Cyber attacks resulting in data breaches, ransomware, and the outright destruction of data are all on the rise. Other disruptive forces such as social unrest, worldwide pandemics, and natural disasters add to the possible sources of business risk. Risk managers across all industries are well versed in addressing these concerns, but the financial industry in particular faces additional scrutiny. Business continuity and financial resilience are no longer the whole of what is required of financial institutions. Operational resilience in finance has become a major focus of regulators in some nations, and it is a trend that shows signs of spreading.
The Need for Operational Resilience in the Finance Industry
Financial institutions, in particular, are a central feature of a functioning society. Without the services of the banking sector and others within the financial system, it is easy to see how quickly an entire economy can crumble. This is why regulators in some countries are taking a much broader view of operational resilience in the financial services sector.
Even before the Covid-19 pandemic, regulators and supervisory authorities within the United Kingdom spearheaded an effort to make financial institutions more resilient to disruptions by changing how they defined operational resilience. The Bank of England and the European Banking Authority began by shifting their regulatory stance to consider operational resilience to be the ability of a financial firm to prevent, adapt to, respond to, recover from, and learn from a disruption of its business operations. Regulatory authorities in Europe, Australia, and the US are all beginning to broaden the scope of their regulations concerning the resiliency of enterprises in this sector.
Operational Resilience Versus Business Continuity
You may think that this seems redundant, considering that responsible entities should already be factoring business continuity into their risk management programs, but operational resilience is much more than business continuity alone. For one, the regulatory framework gives you a clue: the Bank of England specifically requires institutions to predict likely, plausible, and severe operational disruptions and to assess to what extent they would be able to continue critical business services. Not only must they report these impact tolerances, but they must also assess their risk profile, determine where their business activities may exceed these tolerances, and alter their stance accordingly.
Operational resilience integrates cyber security, business continuity, compliance, and vendor risk management workflows in a single area of planning. This holistic approach gives an enterprise the best opportunity to adapt to, respond to, and recover from an adverse event, even one that is entirely outside its control or one of several concurrent events.
Principles of Operational Resilience
The foundation of a successful operational resilience management program is built upon a framework of several key principles. These principles can be broken down into three main areas of responsibility.
Much like any other enterprise-wide task, operational resilience will not take root without support from the executive level. Lasting change in an area as significant as this has to be driven from the top down. The old approach of treating resilience planning as one segment of a business continuity plan will no longer be sufficient.
Business leaders should be guiding dialogue between board members and operations personnel on risk assessments, evaluations, remediation, and technology integration. These same leaders must also make IT and operations aware of which specific systems are mission critical, why they are critical, and how a disruption of those systems would affect business functions.
Executives must also guide and develop specific policies and procedures that shape the resiliency program and codify flexible and robust business service restoration practices. These policies provide structure and accountability for the program. They work even better when reporting is streamlined to a single executive with the ability to unite mid-level management across silos within the enterprise.
Tools and Processes
The second major area of responsibility is where specific tools and processes are developed and structured to form the heart of the operational resilience program. The first step is the identification of critical business services. This includes mapping out interdependent services within the business as well as critical third-party vendors and suppliers. This map can greatly speed up program implementation, as it lays out a visual representation of the critical services network and also helps to prevent duplication of effort.
The next step is identifying and mapping the relationships between these previously identified critical services and vendors and their related processes and systems. This is a massive undertaking and can seem impossibly complex at first glance. Almost every department has some task that touches a critical service or system, but all is not lost. If your company has recently invested in cyber security upgrades, information system hygiene efforts, lean process design, or other technological implementations, those efforts may provide important information that can inform and speed up the resiliency process.
Perhaps the most important subsection of your process development segment is scenario design and impact assessment. Here is where you must brainstorm significantly diverse disruption scenarios and effectively war-game their resolution, the restoration of business operations, and the resumption of service to clients. Building out multi-failure scenarios, scenarios in which certain systems cannot be restored, and other difficult cases will only make these exercises more worthwhile. A thorough after-action review and reassessment process will help refine and improve this technique over time.
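As an added illustration of the mapping and scenario-assessment steps above (example code written for this page, not Venture Lynk's tooling), the following walks a constructed service dependency map, works out which critical business services a given failure scenario reaches, estimates the outage from assumed restoration times, and flags any service whose outage would exceed its impact tolerance. Every service name, vendor, tolerance and restoration time is a made-up sample value.

```python
# Constructed sample map: each node lists the systems or third-party vendors it
# depends on. Critical business services sit at the top of the graph.
DEPENDENCIES = {
    "retail_payments": ["core_banking", "payment_gateway"],
    "online_banking": ["core_banking", "web_portal", "identity_provider"],
    "card_authorisation": ["card_switch", "payment_gateway"],
    "payment_gateway": ["vendor_acquirer"],
    "web_portal": ["vendor_cloud"],
    "identity_provider": ["vendor_cloud"],
    "card_switch": ["vendor_cloud"],
    "core_banking": [],
}
CRITICAL_SERVICES = ["retail_payments", "online_banking", "card_authorisation"]

# Assumed impact tolerance: maximum tolerable outage, in hours, per critical service.
IMPACT_TOLERANCE_HOURS = {"retail_payments": 4, "online_banking": 8, "card_authorisation": 2}

# Assumed time, in hours, to restore each component once it has failed.
RESTORE_HOURS = {"core_banking": 6, "payment_gateway": 1, "web_portal": 2, "identity_provider": 3,
                 "card_switch": 5, "vendor_acquirer": 12, "vendor_cloud": 24}


def failed_dependencies(service, failed):
    """Return the failed components reachable from `service` through the dependency map."""
    hit, stack, seen = set(), [service], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        if node in failed:
            hit.add(node)
        stack.extend(DEPENDENCIES.get(node, []))
    return hit


def assess_scenario(failed, unrestorable=frozenset()):
    """Map each impacted critical service to (estimated outage hours, breaches tolerance).

    Components in `unrestorable` model the 'cannot be restored' scenarios: the outage
    is reported as None (indefinite) and always counts as a tolerance breach.
    """
    failed = set(failed) | set(unrestorable)
    result = {}
    for service in CRITICAL_SERVICES:
        hit = failed_dependencies(service, failed)
        if not hit:
            continue  # this service does not depend on anything that failed
        if hit & set(unrestorable):
            result[service] = (None, True)
        else:
            outage = max(RESTORE_HOURS[c] for c in hit)  # restorations run in parallel
            result[service] = (outage, outage > IMPACT_TOLERANCE_HOURS[service])
    return result
```

Running `assess_scenario(["payment_gateway", "core_banking"])` shows the point of multi-failure scenarios: neither component alone breaches the retail payments tolerance, but together they do.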
Strategies and Decision Making
You have identified your critical services, systems, vendors, and suppliers. You have also developed business operations recovery procedures and streamlined their implementation while removing redundant effort throughout your organization. Now what?
Feeding this gleaned information back into your decision-making process can alter your path forward. Using this guidance to make personnel decisions, systems upgrades and build-outs, and other infrastructure and financial investments is what will truly solidify operational resilience as a cornerstone of your business. At the same time, applying this information to bolster your critical systems is another way to use the work you have already done. Backup systems and alternate vendors are just two of the investments that can harden your posture through the application of this information and create a true business transformation.
Just as you implemented recovery and restoration testing in the previous phase, making that a permanent aspect of your business operations is the final step in truly embracing operational resilience. The goal is to foster a sense of flexibility in response and embrace the concept of rapid restoration of services. Continuing to strive for improvements in these areas will ensure you’re ahead of the game as regulators in many areas broaden the scope of their evaluations.
This is not a process that you need to tackle on your own. Venture Lynk is staffed with industry experts from various backgrounds and areas of expertise. Specializing in working with the financial services industry, we have a wealth of services that can be applied to increase your operational resilience, from project resources and advisory capabilities to vendor financial risk assessments and everything in between. Please visit us today to see what customized services we can offer for your specific situation.