Operational Resilience for financial services
Adam Gates, Head of Odgers Connect, and James Doolan, independent financial services consultant, discuss how to successfully embed Operational Resilience in financial services and comply with the regulatory requirements
What is Operational Resilience?
Operational Resilience is the ability of firms and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. It is a forward-looking approach, that necessarily incorporates a detailed understanding of your important business services and their impact tolerance(s).
Why it is important now
This year of untold disruption from the global pandemic has been an unprecedented test. It has presented an opportunity to financial institutions to assess and evaluate the systems and processes they have in place to support their most important business services. For many, changes to working practices in response to the pandemic were implemented and adapted to quickly, ensuring business continuity. However, even where disaster recovery plans were predominantly successful, firms need to look below the surface where there are inevitably constraints on service delivery and compromised areas of risk management. These weaknesses, although not immediate threats to business continuity, need to be addressed and learnings implemented for longer-term stability.
It is in these areas of risk and service delivery that Operational Resilience comes into play. True Operational Resilience works across end-to-end business services and looks at business outcomes from a customer perspective, incorporating thematic risks such as third party and technology while referencing the risk management framework. In December last year, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) released consultation papers outlining new requirements to strengthen Operational Resilience in the financial services sector. However, in the face of the disruption this year, the consultation period originally planned to close April 2020 was extended to the beginning of this month, and now we anticipate a policy statement to be issued in 2021 with implementation across that year and into 2022. This extension has given financial institutions more flexibility in their approach, allowing them to balance the immediate needs of the crisis at hand with changes required to comply with new regulation.
Differing approaches have been evident across the financial services sector. In some cases, programmes started before the pandemic have been paused to accommodate direct recovery activity. However, we postulate that the firms which adopted a more proactive approach will have been better prepared to maintain customer services throughout this period of disruption. For example, through dynamic business service mapping they will have captured data that will help build in resilience and generate meaningful Impact Tolerance statements and scenario tests. In either case, as this year draws to a close and the clock is ticking, Operational Resilience is again a top business priority. Firms are now reengaging but with a slightly adjusted outlook, taking into consideration how to respond to emergencies such as the global pandemic we have experienced this year.
How to approach the implementation of Operational Resilience
The overall approach to setting out the programme of work has not changed significantly in the past year. Financial institutions need to begin by identifying their important business services and map them and the resources needed to support the services. Once this initial outline is set, the risks for each need to be determined and consideration given to accountability - assigning an owner of each business service. The impact tolerances then need to be set for each service, bearing in mind there could be potentially more than one for each reflecting the differing imperatives of the regulators. Scenarios then need to be devised, testing conducted and a regime for on-going testing and monitoring agreed upon.
To successfully embed Operational Resilience, buy-in from the Board at the outset is critical. The outlined programme needs to engage members of both the executive and non-executive teams. Sponsorship at the very top of the organisation is important for approval and also the cultural element inherent in undergoing change and transformation. Without endorsement from the top decision-makers, adoption and adjustment to change across the organisation is considerably more challenging.
In order to gain the required sponsorship, the case for Operational Resilience needs to be clearly presented in the initial engagement. The Board needs to understand what it is and the importance of successfully embedding it into the organisation. The presentation should consist of clear examples of both what resilience would mean for the organisation - the benefits and how they will be captured - and, for stark comparison, what vulnerabilities are exposed by not undertaking the work, as well as a breakdown of the scope and estimated budget.
The role of the consultant in embedding Operational Resilience
The programme of work to embed Operational Resilience requires a great level of oversight, in-depth analysis of the organisation and effective management of each stage of the process. Hiring an external consultant with in-depth knowledge of the financial services industry and a specialised skillset built to plan and deliver change programmes will ensure the financial institution is not only compliant with the regulations, but has effectively managed the necessary change and is prepared to face future disruption.
The right form of consultancy should bring a wealth of direct delivery experience, while also adapting and tailoring this to the size and complexity of the organisation. For smaller firms, a lighter touch approach might be more appropriate as a means to initiate the process. This could consist of an outline plan with a high-level gap analysis to scope out the length of the project and the budget, facilitating stakeholder and regulatory engagement. Whereas for others, there will be a need to go beyond this, requiring management of the implementation process to lead the programme of work through to completion. In either case, the benefits in piloting one or two important business services through the project phases can be significant.
What to do now
The most recent regulatory communication has given further clarity and consistency across the PRA, FCA and Bank of England. The delayed consultation period (now closed) was in reality helpful in allowing firms that were previously lagging to catch up on the debate, while at the same time perhaps being a little frustrating to the firms which were engaged and planning, or even executing plans to build more resilient organisations. An extended period of consultation is not a reason to stop moving forward. As a minimum, firms need to be able to understand the variance seen in service and risk metrics, while more agile businesses will be applying these insights at an enterprise level across the important business services they have identified.
This year, more than ever, the importance of Operational Resilience has become evident as financial institutions have been greatly impacted by the socio-economic repercussions of the Covid-19 pandemic. With Operational Resilience now at the forefront of the ‘reinvention’ planning of the industry, as well as regulatory thinking, we will see agile financial institutions better understand and improve upon their service delivery, with clear accountability in that regard. They will also become increasingly forward looking in their recovery and risk management over the next 12 months to build themselves up stronger, prepared for the next disruptive force.
For more information please contact Adam Gates.