Operational Resilience and Shadow IT - business as usual or raising the bar?

The Operational Resilience discussion paper, published by the Bank of England (as DP 1/18), the FCA and the PRA in July last year, is making its presence felt.

The fundamental premise - that a resilient financial system is one that can 'absorb shocks rather than contribute to them' - goes well beyond the current norms of operational risk and recovery capabilities. 

This initiative poses two issues in particular for institutions. Firstly, they will need to consider which functions and roles will actually own Operational Resilience. The Operational Risk function will have a solid grasp of the essential business processes and controls that an institution relies on. Equally the IT and Business Continuity Management (BCM) functions might be responsible, as they will have a detailed understanding of how the IT infrastructure supports the business, and how it can be best recovered during an interruption.  

A blended approach, mixing IT, BCM and Operational Risk, seems the likely response for managing the corporate IT environment, extending their "business as usual" processes.

However there is a second issue that may oblige institutions to raise the bar in response to Operational Resilience. 

Many institutions make extensive use of "informal" business systems and processes - commonly termed Shadow IT - that fall outside the remit of the corporate IT function. These can encompass a range of applications, from complex spreadsheets and powerful relational databases to sophisticated development environments and data visualization tools, and are used to enhance flexibility, innovation and ultimately results. They typically lack the level of controls found in corporate IT systems. However, Operational Resilience will likely mean that these systems are placed under regulatory scrutiny for the first time.

In this context, the challenges of Operational Resilience will focus on identifying, documenting and managing these Shadow systems, so they meet these same high corporate standards, while still offering the power and flexibility that end users value.  

There are some fundamental questions that might be posed to help businesses formulate their thinking around this topic: 

  • How aware is the board about the contingencies of Operational Risk?
  • Who is best placed to own and drive it?
  • How integrated are the risk management systems across the business, and how will they work with Operational Resilience?
  • Is a dedicated Operational Resilience function required?
  • How will this best fit into other regulatory regimes, including SMCR?

To help you grasp the issues in more depth, UK Finance and ClusterSeven are running a webinar at 11am on Thursday 28 February.