Supporting a Global Bank with the implementation of their Operational Resilience Programme
A key priority for regulators in the UK (BoE, PRA, FCA) and similar bodies internationally (BIS) is to put in place a stronger regulatory framework to improve the operational resilience of firms, financial market infrastructures (FMIs) and the financial sector as a whole. They are seeking assurance on the ability of firms (FMIs and the financial sector as a whole) to prevent, adapt, respond to, recover and learn from operational disruptions i.e. capabilities to continue deliver important business services and remain within their impact tolerance during severe but plausible scenarios.
Following on from this regulatory guidance and in particular the December 2019 FCA/PRA Consultation papers, the client set out to establish their Operational Resilience programme to enhance the Bank’s capability and readiness to withstand a major operational disruption. Wavestone was engaged to help establish and implement an effective operational resilience programme for the UK territory.
How did Wavestone help?
Working alongside stakeholders such as the UK CISO, Head of Business Continuity and 2LOD, we worked through the initial phases of the operational resilience methodology set out by the UK regulators. We identified important business services by meeting with key business lines to gather information regarding the impacts of operational disruption on customers, the firm itself and the wider UK financial market.
We subsequently devised a successful 2-step approach for mapping each important business service: mapping the start-to-end process flow for each important business service (one being ‘Cash Management’ for example) and then gathering comprehensive asset information (people, IT applications, data, infrastructure, premises, 3rd parties) about each step.
In parallel, the Wavestone team worked on other key deliverables to support the programme:
- Developed the future operational resilience target operating model (TOM) for the UK territory (aligned with the Group OpRes TOM) and also the operational resilience roadmap (timelines, resource estimates)
- Reviewed operational resilience controls for 2nd line of defence (2LOD)
- Reviewed current operational resilience governance and MI
- Developed ‘severe but plausible’ crisis scenarios
- Identified areas for improvement (‘quick wins’) for current crisis management capabilities
- Created crisis management procedures
The Relationship with the Client
The Wavestone team (1x Manager, 1x Senior Consultant, 1x Consultant) worked closely with the core client team throughout the project and in particular on strategic pieces of work such as the Operational resilience TOM and roadmap including resource estimates.
The team were also quick to react to any project issues by maintaining transparent communications with the core team (e.g. raising risks and identifying mitigation measures as soon as possible). Despite the project taking place during the global pandemic, remote working allowed us to continue on track with delivery and maintain a strong relationship with the core client team. For example, we increased formal catch-ups with the client during the pandemic from weekly to bi-weekly.
Our Unique Approach
Wavestone demonstrated high levels of adaptability by responding quickly to changes in the important business services during the mapping phase. The scope of the important business service changed multiple times which impacted the ongoing mapping work. Once receiving the final direction from the client, Wavestone quickly focus on completing the mapping work for the priority areas in line with the client’s expectations. Strong coordination with different entities allowed us to align everyone towards the same goal in this instance.
The Results
By the end of the project we had completed two of the key phases of any operational resilience programme (IBS identification and IBS mapping) as well as putting in place the foundations for the rest of the programme e.g. operational resilience TOM, governance and analysis of crisis management capabilities.
This work has helped establish the bank’s operational resilience journey in adherence with regulatory guidance and also facilitated alignment with the client’s global operational resilience programme.
The comprehensive mapping has allowed the client to identify key operational dependencies and potential vulnerabilities. The level of detail in the mapping will allow the client to pinpoint exact vulnerabilities following scenario testing.