Some firms mistakenly conclude that reporting on their business continuity activities using the regulator’s parlance is sufficient. It is not.
In reality, the obligations that the policy statements describe are considerably further reaching, detailing the necessity for a step-change in a firm’s approach to ensuring operational resilience. They explain the need to translate the five intervention steps described in the policy statements (prepare, detect, respond, recover and adapt) to solution design principles and then identify areas of strategic and operational importance for future investment and improvement. Services need to be identified and mapped to processes and resources. Customer, firm and market impact tolerances need to be set and plausible disruption scenarios defined and tested.
To achieve all of these a view of the firm’s wider resource ecosystem is needed. It is essential that an up-to-date holistic view of the firms overall operational resilience health is readily accessible to all key stakeholders, all of the time. Improved oversight of the entire range of resource types and the timely detection of resource vulnerabilities is key to making sure that those responsible for ensuring the operational resilience of important business services have the data they need.
Traditional business intelligence and data visualisation tools do a great job of retroactively reporting on trends and helping discover patterns of past behaviour. They are an essential part of a firms reporting capability and IT ecosystem but they do not deliver the actionable insight required, nor do they support the workflows and processes required, to continually assure a firm’s operational resilience.
Reporting that includes the documentation of workflows, the decision-making processes and the curation of evidence is another area in which BI tools simply are not able to provide the functionality required. The regulators make it clear that a firm is expected to show evidence of processes such as:
- Why a service is considered to be important or is not?
- Why impact tolerances have been set where they have?
- Which criteria have been used, why, and how often have important services been tested against plausible business scenarios; in addition to the results of the testing.
- The IBS reassessments, the logic used; opinions of stakeholders; justifications and the individuals responsible.
- Why investment decisions have been taken, why and what they will deliver towards the aim of improving the firm’s operating resilience.
The FCA’s and PRA’s Building Operational Resilience Policy Statements 21/3 & 6/21 describe the need for firms to:
- Identify important business services and determine appropriate impact tolerances.
- Identify and document the necessary people, processes, technology, facilities and resources required to deliver the important business services.
- Use scenarios and learning to determine if services are resilient against defined impact tolerances.
A solution with the FCA/PRA’s policy statement/s at its heart is needed, rather than trying to retrofit the requirements and repurposing existing BI solutions. The solution needs to be focused on translation of the five intervention steps described in Building Operational Resilience PS21/3 and 6/21 to key solution design principles. This will allow firms to better prioritise areas of strategic and operational importance for investment. It must be comprehensive and allow firms to identify and map all services, processes and resources. Customer, firm and market impact tolerances then need to be set and plausible disruption scenarios defined and tested. The solution must support all of these elements, end to end. Finally, the solution must be connected as it must integrate with the wider IT ecosystem to enable the detection of resource vulnerabilities and deliver the holistic oversight of a firm’s operational resilience that is demanded.
Corporater Operational Resilience Solution
Corporater’s Operational Resilience software solution’s out of the box functionality allows firms to prepare, detect, respond, recover and adapt to disruptions to important business services.
For more information see Corporater Operational Resilience Solution.
Interested to see a demo? Contact us.
Operational Resilience in the UK financial sector: Frequently Asked Questions
Learn more about Operational Resilience in the UK financial sector. Click here to access Operational Resilience FAQs answered by our specialists on the implications, practice and implementation of the operational resilience framework in the UK.