Since financial regulators published the draft papers on operational resilience last December, I have had several conversations with practitioners looking to get ahead of the deadline of December 2021 by evaluating their existing framework and aligning with the new requirements.
The regulators define operational resilience as “the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”. Currently in consultation, the operational resilience requirements are the culmination of the continuous improvement efforts of firms, supervisors and regulators to enhance their risk management activities.
A focus on digital resilience is evident in the papers referring to mapping of information assets, and concerns for data integrity when recovering from incidents. It is also evident in the increased scrutiny of third-party relationships. As organisations collaborate to deliver innovative products to their customers, third parties are becoming an essential component of the delivery chain.
We must however be careful that we do not focus solely on these driving forces. Although digital resilience is an essential piece of the bigger resilience picture, it is only effective if informed by the context of the whole organisation. Digital resilience is critical today because of our increased dependence on digital technology, and the exponentially growing landscape of risk that we are exposed to due to the digitisation of our world.
The severe but plausible risk scenarios we must guard against are widely varied, as the events of the past few months have proven. So as we look to implement these new requirements, it is essential that we tie them into the existing frameworks in our organisations.
Operational risk, our risk appetite and environment must help determine which of those scenarios we are looking to become resilient to. The papers offer guidance on considering past events that have occurred in the industry. However, the ingenuity of attackers, the speed of technological change, and the magnitude of change in business models mean that this historical data may be less relevant. The scenarios being tested must be continuously adapted and their scope constantly reassessed. The existing business continuity (BC) and disaster recovery (DR) programmes should be updated to support continued delivery of products to the acceptable level of capacity.
Where business continuity focuses on internal and external critical processes, operational resilience focuses on external important products. These programmes have potential to overlap but are really targeting and focusing on different results.
Therefore we should optimise them to achieve the best results for the organisation and its customers. This requires ownership of the resilience programme to be cross-functional, designed with input from risk teams to frame scenarios of risk, and supported with BC and DR teams to meet the committed impact tolerances.
The regulators have extended their consultation and implementation timelines on these papers in the light of current events. Nonetheless, developing a programme and establishing our resilience capabilities is neither a quick nor an easy exercise. It is critical that the programmes start to be developed now so that deadlines can be comfortably met, and so that the knowledge and understanding gained can be applied to any required investments.