Beyond Compliance: A strategic approach to Operational Resilience
Resilience has long been a focus for financial services firms and their regulators. Until 2018, however, the focus was mostly confined to business continuity and the narrow risks presented by IT security and outsourcing, or it was discussed only in the context of preventing disruptions rather than predicting, responding to, and recovering from them.
More recently, the global regulatory perspective on operational resilience has fundamentally shifted. Since 2018, the UK regulators have taken a much broader view, covering all risks to the provision of critical and important business services and focusing increasingly on the continuity of services in the event of disruptions. The UK regulators published the final rules and guidance on 29 March 2021; they will come into force on 31 March 2022. By this date, firms must have identified their important business services, set impact tolerances and carried out testing to demonstrate that the tolerances are appropriate.
In the US, Europe and the Asia Pacific region, although regulators have not (yet) specifically committed to new rules, the mood music from regulators mirrors the UK regulatory view: the range and depth of new requirements relating to operational resilience are expanding, with the topic moving to the top of supervisory agendas. Covid-19 is only likely to increase regulators' focus on operational resilience.
As with all regulation, meeting the written (and sometimes hidden) expectations clearly creates a cost. But operational resilience should not be a compliance exercise. There are opportunities to strengthen operational resilience and unlock business benefits.
Operational resilience, if properly approached, should enable firms to:
These benefits are not possible without a broad and considered view of operational resilience, beyond the stated regulatory position.
In our view, operational resilience is a complex topic because it cuts across traditionally recognised business lines, across entities and also jurisdictions.
Firms already manage risks that fall under the broad view of operational resilience, and have long experience in business continuity planning and incident management. However, to a large extent these activities have been vertically discrete, focused on individual processes or systems, or narrowly focused only on technology. This is not to say that those activities are not important. Of course they are. But the broad view of operational resilience should augment these existing activities, creating an end-to-end, holistic view of key risks and a more considered approach to risk management.
Whilst it is clear that any framework for operational resilience is predicated upon a clear, accurate and complete identification of “critical operations and important business services” (as per regulatory guidance), this is simply the starting point, and a more effective approach requires additional focus. The focus should also be on each of the (numbered) building blocks shown in the diagram below:
These building blocks together provide the foundations upon which operational resilience is based, and their individual effectiveness can be assessed.
For example, the “Delivery & Control” building block emphasises that clear and effective processes, together with a high degree of consistency and adherence to standards, result in fewer mistakes and breaches that would otherwise lead to operational weaknesses, poor customer outcomes, and losses. An additional benefit is a lower cost of services and operations.
Morae supports clients in exploring the readiness of each of these building blocks to support the challenges of operational resilience; in other words, whether they are currently designed, embedded, and operating effectively so that operational resilience can be supported. We use a diagnostic assessment tool that creates a view of the current state of each of these blocks, helps clients identify any gaps compared to where they want to be in future, and helps them prioritise resources to make change happen.
Subsequent blogs will explore these topics in more detail. Some topics are already explored in existing Morae thought leadership.
As noted above, new requirements relating to operational resilience have been emerging from regulators outside of the UK. For example:
US. The Federal Reserve has issued guidance on the IT supervisory examination process, indicating how examination staff would assess a firm’s risk management processes to identify, measure, monitor and control IT-related risks. It has also updated its guidance on business continuity and disaster recovery, including measures to promote the continuous operation of financial markets and to ensure the continuity of operations in the event of a crisis. The Federal Financial Institutions Examination Council issued updated guidance on strengthening the resilience of outsourced technology services. And the Financial Services Sector Coordinating Council has issued guidance on business services resilience and restoration.
Europe. The European Banking Authority recently issued guidelines on ICT and security risk management, and also relating to outsourcing arrangements. Across Europe, the TIBER-EU framework was established, the first European framework for controlled cyber hacking to test the resilience of financial institutions.
Asia Pacific. The Monetary Authority of Singapore regulations on cyber security and technology risk, business continuity and outsourcing have all been updated. In Australia, there are new and updated APRA standards on operational risk, outsourcing and service provision, business continuity and information security.
It is unlikely that regulators will reach a global consensus view, and so the application of operational resilience is likely to be patchy and uneven across countries and sectors. That will present additional complexity for global firms.
Moreover, although at the moment operational resilience is a financial services conversation, its theory and aims are equally relevant to all firms: corporates, law firms, and others. They should therefore be keenly watching how financial services firms respond. Financial services often leads the way in setting standards that carry over to other sectors, especially those that are highly regulated or where high standards of compliance and governance are expected. In some cases, non-financial services firms may even decide to act now, to unlock the myriad benefits of establishing and maintaining robust and effective operations, and the competitive edge that this could provide.
Notwithstanding the differences in approach to date, several things are clear: operational resilience is an important theme for 2021, it is here to stay, it is complex, and only a fully considered approach to meeting its challenges will provide regulatory conformance and business benefit. There is a building body of requirements in this area, and the possibility of more to follow.
Since financial services rules often find their way into the requirements or best practices applied to other sectors, operational resilience may become much more relevant to other regulated industries, or those with high standards to uphold. Morae therefore already sees this not only as a current challenge for financial services firms but also as an immediate opportunity for all firms.
Morae enables digital and legal business transformation for law firms, legal departments, compliance functions, and financial services firms. We help improve our clients’ performance by improving strategy, creating processes, deploying resources, implementing technology and measuring with data.