While Financial Institutions around the globe have generally waited for the regulators to define Operational Resilience (OpRes), real-world events proved that the regulatory frame of reference is too narrow. Operational Resilience is not something a firm should wait to be ‘made to do’.
The financial system relies on various technologies interacting seamlessly. Institutions are built on IT architectures, and people use IT tools and platforms to perform almost every task. IT is such a significant and integral part of this fabric that a resilient business model should be viewed as a precious source of competitive advantage to those who master it, and the greatest risk to those who do not.
Despite the obvious importance of resilience at the systemic and institutional levels, the first tangible regulatory focus can be traced to the relatively recent ring-fencing of universal banks in the UK, which came into force on 1 January 2019. In the 16 months since, global progress on broader Operational Resilience regulation has been slow and the rule book remains incomplete.
As technology accelerates and morphs at a seemingly exponential rate – and the role of digital tools across the enterprise continues to proliferate – it is fair to ask whether the regulators are able to move quickly enough to mandate resilience. Even if they do, it is unclear whether their definition of resilient will also satisfy commercial imperatives. We consider that those Financial Institutions who use Operational Resilience as a competitive differentiator, even without regulatory oversight, will not only insulate themselves and their customers from systemic risks, but they will also set themselves positively apart from their peers.
Operational Resilience is about far more than Disaster Recovery or Business Continuity Planning. Less mature Operational Resilience conversations tend to focus on short-term, one-off, and often discrete events such as DDoS attacks, Head Office or data centre outages, or terror-related alerts. Impactful, yes, but (usually) restricted to the organisation and concluded relatively quickly. For example, as the philosophy of resilience evolved in the UK, Brexit was viewed as a true test of the ability of an institution to react to a rapid and impactful systemic scenario (admittedly ‘rapid’ here is relative). However, in a typical ‘OpRes scenario’ style, something has now arrived that has forced everyone to kick in Operational Resilience with practically no notice.
True Operational Resilience has to go beyond these ‘war-gamed’ events. Regulatory guidance is in place, or in the pipeline, but Operational Resilience needs to encompass more than the regulatory priorities and definitions. It must focus on an organisation’s ability to flex its operating model through disruption that is short- or long-term, idiosyncratic or systemic.
If the past weeks have taught us anything, it is that the global economy can come to a juddering halt despite all the regulations laid down since the last recession began. Whilst most Financial Institutions had some continuity plan in place, the all-encompassing nature of the current situation has raised an array of new questions. Across our client base we have seen some core considerations emerge out of an agile approach to resilience, for example:
- Balancing the importance of team interaction with the ability to rapidly move to dispersed ways of working
- Understanding the differences between ‘flexible working practices’ and full dispersed working, along with challenging your assumptions about impact on the organisation, your people, and your customers
- Avoiding the false comfort of exchanging one type of operational risk for another (for example, single site concentration with systems stability to support dispersed teams)
- Tracing resilience all the way through the customer journey and value chain to test reliance on third parties (and their ability, both contractually and practically, to step in)
- Having in place a fully empowered and representative ‘rapid decision-making forum’ which can kick in to own any resilience actions
- Having the agility to address the inevitable unexpected impacts and opportunities
These conditions cannot be created ‘as needed’. Achieving this level of preparedness requires an embedded culture of agility and flexibility. Many of our clients, notably those exploring agile working environments, were already moving along the route to resilience. Their journey has been accelerated by the events of the past month, and you can assess your strategic view of Operational Resilience by:
- Considering Operational Resilience as a differentiator for competitive advantage
- Understanding the relative reliance placed on People, Process and Platforms in your resilience model – and the implications of this mix
- Building resilience into your governance and decision-making, both structurally (clear responsibility and rapid issue resolution) and culturally (embedding resilience thinking in product, operations, and tech)
It’s far better to be ready for as many outcomes as possible than to think only in the short term or, worse, to have no plan in place at all. In fact, maintaining your business with a flexible yet durable model that acknowledges Operational Resilience is imperative for keeping pace with, and mitigating risks within, today’s ever-evolving technological landscape.
Ultimately, Operational Resilience not only allows people, processes, information systems, and companies to adapt to rapidly changing systemic and institutional patterns, but also gives them the ability to absorb and adapt to shocks, rather than contribute to them. To paraphrase the Scout motto: Always be prepared.