The ever-increasing focus on operational resilience has led financial institutions to examine their frameworks, policies, and processes at every level of the organisation. What started as a compliance-driven exercise to meet the expectations of UK regulators is evolving into something at the heart of everything operational.
Most firms set up a dedicated programme to prepare for the then-new regulation, putting operational resilience front and centre for senior management and the board of directors. From the outset of these programmes, gaps were highlighted, but many synergies with other ongoing initiatives were also spotted. Cyber resilience initiatives are a good example of both: while effort went into making IT more resilient, the end-to-end business workarounds (such as manual processes) were starting to lag behind.
Three trends emerged on the market:
1. Pushing for rationalisation and its key success factors
Bringing all resilience-related initiatives under one umbrella was quickly identified as a necessity: to increase efficiency, to limit the time demanded of subject matter experts (SMEs) being solicited on several fronts, and to leverage existing capabilities to address threats without "reinventing the wheel".
We found that many firms specifically put forward the following rationalisation challenges:
How to efficiently build IT resilience solutions that can simultaneously cover numerous different businesses?
Many firms moved to consolidate their IT initiatives into a single IT remediation stream of the operational resilience programme. These initiatives include the cyber resilience strategy, core infrastructure resilience, server recovery, IT crisis management, and survival-phase solutions (digital workplace solutions, whitelists, data vaults, etc.). The aim is to have a consolidated view of business requirements and to continuously optimise solutions so that each covers as many businesses as possible.
How to best approach all testing programmes, and merge them into one?
Operational resilience programmes are increasingly aiming to compile a single list of scenarios to test, at different levels of severity, and to use all results in a consolidated way to measure the firm's ability to withstand those threats. Firms are also considering extending this view to link it to every other type of testing, per type of resource (e.g., IT component testing, communications testing, etc.), so that all tests ultimately inform them about the resilience of critical activities.
What operational resilience tooling strategy to adopt?
Most firms favoured a single pane of glass for a holistic view, i.e., a single tool and data model compiling an inventory of all services, their underlying assets, existing resilience solutions, and the associated testing and results. The merit of this strategy remains to be examined: tool implementations are still increasing, and their use will most likely have implications for the strategy and for the data model itself.
What structure to implement? Should BCM divisions be embedded into a new operational resilience function, or vice versa?
Linking the business continuity space to the operational resilience landscape has been at the heart of firms' considerations. Many opted to create multiple tiers of services, link the BIAs to operational resilience metrics, and have BCM feed into the operational resilience data. Significant effort is going into aligning taxonomies (e.g., RTO versus impact tolerance, service versus process, etc.) and capitalising on existing work.
Finally, most firms let their internal organisational set-up dictate how operational resilience should be interpreted and operationalised, and hence had the BCM teams take over the implementation of operational resilience going forward. Might we see a need for a course correction emerging in the near future, with a broader set of people included in the operational resilience function, to reflect the shift in mindset that operational resilience invites us to make?
2. Establishing maturity models to drive continuous improvement
To demonstrate progress on operational resilience to regulators, we found that financial firms prioritised short-term action plans, putting forward notable changes in how they identify and map important business services and how they identify and remediate resilience gaps. Alongside this, firms were conscious of the need for self-assessment and continuous improvement, and of the need to structure both around an agile and robust framework covering all operational resilience topics.
This translates into establishing maturity models that evaluate the processes and actions in place for each operational resilience topic, to drive self-assessments and the transition into business-as-usual. In our recent publication, "Embed Operational Resilience beyond 2022 with our 10 Point Assurance Framework", we suggest that operational resilience should not be considered a pathway with a beginning and an end, but rather a loop continuously taking in feedback from every layer of your business.
Finally, as the industry continues to learn and evolve on resilience matters, firms are pushing for industry-wide standards to be set up, which would clarify resilience ambitions and the associated roles and governance. Even though that will bring clarity, we argue that self-assessment is the most important tool for navigating the operational resilience road ahead (check out our recent paper on self-assessment for more information).
3. Only starting to focus efforts on resilience culture and mindset
Financial firms today face a variety of challenges: staying regulatory compliant, staying competitive and keeping up with the latest technologies, protecting and defending their assets from cyber-attacks, ensuring resilience in the face of the most severe scenarios, integrating sustainability into the mix, and many others. All of these need to be integrated into the firm's change management.
Understandably, we are seeing varying levels of effort around resilience culture and mindset. Many firms struggle to identify and implement the levers needed for change, and, more starkly, key stakeholders do not prioritise investment in this area because they are focused on cost optimisation, risk reduction and customer experience.
Nevertheless, now that the first iterations of operational resilience have been delivered as the regulator requested, firms are increasingly looking to boost their resilience culture and to make it part of their thinking and everyday considerations. To push the topic forward, we suggest adding a catalyst: link the topic to stakeholders' main concerns by identifying the ways in which a resilience culture would optimise costs, reduce risks and improve customer experience.
Duncan Mackinnon, Executive Director for Supervisory Risk Specialist at Bank of England
“…Operational resilience cannot be achieved through compliance alone.”
The UK regulators expect firms to take their resilience work forward to 2025 and beyond, and not to limit themselves to the individual requirements and outcomes within the policy, i.e., to think differently and embed operational resilience in the way they do business. They also urge firms to take a group-level view of operational resilience, "ensuring risks arising in parts of the group that are not subject to the individual requirements, are considered."
Wavestone can help you extend and transition your operational resilience framework from a UK-based, compliance-driven exercise to best practices embedded at group level.
We draw on our experience delivering end-to-end programmes for international financial institutions, leveraging a comprehensive and evolving framework that incorporates global regulatory requirements and market best practices to assess the robustness of your resilience processes and the depth of their capabilities.
We will also help you draw up the fastest path to behaviour change, thanks to an awareness framework that ensures efforts are focused where they need to be.