By Gary Lynam, Director of ERM Advisory, Protecht
On January 10th 2023, the Bank of England’s Prudential Regulation Authority (PRA) wrote to chief executives of financial services companies setting out its “planned work” for the year ahead. Operational Resilience was a key theme, and there is no doubt the regulators are going to get much tougher when it comes to the robustness of the impact tolerance performance around critical services.
The reasons for this are extremely important. In today’s world, organisations are facing unprecedented challenges and a wide variety of risks that could result in operational disruption. According to a study from EY, for example, cybersecurity is seen by over 70% of Chief Risk Officers (CROs) in the banking sector globally as the current top risk. This is followed by credit and environmental risks, while over half of European CROs (69%) place credit risk as their major concern for this year, followed by geopolitical risks.
As a result, banking and finance is one of many sectors that must demonstrate greater resilience, quickly adapt to change and show they can thrive in today’s agile ecosystems. In particular, organisations will need to prove that they can recover quickly from contemporary risks and vulnerabilities. Together with the suppliers they work with, they must be in a position to demonstrate that they have robust systems in place that can be quickly rebooted should they run into difficulties.
What is organisational resilience?
Stepping back for a moment, what does it actually mean to be resilient? A widely used generic definition says it is “a dynamic process of maintaining positive adaptation and effective coping strategies in the face of adversity.”
Pointing the lens at the banking and finance sector, it can be more specifically seen as “the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”.
Digging deeper, though, resilience is not just about bouncing back to the status quo after a crisis but is also about learning from challenges and adversity to emerge stronger than before. It is also about the ability to anticipate and respond to changes in the industry environment, minimise the impact of disruptions, and maintain continuity of operations.
Given the impact of resilience shortcomings and failures in the financial sector over the years, ensuring better standards and performance has become a key focus for regulators. It’s crucial to note, however, that this represents more than critical operations and includes the ability of the organisation to adapt to changes and difficulties beyond those that are strictly operational.
Developing a resilience culture
An embedded culture of resilience ensures it is considered at all levels, consistently and as second nature. Creating and maintaining the necessary environment, processes and behaviours should be based on establishing the right tone from the top, alongside effective business processes, robust reporting and the acceptance that resilience is everyone’s job.
For instance, organisations should articulate their resilience objectives and expectations, so they are aligned to wider company objectives and business strategy. In practical terms, understanding how embedding and enhancing resilience supports business objectives makes it much easier for employees to understand its importance and where they may be able to add value. What’s more, by including resilience risk in strategic business decisions, it becomes possible to drive a proactive strategy.
As part of this approach, resilience successes and failures should be highlighted across the organisation to continually underline the relevance of resilience risk awareness and support an effective culture. This should be supplemented by the use of a positive feedback loop to ensure ongoing investment and engagement.
Dependencies and tolerances
To achieve operational resilience, organisations also need a clear understanding of their Important Business Services (IBS), their dependencies on people, processes, technology and third parties, and their impact tolerance thresholds for different scenarios. In addition, they also need to test their ability to withstand disruptions within those thresholds and monitor their performance against them.
Each IBS should have a clearly identifiable customer. For banks, this means understanding which stakeholders use which services, and which of those services deliver an outcome to the customer. A process that merely supports other services is probably not an important business service in its own right. Withdrawing money from an ATM, for example, is a service to the customer, whereas the system verifying that there is a sufficient account balance is a process supporting that service.
For each IBS, firms should be able to articulate an overall level of resilience. This is usually done in the form of a Red/Amber/Green (RAG) status, which makes it easy for stakeholders to quickly identify which IBSs need attention from a governance and risk perspective.
For example, processes and controls should be designed to ensure appropriate data is produced to articulate the current state of resilience within the organisation. This includes identifying the level of risk permitted within an IBS – such as the number of resources with resilience gaps – before it is considered non-resilient. Alternatively, firms could use outstanding or overdue remediation actions as an indicator of risk.
A key question to consider is: if any business service were disrupted by an incident such as a cyber-attack, would there be a material adverse impact on customers or external stakeholders? This represents a minimum standard when considering impact tolerances, which may also include other factors, such as requirements to satisfy regulators or to acknowledge the effects on the organisation’s markets. For instance, in the UK financial services sector, an assessment may include market integrity, safety and soundness, and the financial stability of the market.
The benefit of an approach that prioritises Important Business Services in this way is that the meaningful reporting it delivers enables effective and timely decision-making. This, in turn, reduces the likelihood and impact of disruptions and should be articulated in such a way that it encourages stakeholder buy-in for the resilience culture as a whole.
Ineffective communicators have less chance of being resilient
One area that can sometimes be overlooked when organisations are preparing to address resilience and mitigating operational disruption is that of communication. This can manifest itself in a number of ways, such as a failure to effectively transmit and share critical knowledge. This can occur for a variety of reasons, such as individuals being unwilling to receive information or acting as blockers, a lack of clear communication pathways or accessible digital platforms, or the use of language and messaging that is misunderstood or confusing.
When developing recovery plans, it’s essential to use simple language and avoid acronyms to ensure that messages are easily understood. Additionally, overloaded communication can lead to individuals being overwhelmed with too much information, while distorted information that isn’t accurate, valid, or relevant can also hinder effective communication and decision-making.
In meeting increasingly stringent resilience requirements, organisations across the financial sector should focus on embracing a dynamic process of maintaining positive adaptation and effective coping strategies. To demonstrate their ability to navigate through rough waters and recover quickly from contemporary risks and vulnerabilities, organisations must have robust systems in place that can be relied upon irrespective of the potential for operational disruption.
The recent sudden collapse of Silicon Valley Bank (SVB) is a stark reminder of the volatility and instability of the global financial system and the urgent need for financial institutions to build a risk framework to withstand any potential operational disruption.
Looking ahead, financial institutions should understand that the Bank of England is likely to exercise its powers to protect and enhance UK financial stability, ensure the continuity of banking services, and protect public funds. Market integrity and financial stability are two of the core elements underpinning the operational resilience guidelines. Banks will need to prove that they can recover quickly from operational disruption, while their suppliers must demonstrate to regulators that they have robust systems in place that can quickly recover critical operations under stress.
In today’s world, when financial institutions are facing unprecedented challenges and a wide variety of risks, building operational resilience – especially when it comes to the robustness of the impact tolerance performance around critical services – is key. Instead of planning under the assumption something might happen, plan assuming that it already has.