Building an Operational Resilience Framework
November 3, 2022
In recent years, regulators have made operational resilience a focus point. Notable regulatory movements include:
Risk Management v Operational Resilience
Traditional risk management focuses on minimising risk to a firm via controls that reduce the impact and probability of a risk event happening. Operational resilience focuses on building a firm’s capabilities to deal with risk events should they materialise. We are seeing operational resilience straddling five key pillars:
- Regulatory Resilience.
Ensuring that the organisation is in full compliance with regulatory requirements and can identify and adapt to changing regulatory expectations. We see this as particularly important for companies that are passporting or distributing their product across multiple jurisdictions. It is important that the CCO is comfortable that all those filings, obligations and submissions are met.
- Service Providers.
Identify critical business service providers, or those partners that could harm the firm or negatively impact its financial stability. The firm should identify an impact tolerance for each service provider, beyond which it poses a risk to the firm. In an environment where firms are heavily reliant on partners, this is a vital area. We are seeing firms move beyond periodic DD reviews of their partners (TPAs, Outsourcers, Vendors) to scoring and tiering of those partners.
- IT and Cyber Resilience.
A firm must ensure that both its own technology and its providers’ technology is suitable and secure. Continual assessment is key, in that firms should build on existing processes and systems. The new cybersecurity rules from the European Commission, known as "DORA", continue to be a topical conversation for service providers in Europe as the clock ticks down to an anticipated 2024 compliance deadline.
- Financial Resilience.
Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you’re managing your finances prudently.
- People Resilience.
Ensuring your governance, accountability and culture are building morale and empowering success within your organisation, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions.
Regulators Are Expecting Firms To Show Evidence
Operational resilience is a key focus for regulators around the world. Despite individual guidance, there is commonality in their operational resilience requirements. We see continued attention paid to mapping third-party interdependencies to operational resilience risks. The key difference between risk management and operational resilience lies in considering the different possible outcomes and being ready for them, rather than in trying to make an exact prediction. Management must prepare ongoing crisis management strategies in order to be able to adapt and increase the speed of recovery. This elevates the importance of business continuity planning that is interconnected with Enterprise Risk, Vendor Management and ICT.
Steps toward building the Operational Resilience Model:
- Review existing governance frameworks and committee structure to include responsibilities with respect to operational resilience
- Implementation of a suitable Operational Resilience Framework should be a holistic, cross-departmental exercise
- Identify which services within the business are critical or important
- Identify impact tolerances & quantify the maximum level of disturbance that can be withstood
- Map the processes to each critical business service, taking into consideration the key staff or technology needed to deliver it
- Continually evolve the ICT and cyber resilience strategies to reflect new working models
- Evolve business continuity management
Technology And Operational Resilience
GRC technology will allow a firm to view the operational resilience framework in real time. This technology should have the ability to interconnect the Resilience Framework with the underlying five pillars, showing their control/assurance performance and, more crucially, BCP scenario stress-testing. The technology should facilitate the rapid identification of emerging risks, whether they are incident driven or the result of changes in the macro environment. GRC technology will help companies manage operational risk; however, it must be coupled with engagement from the board and senior executives in establishing the overall operational resilience objectives and strategy, and in monitoring the execution of that strategy.