Firms need to ensure that their Operational Resilience plans are effective enough to comply fully with the rules and regulations set by the Bank of England, the Financial Conduct Authority and the Prudential Regulation Authority.
The first regulatory milestone is fast approaching, by which time all firms within the UK financial sector must have taken the necessary steps to comply with the Operational Resilience rules. By March 2022, firms must have identified their Important Business Services (IBS), set impact tolerances for them, and completed mapping and testing to the level of sophistication needed to support those identifications and tolerances.
By March 2025, firms must be able to demonstrate that they can remain within their impact tolerances for each IBS. The rules offer a degree of flexibility for different types of firm; that flexibility needs to be analysed and understood before a firm can be confident it is “doing the right thing”.
To help firms understand the flexibility the regulators allow, Wavestone has developed a 10-point Assurance Framework that draws on our extensive experience in Operational Resilience.
This article will explore our framework and the different steps we take to assess and subsequently improve a firm’s Operational Resilience.
Wavestone’s 10 Point Operational Resilience Assurance Framework
Active Preparation
As recent major disruptive events have confirmed (e.g. the ransomware attack on Colonial Pipeline, the Covid pandemic, the Suez Canal blockage and the Facebook DNS outage), the question is no longer “if” a crisis will happen but “when”. Companies therefore need to be prepared for extreme shocks, whatever their likelihood: plans must be in place to keep important business services (IBS) operating within impact tolerance during a crisis, regardless of the nature of the incident. This requires knowing every process and asset that each IBS relies on, together with the contingency measures in place to keep it operating no matter what.
Embedding Operational Resilience into the business is an ongoing process and thus it is important to have repeatable and sustainable processes that address the fundamentals including identifying new important business services, setting their impact tolerance, performing asset mapping, conducting scenario testing, identifying threats, vulnerabilities and risks, and planning for remediation. We assess this by analysing the methodologies used, the amount of empirical data ingested into the process, and the governance model and SME engagement.
Operational Resilience relies on the ability to continue operating important business services within their impact tolerances. This means making sure that the IBS are identified and analysed correctly, and that this analysis is well understood by the right stakeholders so that it informs their decisions. To assess these criteria, we analyse the quality of IBS definitions, impact tolerances, mapping, threat analysis, and critical path and contingency identification. We specifically look for data-driven analysis, strong SME engagement, and identification of complex dependencies (such as cross-divisional ones).
The inability to continue operating business-critical processes after a crisis can have catastrophic consequences for firms, so effective Business Continuity Management (BCM) and Disaster Recovery (DR) plans need to be in place covering both minor and disaster-level disruptions. We assess the mechanisms and processes that support this: for example, that recovery time objectives (RTOs) and recovery point objectives (RPOs) have been defined and that redundancy exists to fall back on. We look specifically at how embedded the IBS view is within current BCM and DR processes, to determine whether those plans prioritise the continuity and recovery of the assets that support IBS.
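The mapping and tolerance check described in the preceding paragraphs can be reduced to a concrete test: walk the IBS-to-asset dependency map, compute the worst-case recovery time along the critical path, compare it with the impact tolerance, and flag assets whose RTO or RPO is undefined or whose third-party provider has no documented contingency. The Python below is an added example, not Wavestone's own tooling or any regulator's method. The inventory (asset names, RTO/RPO values, tolerances) is constructed for illustration, and the model assumes recovery is sequential, so each asset's RTO is added to that of its slowest upstream dependency.

```python
"""Impact-tolerance check over an IBS-to-asset dependency map.

Added example, not Wavestone code. The inventory in sample_inventory() is
constructed for illustration; every name and number in it is hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Asset:
    name: str
    rto_min: Optional[int]                 # None: RTO never defined (a mapping gap)
    rpo_min: Optional[int] = None          # None: RPO never defined
    depends_on: List[str] = field(default_factory=list)
    third_party: bool = False
    contingency: bool = False              # documented fallback or exit plan exists


@dataclass
class ImportantBusinessService:
    name: str
    impact_tolerance_min: int              # maximum tolerable disruption
    depends_on: List[str] = field(default_factory=list)


Path = Tuple[Optional[int], List[str]]     # (recovery time in minutes, critical path)


def recovery_path(name: str, assets: Dict[str, Asset],
                  memo: Dict[str, Path], stack: Tuple[str, ...] = ()) -> Path:
    """Longest-path recovery time for one asset (sequential-recovery assumption:
    an asset is back only after its own RTO on top of its slowest upstream
    dependency). A None time means the path crosses an asset with no RTO."""
    if name in memo:
        return memo[name]
    if name in stack:
        raise ValueError(f"cyclic dependency through {name!r}")
    asset = assets[name]
    worst_t, worst_path = 0, []
    for dep in asset.depends_on:
        t, path = recovery_path(dep, assets, memo, stack + (name,))
        if t is None:                      # unknown upstream: whole path unknown
            worst_t, worst_path = None, path
            break
        if t > worst_t:
            worst_t, worst_path = t, path
    if asset.rto_min is None or worst_t is None:
        result: Path = (None, worst_path + [name])
    else:
        result = (asset.rto_min + worst_t, worst_path + [name])
    memo[name] = result
    return result


def reachable_assets(ibs: ImportantBusinessService, assets: Dict[str, Asset]) -> List[str]:
    """Every asset the service depends on, directly or transitively."""
    seen, todo = [], list(ibs.depends_on)
    while todo:
        n = todo.pop()
        if n not in seen:
            seen.append(n)
            todo.extend(assets[n].depends_on)
    return seen


def assess(ibs: ImportantBusinessService, assets: Dict[str, Asset]) -> dict:
    """Compare worst-case recovery time with the impact tolerance and list the
    mapping gaps (missing RTO/RPO, third party without contingency)."""
    memo: Dict[str, Path] = {}
    worst_t, worst_path = 0, []
    for dep in ibs.depends_on:
        t, path = recovery_path(dep, assets, memo)
        if t is None:
            worst_t, worst_path = None, path
            break
        if t > worst_t:
            worst_t, worst_path = t, path
    findings = []
    for n in reachable_assets(ibs, assets):
        a = assets[n]
        if a.rto_min is None:
            findings.append(("RTO_UNDEFINED", n))
        if a.rpo_min is None:
            findings.append(("RPO_UNDEFINED", n))
        if a.third_party and not a.contingency:
            findings.append(("THIRD_PARTY_NO_CONTINGENCY", n))
    return {
        "service": ibs.name,
        "recovery_time_min": worst_t,
        "impact_tolerance_min": ibs.impact_tolerance_min,
        "within_tolerance": None if worst_t is None else worst_t <= ibs.impact_tolerance_min,
        "critical_path": worst_path,
        "findings": sorted(findings),
    }


def sample_inventory():
    """Constructed inventory: hypothetical assets, dependencies and tolerances."""
    assets = {a.name: a for a in [
        Asset("storage_array", rto_min=90, rpo_min=0),
        Asset("core_db", rto_min=120, rpo_min=5, depends_on=["storage_array"]),
        Asset("fraud_vendor_api", rto_min=45, third_party=True),       # no RPO, no exit plan
        Asset("fraud_screening", rto_min=30, rpo_min=60, depends_on=["fraud_vendor_api"]),
        Asset("payments_app", rto_min=60, rpo_min=15, depends_on=["core_db", "fraud_screening"]),
        Asset("branch_portal", rto_min=None, depends_on=["core_db"]),  # RTO never set
    ]}
    services = [
        ImportantBusinessService("Retail payments", 240, ["payments_app"]),
        ImportantBusinessService("Branch services", 480, ["branch_portal"]),
    ]
    return services, assets


if __name__ == "__main__":
    services, assets = sample_inventory()
    for ibs in services:
        print(assess(ibs, assets))
```

A `None` recovery time is itself a finding: the firm cannot show it will stay within tolerance until every asset on the critical path has a defined RTO. The same computation is what a scenario test has to answer for each severe but plausible scenario, with the affected assets' RTOs replaced by the outage duration the scenario assumes.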
A business is only as resilient as the weakest link in its supply chain, and it remains ultimately responsible for the services its third parties provide and the actions they take. A breach at a supplier can effectively become a breach at its customer, who may still be legally accountable for it. Recently, for example, major incidents caused by third-party failures such as the Ever Given container ship blockage, the SolarWinds compromise and the Accellion data breach have had huge repercussions across multiple industries.
Incidents like these show that a sufficient governance framework to manage all third and fourth parties is required. We assess this governance framework by first looking for senior management accountability and identifying how the IBS view is incorporated in supplier criticality assessments. We then assess how the organisation analyses the resilience of their suppliers through due diligence on their KPIs to understand how vulnerable they are to threats. We also assess how prepared the organisation is for a third-party failure through looking at their continuity and exit plans. This ensures that third party risk is mitigated throughout the supply chain, maximising an organisation’s security and Operational Resilience posture.
Operational Resilience analysis and testing highlights risks in the business, and these need to be integrated with the existing second-line operational risk management processes so that they are managed as part of business as usual (BAU). We assess the second-line oversight strategy, monitoring, controls management and reporting, and how Operational Resilience risk fits into them in BAU. We also look at how Operational Resilience controls fit into the Risk and Control Self-Assessment (RCSA) process.
Effective Reaction
When a crisis inevitably occurs, efficient and effective processes must be in place to ensure that it is managed through from identification to recovery. A crisis that is not properly managed and responded to in a carefully planned way can cascade quickly resulting in a higher, more damaging impact on customers, the firm itself and the market.
Organisations face many threats, so it is essential to have a clear plan of action for responding to every severe but plausible scenario. Responding to a crisis ad hoc is chaotic and problematic; the effective allocation of resources, for example, is a common challenge in crisis management. We therefore assess our clients’ ability to identify incidents when they occur and to allocate resources efficiently, so that they respond and stay within the defined impact tolerances under all relevant scenarios. This assessment can be made through analysis of the crisis management framework and existing plans, the existence of crisis management training, or even by running stress tests or crisis simulation exercises.
Communication is a key part of any business, and for operational resilience it is especially important to maintain communication with all stakeholders, including senior leaders, employees, regulatory authorities, the media and social media channels, and the public. Beyond being able to stay in contact, it is equally important to know what message to give each group of stakeholders; otherwise precious time is wasted agreeing what should be communicated. We analyse the crisis communication plans, templates and training in place to assess the organisation’s ability to maintain quality communication during a crisis, regardless of the nature of the incident.
Learning from Continuous Feedback
Operational Resilience should not be considered a pathway with a beginning and an end. To be effective it should be a continuous loop that keeps improving as feedback is taken on board. The Wavestone way is to embed operational resilience into every layer of your business, which delivers more than simply satisfying the regulators’ requirements. Operational Resilience is a long-term shift in culture, necessary to truly reap the benefits of documented processes and capabilities. Processes and controls should adapt and improve as firms change their business strategy and operating model, and as the threat landscape evolves.
This continuous feedback needs to be considered at all levels, so that senior leadership is engaged in continuously improving Operational Resilience.
Under the Senior Managers regime (SMF24, the Chief Operations function), business leaders are accountable for upholding and promoting the culture of Operational Resilience to ensure it is adhered to throughout the firm. We assess the governance framework in place, both from a terms-of-reference and a “real life” perspective, to ensure that all accountable SMFs are identified and involved in decision-making. We also look for an engagement model and RACI spread across the three lines of defence, paying particular attention to resilience risk hand-offs.
With this in mind, a forward-looking culture is a more resilient one. A firm that actively anticipates threats and works to mitigate them will ultimately be able to respond more effectively and reduce the total impact of a crisis. We assess how this culture is embedded from top to bottom and across teams throughout the firm to identify where improvements can be made.
It is essential to leverage data to continuously monitor resilience risks, identify gaps as they occur and feed key results back to management. The data gathered can be used both to measure the effectiveness of the Operational Resilience processes and to supplement them. For example, tooling that automatically collects real-time system data will be more effective than relying on manually maintained documents. We analyse the robustness and accuracy of our clients’ data model around IBS, their tooling strategy, their ability to identify gaps in real time, and their reporting model and how it is leveraged in decision-making.
Testing is essential to knowing that plans work and that IBS can continue to operate within their impact tolerances in the event of a crisis. We therefore assess the testing strategy in place, ensuring that appropriate test methodologies and scenarios have been chosen, looking at how the data collected in testing is used for management information (MI), and ensuring that the lessons learnt from testing are fed back for continuous improvement.
Roxane Bohin
Senior Consultant
We can tailor this framework to your needs and then deliver a rounded assessment combining document analysis against best practice with stakeholder interviews focused on typical pitfalls. This enables us to deliver a maturity benchmark against peers and give you a view of how solid your foundations for embedding Operational Resilience are.