprints
- A breakdown of supporting assets and third-party services
- An established and approved impact tolerance statement
- Identified risks and vulnerabilities
- Historical incidents and tested scenarios, alongside investment undertakings aimed at enhancing resilience
Comprehensive Governance and Oversight Framework
The governance of an operational resilience program should outline the structure and roles up to the board level, integrate with risk management practices, and align with organizational risk appetites. Additionally, it should detail the methodologies for establishing and revising impact tolerances and process mappings.
A Comprehensive Approach to Resilience
Regulatory focus is shifting towards comprehensive oversight across jurisdictions. Organizations must demonstrate the impact of their core services from a legal and operational standpoint, a capability built into platforms like Fusion.