The concept for a financial services institution to respond, recover, and resume operations at acceptable levels of performance after a disruption occurs, is called Operational Resilience. One of the key priorities for regulators across the globe is to put in place a stronger regulatory framework to promote the operational resilience of financial services firms.
In this blog, we will:
- get into the concept of operational resilience,
- share with you some practical guidance on challenges, and
- why the use of the right technology is pivotal.
What are the key differences between resilience and existing crisis preparedness?
Resilience is often used in a similar context of agility or recovery as well as continuity. In addition, we see firms use similar wording in the context of financial and business resilience and other related crisis and disruption preparations.
We highlight the following most common:
- Operational Resilience vs Agility
- Operational Resilience vs Business Continuity Management
- Operational Resilience vs Recovery and Resolution
1. Operational Resilience vs Agility
We often hear firms talk about “agility” and “resilience” as if they are the same thing. They are not. Our fast-changing world and challenging business environment require organizations to adapt quickly to change and have high levels of resilience.
An agile firm can respond quickly to changing market needs. A resilient firm is prepared to take a beating when it comes. During and after COVID, businesses had to react quickly to stay in business. This required agility in responding to changes in market demand, reduced staff, and shifting to work from home environments.
From previous and current financial crises, we have learned that an operational resilient firm can remain operational as usual when disruptions occur. They had basically planned for disruption (from external or internal drivers) and were able to deliver on improvements needed. This enabled them to respond effectively when disruption occurred.
2. Operational Resilience vs Business Continuity Management
We have learned that operational resilience looks not just internally but also externally (e.g. customers, market integrity, employees). Business Continuity focuses internally on the organization itself and its ability to continue to function.
Business Continuity attempts to deal with all risks that may impact all business activities and mitigate them. Operational Resilience focuses on a relatively small number of identified Important Business Services, accepts that there will be disruption to them, and attempts to ensure they remain within the defined impact tolerances despite this.
3. Operational Resilience vs Recovery and Resolution
Internationally active banks may leverage their recovery and resolution plans for their operational resilience (preparation) activities. But do they differ or are they the somewhat same?
A pragmatic, flexible approach to operational resilience can enhance the ability of banks to withstand, adapt to, and recover from potential hazards and thereby mitigate potentially severe adverse impacts. This is done by ensuring that a firm can continue to deliver important business services even through times of operational disruptions.
Recovery and resolution planning ensure that banks are prepared to restore their viability in a timely manner even in periods of severe financial stress. And in case of resolution, setting appropriate levels of Minimum Requirements for own funds and Eligible Liabilities (MREL), and addressing impediments to resolvability. A resolution plan comprises a comprehensive description of credible and feasible resolution actions.
Can we leverage our efforts?
We see clear opportunities for alignment working through the various concepts. The opportunities for alignment are typically around:
- i. identified critical/ important services/ functions
- ii. taxonomies & terminologies, and
- iii. organizational structure & governance.
How is Operational Resilience regulation impacting financial services institutions today and tomorrow?
Over the past few years, organizations have seen lots of disruption to objectives, operations, processes, and people. Multiple regulatory initiatives to prevent operational disruptions affecting the financial system have been completed and are now being implemented across regions.
- DORA is an initiative from the EU to streamline previous ICT regulations and unify the approach of financial entities towards ICT risk management, as well as to strengthen their operational resilience. This has an implementation timeline of 24 months starting from January 2023.
- In the UK, supervisory authorities (PRA, FCA, Bank of England) expect firms to begin implementing the policy requirements in line with the given timelines ensuring a dynamic operational resilience activity by March 2025. Today, firms are expected to have identified their important business services and associated impact tolerance levels including mapping and identification of vulnerabilities in their operational resilience.
What are the lessons learned?
Staying compliant and simultaneously ensuring preparedness for disruption during times of transformation, is a recipe for complex tasks and challenges. This requires a clear direction and commitment to find a suitable solution.
Key lessons learned can be found across a wide spectrum, from (project) governance to underlying framework as well as measuring and monitoring activities, and are typically linked to:
- Executive ownership and commitment to operational resilience capabilities and investments,
- Communication and information flows,
- Identification and understanding of organizational structures, dependencies, and criticalities,
- Performing appropriate assessments, testing, and remediation activities,
- Define effective processes across various crisis preparedness activities.
Considerations for tomorrow
Firms need to maximize their efforts to achieve their digital transformation ambitions (and to be able to stay relevant alongside the success of new digital native competitors). It is apparent that firms cannot manage risks and prepare for disruption in a traditional way. Identifying technology solutions that provide the toolkit to manage the various operational resilience components should be an integral part of their plan to reach their digital transformation ambition.
This article is a précis of the presentation by Daniël Smidts at the 12th Annual Risk EMEA Convention 2023 in London, on 13th June 2023.
