Operational resilience 3.0 – Unlocking potential and elevating response

Unprecedented events have the potential to shock a firm’s immune system and cause operational disruptions. The challenge is compounded when firms must also keep pace with digital transformations and shifts in regulatory guidance. Although resilience measures are in place, a future-proof attack plan is vital. In a Risk.net webinar convened in collaboration with Fusion Risk Management, an expert panel delved into best practices for businesses to elevate systems to the next level of prediction, preparation and protection

The unprecedented Covid-19 pandemic, which unfolded worldwide over the past 18 months, has undoubtedly reshaped the operational resilience agenda for businesses, governments, and regulators. The year 2020 was a real-world stress test of the financial industry’s resilience.

Along with displaying structural flexibility to counter the seismic changes brought about by Covid-19, financial firms continue to adjust to hybrid work, reconfigured physical workspaces and revised risk management frameworks while adapting to changing regulatory guidance.   

Resilience risk jumped from fifth to third place in Risk.net’s annual Top 10 operational risks survey published in March, just behind IT disruption and data compromise.  

It is telling that only two years ago a certain large bank, in the course of routine business continuity planning, drew up a scenario in which one-third of its global workforce were locked out of their offices without warning due to a pandemic. The bank tore up the scenario at the time, dismissing it as unrealistic.

The renewed focus on operational resiliency is also reflected in regulatory policy as new guidance was issued earlier this year by the Bank of England’s Prudential Regulation Authority (PRA). The policy statement on operational resilience for financial firms, published in March 2021, says the PRA expects firms to plan for all severe stresses, however low their probability.

Other recent guidance was issued by the Basel Committee on Banking Supervision, also in March 2021, aiming to make banks better able to withstand, adapt to and recover from severe adverse events. 

Firms will need to prioritise best practices in response to regulatory policy and supervisory guidance and be equipped with practical approaches on how to achieve a mature and robust operational resilience programme.

As firms prepare for the next possible crisis, experts believe best practice measures such as more collaboration, especially among business silos, and the three lines of defence management functions will boost resiliency planning.

Plan for the unthinkable

Effective operational resilience means ensuring a system does not break down under stress and having a plan in place if it does. While firms have clearly shown resiliency in the face of the unprecedented disruptions of the past year, it is important to understand what to focus on and how best to prepare for the next ‘black swan’. 

Rich Cooper, global head of financial service go-to-market at operational resilience software specialists Fusion Risk Management, noted that just as firms today are better prepared in their infrastructure and work-from-home strategy, “it doesn’t matter what the situation is, it’s about the impact [an event] has on your operation”.

Events can range from a cyber attack to widespread power outages to technology failure or a vendor issue – all could impact the business service in an unpredictable way. “But understanding the components … and making sure you have a certain amount of resilience to fulfil the obligations to those services is really what’s important,” said Cooper.

Collaboration among business units and breaking through silos is an important first step, according to the panel.

Silo bias

Organisational silos pose challenges by adding complications and deterring smooth functioning of the operational side of business. Improving communication across those silos is a natural best practice for optimal resilience planning.

“Firms have looked across groups and realised that HR departments need to come together with the technology groups, facilities, health and safety issue management, and to ensure they continue to deliver their promises as an organisation,” Cooper noted. 

Breaking down silos and encouraging co-operation between disciplinary silos – such as operational risk, business continuity, disaster recovery, physical security, cybersecurity– would encourage cross-group resource deployment and improve resource utilisation overall. 

Silos also bring forth unintentional bias, according to Cooper, and employees approach problems from their business function bias standpoint, whether from an audit, controls or technology background.

“This gives rise to a duplication of efforts or separates ‘sources of truth’ because a business continuity person might be asking a slightly different question than someone from risk or IT audit.” 

As large organisations begin to plan the next strategic steps to operational resilience, the objective is clear – to manage risk and adapt to change as well as be able to anticipate and act. Creating synergies across the three lines of defence is part of such best practice, the panel noted.

Having an efficient and stringent three lines of defence risk management approach in place is an important aspect of resiliency planning. Moving forward, a more collaborative approach needs to be actioned for having next-level resilience planning embedded in a firm’s business functions. 

Here, as well, firms need to deploy resources efficiently, dedicate them to every line of defence, and enable a holistic view to bring them together. 

Michele Ushkowitz, head of operational risk, Americas, at Societe Generale, observed from her second-line perspective that there is “tremendous value in having collaboration between first and second line of defence functions like business continuity, cyber-security teams, IT, data management office, and third-party risk”. 

Resiliency is now a ‘board conversation’. As the latest regulatory guidance puts more focus on the role of senior management in building more resilient operations, Ushkowitz said the collaboration must also be driven from the top. 

“[Regulatory guidance] is helping firms start to progress, maybe a little quicker than we did last year. As we move forward, we’re starting to become more mature and the pace is picking up in the industry in the last four or six months or so.”

Boards and other senior management need to better understand and prioritise the risk levels of the firm and readiness for disruptive scenarios, she emphasised.

Scenario testing and next-level tech

Scenario analysis and stress-testing can play a key role in building business agility and resilience but traditional, overly prescriptive approaches can limit their effectiveness. The move now is towards becoming less rigid and more flexible. 

This is expected to simplify and reduce the lead time that is needed to develop scenarios, Ushkowitz noted. “Our playbooks have to be robust, but also flexible enough that if we get thrown a curveball, we’re ready.” 

Building efficiencies upfront, such as developing scenario exercises and having an inventory of scenarios and table-top exercises to call on, will help firms develop a more flexible approach to the tests, added Ushkowitz.

Technology is a vital component of scenario analysis and stress-testing. Next-generation tech and artificial intelligence (AI)-enabled platforms are a useful tool for mapping out issues and building resilient systems. Better data provides greater objectivity and will help firms become more predictive in nature, Ushkowitz noted, “[Data will] help us anticipate and mitigate threats before they happen.”

Advances in data and analytics are also a key enabler of strategic decision-making, according to Paula Fontana, senior director of product marketing at Fusion Risk Management. “There are the modelling capabilities that financial risk management has used historically, but there’s also new potential around the role of AI, and predictive technologies, and in sensing patterns that we, as human beings, don’t necessarily pick up,” she said.

But would AI and predictive technologies prove useful as the industry evolves to better operational resiliency? It can certainly help to better understand their organisation, perhaps better than mapping manually, Fontana believes.

“Some AI applications, in terms of predicting the future, may be a little too futuristic and unreliable at this juncture, but there might be other aspects of it that could be useful to understand the complex web of the organisation,” Fontana added. 

And what of the future? What impact will data have? The consensus view from the panel was that efficiency in operational resilience will be accelerated by agile and next-generation tech. But equally important will be the interpretation of data that is processed and analysed by that technology in the next stage of building resilience.

Resilient outlook

Operational resilience will continue to evolve as a central regulatory principle, providing a blueprint for firms in building operational excellence.

Businesses must move beyond their siloed approaches and unintentional yet inherent bias to encourage collaboration and better guard against unpredictable shocks. Business leaders must also prepare to be agile on the technology front, by adopting next-generation and AI-led technology that can better process and interpret data to elevate resiliency management. 

Today firms are not only addressing regulatory expectations of operational resilience by identifying the critical or important business processes, but they are also mapping out end-to-end processes, and interdependencies and interconnections. Above all, they are identifying new tolerances and thresholds to unlock that next-level resilience potential. 

Sponsored content