Operational Resilience

What is Operational Resilience?

The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.

Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.

Why is Operational Resilience Vital?

Financial institutions have long prioritized service continuity. After all, disruptions can have a negative impact on income, client satisfaction, and franchise value.

Higher customer expectations: Customers in most industries expect services to be available 24/7. They also expect dependable service delivery and response under challenging situations. Meeting these expectations helps build and maintain trust between businesses and their customers.

Severe natural disasters and extreme weather events: Extreme natural events are linked to climate change. If an enterprise or its customers are based all over the world, such occurrences will almost certainly affect them.

Increased cyber threats: Technological advancements have benefited a wide range of businesses. However, they have also enabled attackers to develop low-cost but powerful cyber weapons, the use of which has unforeseen implications.

Higher risk linked to internal change failures: As technology evolves, businesses frequently upgrade to more modern systems. This results in modifications that must be addressed. In the event of internal change failure, more complex systems would increase the risk and related potential damage, either financial or operational.

Increased regulatory scrutiny: To safeguard clients, the financial services industry has evolved into a highly regulated landscape since the financial crisis of 2008-2009. A company that is not operationally robust may find itself unable to adapt to the changing regulatory environment.

The firm is more effective and efficient

A clear understanding of crucial service delivery can:

Help to decrease costs, for example, by optimising outsourcing arrangements.

Streamline processes, for example, by introducing tools, automation, and aids to improve quality.

Improve efficacy, for example, by identifying and correcting problem-causing steps.

Who addresses Operational Resilience?

Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.

Board members need to see actions and progress across the enterprise, as well as the implementation of a single approach to deliver resilient services. This should result in senior-level involvement and critical thinking throughout the company, as well as appropriate investments, responsibility, and continuous oversight. As operational resilience is coupled to change, financial institutions should undergo regular evaluations and respond to emerging threats and solutions on a regular basis.

Five Steps to Roll Out an Operational Resilience Program

1. Identify the Critical Business Service

These are the services the enterprise offers to its customers and other related stakeholders. The FCA describes them as services which, if disrupted, would most likely cause intolerable harm to consumers or market integrity. Examples: payment services by banks, payment of annuities by life insurers, ATM cash withdrawal, etc.

2. Mapping people, process, and systems

The firm must identify and document the processes, people, and systems required to deliver each critical business service. Business service process maps, along with the connected people and IT systems, should be clearly documented.

3. Set Impact Tolerance

Impact tolerance is the quantification of the maximum tolerable level of disruption to an important business service, in terms of both value and duration.

Examples: the maximum number of transactions or the number of customers affected. The firm should also define the duration for which the important business service may be affected. The tolerance level should account for variations between peak and non-peak times.

4. Scenario Testing

Testing the firm's ability to remain within its impact tolerance for each identified important business service in the event of a disruption.

5. Building Resilience

Continuously monitoring and measuring the operational resilience framework, and taking corrective actions to improve it.

Framework of Operational Resilience

To develop operational resilience, an enterprise must implement the following pillars:

Define the framework to achieve operational resilience

The framework must be up to date, communicated to, and understood by the enterprise. It is implemented throughout the enterprise, with clear definitions and accountability for the many parts of resilience.

Embed operational resilience in the governance structure

The board and senior management should actively oversee the firm’s resilience framework in relation to its strategy and risk appetite; this will enable them to make the best investment and risk decisions possible.

Ensure effective capacity management

Organizations can demonstrate the success of capacity management through testing and monitoring.

Strengthen the management of own risks

In order to minimise the impact on customers in the event of a stress scenario, resilience necessitates proper risk management. Splitting tasks into separate major hurdles and ensuring that these lines have components of resilience are all part of managing the hazards of a stress scenario.

Enhance resilience capability

To deliver and help ensure operational resilience, the enterprise has sufficient skills, resources, adaptability, and a clear understanding of roles and responsibilities.

Promote a culture of continuous learning and improving

The enterprise should not only foresee, but also learn from, undesirable occurrences that affect the company or the industry as a whole.

Actionable Steps to Achieving Resilience

1. Know your clients: Identifying the products and services that are critical to the clients is the first step in establishing resilience. However, before it can be appraised, a more important question must be answered: who are the enterprise’s clients and what do they require?

2. Determine which items and services are most important for customers: The focus should be on the value chain that produces the key products and services after they have been identified. The critical processes that lead to that outcome are identified. In complex enterprises, all products are the result of a number of processes and interactions. The critical processes are those that have an impact on the output or the enterprise’s success. These ensure a company’s competitiveness.

3. Identify the primary processes and personnel associated with the core business, as well as any existing or planned dependencies: The attention now shifts to developing the major products and services that have been identified. But first, the essential processes that contribute to their production must be identified.

4. Map third-party dependencies: It’s also crucial to comprehend all of the processes’ interdependencies. This issue should be thoroughly studied in order to identify all third parties involved in all internal operations that provide services.

5. Define possible threat scenarios: At this point, it’s crucial to figure out which services and products must be maintained in stressful situations, as well as the critical processes, personnel, IT systems, and third parties that deliver or assist in delivering those products and services. Rather than single, isolated incidents, it is vital to identify potential risk scenarios that affect the entire value chain.

6. Map risks to the value chain: All risks should be linked to the value chain of the critical products and services at this point. It is critical to identify all hazards and threats prior to their emergence in order to adopt suitable mitigation methods.

7. Learn from the past: It is critical to guarantee that previous crisis management experiences are leveraged to develop improved plans and measures for essential processes and infrastructure. When a company is hit by a stress event that it wasn’t expecting, the event should be added to the list of threats and risks to be prepared for in the future. Measures taken as a result of this incident should be put in place for future use as well.

Basel Committee Recommendations For Operational Resilience

The Principles for Operational Resilience were published by the Basel Committee on Banking Supervision on March 31, 2021, with the goal of promoting a principle-based approach to improving banks’ operational resilience, making them better able to withstand, adapt to, and recover from severe adverse events. The rise of technology-related risks has prompted banks to strengthen their operational resilience in recent years, a trend exacerbated by COVID-19.

Principles for Operational Resilience

The Committee established seven principles for operational resilience:

To reduce the impact on vital operations, banks should adjust their governance structure to allow them to respond, adapt, recover, and learn from disruptive occurrences. Examples include effectively allocating financial, technical, and other resources, delivering timely updates on business units to the board, and clearly communicating their approach to resilience and its objectives to all relevant parties.

Banks should use their operational risk management to identify external and internal threats on a continuous basis, including potential breakdowns in people, processes, and systems, by assessing the vulnerabilities of critical operations and controlling the risks that emerge. Examples include implementing controls and procedures to identify threats and vulnerabilities in a timely manner, leveraging change management capabilities to assess the potential effect on critical operations and their interconnections and interdependencies, and coordinating business continuity frameworks, third-party dependency management, and recovery and resolution planning.

Banks should have a business continuity plan in place and stress test it under a variety of severe but credible scenarios to see if they can maintain vital activities in the event of a disaster. Identification of vital processes, major internal and external dependencies, business impact analyses, and recovery plans are all important factors in a good business continuity strategy, according to the report. Business continuity plans, as well as recovery and resolution plans, should be in line with a bank’s overall operational resilience strategy.

Banks should map out the internal and external interconnections and interdependencies that are necessary or critical to operations once they’ve identified their critical operations. Banks should be able to discover vulnerabilities thanks to the precision of the mapping.

For the delivery of important operations, banks should manage their reliance on relationships, particularly those with third parties or intragroup entities.

In accordance with their risk appetite and tolerance for interruption, banks should establish and implement reaction and recovery strategies to manage situations that could disrupt vital operations. Lessons learnt should be used to strengthen incident response and recovery plans in the future.

To fully support and facilitate the delivery of a bank’s critical operations, banks should ensure that ICT includes regularly tested protection, detection, response, and recovery programmes, incorporate appropriate situational awareness, and convey relevant timely information for risk management and decision-making processes.
