Operational resilience has been on the regulatory agenda over the last few years, and it's becoming even more of a hot topic right now with the focus shifting to ensuring that institutions can respond to and manage the impact of disruptive events.
The Basel Committee on Banking Supervision (BCBS) consultation paper on its principles for operational resilience has ignited the debate at a global level. On top of this, the ongoing coronavirus (Covid-19) pandemic has also tested the industry’s ability to manage during disruption, meaning that operational resilience is a topic of focus in boardrooms.
Throughout 2020, we've been working with a group of operational risk professionals from our member firms on operational resilience and how the financial industry is responding. Recently, we ran a study with this group which helped us identify six key operational resilience challenges facing firms today, and what to do about them.
Read on to find out more and download the summary report for even more information.
6 ways to address the challenges of operational resilience
1. Define the relationship between operational risk management and operational resilience
Although it is widely agreed that operational resilience is an outcome of effective operational risk management, our study showed that many are still treating operational resilience as a separate component of operational risk management. Understanding where and how operational resilience fits into organisational models, from roles and responsibilities through to governance and reporting, is crucial. You need to ensure that a silo structure is avoided and that, whatever approach is taken, synergy between the two is achieved.
2 Clear definitions and terminology will support the industry and allow collaboration
As more definitions are released the differences between them are starting to create confusion and disparity in how operational resilience is approached. For example, UK regulators are promoting a view of creating resilient end-to-end (important) business services, while in contrast, the BCBS references “critical operations”. Although reaching industry and regulator-wide consensus on definitions will be difficult to achieve, it would be valuable.
3. Decide whether to rank criticality of business services and how
Our research and discussions with members highlighted that the way in which important business services are defined, identified and/or managed varies across the industry. Some organisations are calculating, weighting, ranking and prioritising certain activities, while others are taking the view that once defined as important/critical work to achieve resilience is a must. The industry as a whole would benefit from further discussions and collaboration in this area.
4. Use existing operational risk management practices to embed resilience
Our working group agreed that leveraging existing operational risk management practices is crucial to the effective embedding of operational resilience. However, our discussions showed that this is not always straightforward in practice. Two key areas of challenge were scenario development and testing and adapting existing risk and control self-assessments to include an operational resilience perspective.
5. Get the correct level of granularity when defining important business services
For firms falling under UK regulation, being able to set and test impact tolerances will be the determining factor when defining the level of granularity at which important business services are defined. The majority of firms are considering ‘the point of harm’ as part of the process; however, the methodology used varies greatly with no single view of important business services which could be adopted. Instead, our study showed that a blend of approaches would be beneficial.
6. Consider what is important to the firm, the customer, and regulatory and market requirements
The challenge of balancing what is important to the firm and what is important to the customer and the wider market can lead to confusion and discord. For example, UK regulation is highly geared towards ensuring the impact of disruption to the end customer is mitigated. Firms need to make strategic operational resilience decisions and set priorities while protecting their organisation and the wider market
Download and share the summary report
For more insights, download the summary report from our study, Operational Resilience: Addressing the regulatory challenge.
A community working together to advance operational resilience
Since the start of 2020, we've been working with a group of operational risk managers from our member firms to understand the direction of travel in the industry on operational resilience. Our Operational Resilience Working Group meets regularly to work together on key operational resilience topics and share and learn from each other's experiences.
The working group part of the wider Operational Resilience Community and is open to all ORX members. Our communities and working groups give operational risk professionals the opportunity to network, discuss important operational risk themes and work together on progressing the operational risk discipline.
If you're not a member, then find out more about ORX Membership to see how you join a global operational risk community.