By Rich Cooper, Principal, Financial Services, Fusion Risk Management
Throughout the stress test of the past year, resilience rose to the height of visibility as many organizations faced new and daunting challenges. As a result, operational resilience simultaneously rose to the top of executives’ and regulators’ priorities. In fact, our recent exercises demonstrate that resilience is within the top three priorities on executive radars. Organizations and regulatory bodies alike realized that their success, and even survival, depends on the ability to weather disruption and continue delivering on their promises.
Regulators, by very definition, are here to protect us − the people. Their mission is to safeguard the interests of the people whether that be financial, safety, health, or others. For example, the FDA regulates food and medication to keep us healthy, while financial regulators, including the Bank of England, function the same way. They set out to ensure banks remain resilient enough to keep our finances − and therefore our livelihoods − safe. By providing guidelines and responsibilities to organizations, regulators ensure the wellbeing of individuals, regional markets, and the global economy.
Regulators globally have been maturing their thoughts on operational resilience since 2018. In late 2019, the UK regulators released a consultation paper based on previous discussion documents. Then came 2020 with a global pandemic, civil unrest (particularly in Hong Kong and then the US), hurricanes, and wildfires. The maturing guidelines around breaking down silos and focusing on important services became very real. By March 2020, firms were dealing with multiple events simultaneously (MIS) and having to align internally as well as with third parties, Financial Market Infrastructure, and public and government agencies. Not even the most forward-thinking person could predict 2020, and we are now seeing firms and their regulators work through these challenges in a collaborative way.
Regulation roots
Regulation is almost always born from learnings from past events. Regulations are lagging indicators. Most financial regulations we see today are a direct result of the financial crisis of the mid 2000s, as regulators saw the incredible impact on individual and large-scale economies with regard to finances. As such, they continue to determine pain points and possible areas of weakness in current systems to ensure we the people are protected from future devastation.
Needless to say, the global impact of this year’s pandemic catapulted all eyes towards resilience. The maturing regulations around operational resilience are asking firms to not just react to events but to prevent them from happening in the first place.
Going forward, we are seeing firms not only align with regulators’ expectations but gain a full picture of their business operations through a focus on important business services and associated data sets. While there are numerous ways to ensure a firm is more resilient, there are some fundamental steps all organization leaders should do to move forward more effectively and efficiently:
- Set your priorities – important business services
- Break down silos
- Allocate resources
- Lean on experts
Set your priorities
All organizations have an agenda with distinct priorities and focus areas, and regulators today have a hand in setting this agenda. This year, the agenda is clear: focus on resilience and important business services.
Regulators’ yearly “Dear CEO” letters outline the top priorities regulatory bodies want to see from organizations to protect their customers. This year, number three on the list across various sectors was operational resilience. These official letters, stating the necessity of resilience, only reinforced the lessons organizations learned over the past year. Driven by first-hand visibility of interrupted business operations, regulators’ and CEOs’ priorities are in complete alignment: protection from disruption. Resilience is indeed a top pain point and top concern across board rooms and regulatory bodies, and organizations that prioritize their approach and investment in resilience will be well placed to emerge from disruption unscathed. Their activities should be prioritized around important business services and impact to customers.
Break down silos
To be more effective and efficient, as well as to ensure compliance as new regulation arises, organizations can set a foundation of success by breaking down silos.
The breakdown of silos is not in itself a regulation or mandate, but savvy organizations have recognized it is key to ensuring all stakeholders across the organization speak the same language and are all in compliance. By increasing focus on integration and cross-organization communication, businesses can ensure every pocket of their organization is compliant. Remember: if one pocket of your organization − no matter how small − is out of compliance, your entire organization is out of compliance.
Within every organization, there are four categories of resilience decision makers: executives, business owners, risk leaders, and focused practitioners. Resilience is now on all their radars, so what’s the problem? These groups don’t speak the same language about resilience. By breaking down silos and increasing communication and transparency, organizations can create a unified approach to resilience and a common language all parties can speak.
Allocate resources
From financial services to farming, regulators this year mandated budget allocation for resilience programs. They enumerated specific amounts − dependent on the size of firms and businesses − to ensure sufficient funds were set aside to build resilience programs.
Their message is clear: to optimize your resilience strategy, you must allocate proper resources. This means not just assigning budget for incidental cases such as a cyber-attack, but also towards an ongoing, recurring investment into your resilience strategy. This could include investment in a technology platform, advisory consultants, or a hybrid model of both, with the ultimate goal of building tools for consistent protection. Expertise and technology are at the heart of this investment; ultimately, the best investment you can make is a technology-led, advisory program that proactively and constantly detects and protects your organization.
Lean on experts
To ensure a universal taxonomy, complete stakeholder visibility, and streamlined compliance and operations, smart organizations will look to lean on expert partners for advisory. The increasing pace of regulation and deepening complexity to compliance is practically impossible for organizations to keep up with. After all, compliance looks different in different organizations. Financial institutions and others need partners who both understand the changing regulatory landscape and their unique business needs.
Strong technology partners can manage the complexity and nuances of different industry standards. They can advise on best practices and utilize economies of scale to standardize regulatory requirements. They can identify where your organization sits in its resilience journey and provide necessary strategy to progress the journey further.
What’s next on the horizon?
If regulation is set to protect people, we can expect the global pandemic and other events of 2020 to drive regulation at a rate never seen before.
Already, BOE, BASEL, IIA, and FRB are changing their postures towards resilience and looking closely at other specific industries that are integral to human good. As the regulatory landscape around operational resilience matures, forward-thinking firms are responding with increased resilience. Firms must take a data-centric approach to create a more operationally intelligent organization.