By Christopher Thackray
Operational Resilience delivers assurance to stakeholders that a firm can absorb and mitigate disruptions to its operations and that the company is a safe and trusted place for investor and consumer money, regardless of the size of interruption. It secures operational viability, thus protecting the sustainability of the company.
Companies seeking resilience must consider the following:
- The foundations and five matrices of resilience — Important Business Services, impact tolerances, scenario and stress testing, mapping, and communications;
- Strengthening their underlying data infrastructure;
- Developing a “resilience by design” ecosystem;
- The importance of leadership buy-in.
Though resilience as a company concept is not new, it has gained industry-wide recognition as a leading area of focus, not least within financial services.
The answer lies partly in the cluster of innovation that is changing the industry’s foundations, including new, and often risky, financial products and new channels for delivering services. Proliferating technology, major company model changes, new and more complex risks, and real-time interconnectedness expose companies to disruption that can cause irrevocable harm. Confronting these changes has compelled many companies to include Operational Resilience as an essential programme in company and product strategy.
The multi-year journey towards embedding Operational Resilience into company strategy begins with a commitment from the Board and C-suite to develop “resilience by design”, a process in which companies address the causes of operational risk and their potential impact from the outset of a new product or service. While Operational Resilience presents a new approach to the design concept of products and services, it also exists to promote the continuing improvement of existing capabilities across the pillars of Operational Resilience – including business continuity, crisis & incident management, information technology, cyber & information security, supplier management, and operational risk management – that have existed for decades. It is important for the pillars of Operational Resilience to integrate into the risk management system and to rely on analytics deriving from the system to inform priorities for risk mitigation, prevention, response, and recovery planning.
Linking data to operational resilience
Operational Resilience reflects the strength of a firm’s operational control environment, with controls designed to anticipate, prevent, respond to and recover from operational disruptions to agreed Important Business Services. These controls should be linked to defined measures of impact tolerances reflecting the firm’s risk appetite and assessed levels of intolerable harm to customers and to the firm’s safety and soundness when disruptions to services occur. The use of service stress testing will validate a firm’s ability to contain the impact of disruptions within the measures of risk appetite and impact tolerances, which should then be reflected in future capital holding for operational risk. To develop, deliver and embed Operational Resilience, companies should look to invest in existing operational risk capabilities. Operational Resilience relies on a fully integrated operational risk management system, providing visibility of risks-to-resilience and an understanding of the operational control environment to detect, prevent, respond to and recover from operational disruptions. In short, Operational Resilience cannot be achieved in isolation, without a sound and integrated system of operational risk management.
Traditionally, data has been used reactively, and though not the entire solution, it is core to the future of Operational Resilience. It will provide companies with capabilities to facilitate forward-looking proactive analysis of risks that may cause disruptions and offer opportunities to build resiliency into the firm that will facilitate:
- Better customer outcomes;
- The safety and soundness of the company; and
- Wider market financial stability.
Process management and integrated data structures between risk, operations and product data sets are important for providing consolidated views and analysis of the critical processes in the delivery of important business services, the risk and control profile of these processes, and the severity of impact to customers before and during times of disruption. It is as important to understand the continuing preparedness of substitute delivery channels and capacities where primary delivery channels fail, to further enhance a firm’s resilience capabilities.
Resilience by design
Operational Resilience is an outcome that benefits from the effective management of operational risk. While operational risk can be viewed as the way in which potential threats are identified, a company’s preparedness for disruption is what defines Operational Resilience. The ability of a company to achieve maturity in the field of Operational Resilience will only ever be aligned to the maturity, capability and embeddedness of its operational risk function and framework.
Developing resilience from the outset (i.e. during the product or service design phase) requires companies to consider both the causes of operational risk and their potential impacts, which could result in customer harm, uncertainty of company sustainability, and/or instability in the wider financial market. As firms advance the embedding of Operational Resilience principles into the running of the company, they should consider how to embed new and/or advanced practices of Operational Resilience into the design and/or change of business products and services. This is commonly known as resilience-by-design. A common mistake made by firms is to jump to resilience-by-design without investing sufficient resources in building the underlying resilience infrastructure to support the desired objectives of resilience in the product development lifecycle. This differentiates Operational Resilience from traditional practices of Business Continuity Management.
Resilience-by-design is integral when introducing new products, services, relationships, and company model changes. It requires assessing products and services to determine potential causes and impacts of disruptions that exist within the features, dependencies, and the wider market. The firm has to recognise upfront that its customers are dependent on the services provided and ensure that failure of a service does not cause vulnerability amongst its customer base by having predefined resiliency measures in place. The firm has to be confident that substitute services have the capacity to take on customers affected by failure of another service across its service line. Further, companies should consider third-party arrangements at the beginning of the supplier lifecycle and analyse the potential risks including whether the third party possesses the same level of company continuity capabilities as the company. Lastly, during company model changes, companies need to reassess their ability to recover from an incident end-to-end, including downstream and upstream risk.
Developing a culture of resilience
A culture of resilience must start at the top — it is a fundamental truth that the culture of a company is an indicator of good leadership. Risk-focused leadership can improve the company’s ability to tackle issues while keeping core functions operational, and achieving this comprehensive connection is the true differentiator in the effect of resilience within a company.
As Boards and C-suites work in an ever more competitive environment to deliver new products and services, they take risks that they may not have fully vetted. In the pursuit of profits within today’s competitive markets, companies tend to offer new products to the market without spending sufficient time considering both points of failure for the product or service, as well as ways to respond, recover, and maintain the relevant product or service during times of disruption.
From this lesson, Boards and C-Suites can engage with risk and resilience programmes as enablers of sustainability and create a cultural change within their companies that will encourage a culture of resilience. Over time, these programmes can become second nature, part of the everyday strategy to ensure company continuity.
Building Operational Resilience means presuming a 100% probability that an incident will occur, then creating a course of action to maintain integrity and protect the company, its customers, investors, employees, and stability in the market.
Companies have the opportunity to begin or strengthen operational resilience programs while they look toward a future after COVID-19.