Operational Resilience
What is Operational Resilience?
The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.
Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.
What is
Operational
Resilience?
What is Operational
Resilience?
The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.
Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.
Impact Tolerance
Impact Tolerance is quantifying the level of disruption, a critical business service can accommodate or absorb, before such disruption creates a significant impact or harm on the organisation or its customers. These impact could be financial, operational, regulatory etc. Regulators now mandating the financial services organisations to quantify these impact tolerances in terms of time or such other measures like volume, value etc. Impact tolerance is a good measure to track as they provide useful insights to the board and helps in decision making.
Business Impact Analysis
A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the consequences of disruption to a business service. The primary objective of BIA is to come up with a list of services which has substantial impact and hence are important services for the business. A well carried out Business Impact Analysis helps in clear identification of critical services, drawing up a focused response and remediation plans and thereby making the service more resilient.
Why is Operational Resilience Vital?
Financial institutions have long prioritized service continuity. After all, disruptions can have a negative impact on income, client satisfaction, and franchise value.
Higher customer expectations:
Customers in most industries demand services to be available on a 24/7 basis. Customer expectations include dependable service delivery and response under challenging situations. This also aids in the development and maintenance of trust between businesses and their customers.
Severe natural disasters and extreme weather events: Extreme natural events are linked to climate change. If an enterprise or its customers are based all over the world, such occurrences will almost certainly effect them.
Increased cyber threats: Technological advancements have benefited a wide range of businesses. However, technological advancements have enabled masterminds to develop low-cost but powerful cyber weapons, the use of which has unforeseen implications.
Higher risk linked to internal change failures: As technology evolves, businesses frequently upgrade to more modern systems. This results in modifications that must be addressed. In the event of internal change failure, more complex systems would increase the risk and related potential damage, either financial or operational.
Increased regulatory scrutiny: To
safeguard clients, the financial services industry has evolved into a highly regulated landscape since the financial crisis of 2008-2009. A company that is not operationally robust may find itself unable to adapt to the changing regulatory environment.
The firm is more effective and efficient
There is a clear understanding of crucial service delivery that can:
help to decrease costs, for example, by optimising outsourcing arrangements
streamline processes, for example, by introducing tools, automation, and aid to improve quality.
Improve efficacy, for example, by identifying and correcting problem-causing steps.
Who addresses Operational Resilience?
Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.
Board members needs to see actions and progress across the enterprise, as well as the implementation of a single approach to deliver resilient services. This should result in senior-level involvement and critical thinking throughout the company, as well as appropriate investments, responsibility, and continuous oversight. As operational resilience is coupled to change, financial institutions should undergo regular evaluations and respond to emerging threats and solutions on a regular basis.
What is
Operational
Resilience?
Who Addresses Operational
Resilience?
Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.
Board members needs to see actions and progress across the enterprise, as well as the implementation of a single approach to deliver resilient services. This should result in senior-level involvement and critical thinking throughout the company, as well as appropriate investments, responsibility, and continuous oversight. As operational resilience is coupled to change, financial institutions should undergo regular evaluations and respond to emerging threats and solutions on a regular basis.
Five Steps to Rollout an Operational Resilience Program
1
Identify the Critical Business Service
These are services offered by the enterprise to their customers and other related stake holders. FCA says services which, if disrupted, would most likely cause intolerable harm to consumers or market integrity. Eg: payment services by banks, payment of annuities by life insurers, ATM cash withdrawal etc.
2
Mapping people, process, and systems
The firm must identify and document the process, people and systems required to deliver each of the critical business service. Business service process maps along with the connected people and IT systems should be clearly documented.
3
Set Impact Tolerance
Eg: maximum number of transactions, number of customers, also define the duration up to which the important business service will be affected. The tolerance level should also consider peak times and non-peak time variations.
4
Scenario Testing
Testing of a firm`s ability to remain within its impact tolerance for each of the identified important business service in case of a disruption.
5
Building Resilience
Continuous monitoring and measuring the operational resilience framework and taking corrective actions to improve the same for better results.
Operational Resilience Framework
To develop operational resilience, an enterprise must implement the following pillars:
Define the framework to achieve operational resilience
The framework must be up to date, conveyed, and comprehended by the enterprise. It has been implemented throughout the enterprise, with clear definitions and accountability for the many parts of resilience.
Embed operational resilience in the governance structure
The Boards and Senior management should actively oversee the firm’s resilience framework in relation to its strategy and risk appetite; this will enable them to make the best investment and risk decisions possible
Ensure effective
capacity management
Organizations can demonstrate the success of capacity management through testing and monitoring
Strengthen the management
of own risks
In order to minimise the impact on customers in the event of a stress scenario, resilience necessitates proper risk management. Splitting tasks into separate major hurdles and ensuring that these lines have components of resilience are all part of managing the hazards of a stress scenario
Enhance
resilience capability
To deliver and help ensure operational resilience, the enterprise has sufficient skills, resources, adaptability, and a clear understanding of roles and responsibilities
Promote a culture of continuous
learning and improving
The enterprise should not only foresee, but also learn from, undesirable occurrences that affect the company or the industry as a whole
Actionable Steps to Achieving Resilience
Know your clients: Identifying the products and services that are critical to the clients is the first step in establishing resilience. However, before it can be appraised, a more important question must be answered: who are the enterprise’s clients and what do they require?
2
Determine which items and services are most important for customers: The focus should be on the value chain that produces the key products and services after they have been identified. The critical processes that lead to that outcome are identified. In complex enterprises, all products are the result of a number of processes and interactions. The critical processes are those that have an impact on the output or the enterprises success. These ensure a company’s competitiveness.
3
Identify the primary processes and personnel associated with the core business, as well as any existing or planned dependencies: The attention now shifts to developing the major products and services that have been identified. But first, the essential processes that contribute to their production must be identified.
4
Map third-party dependencies: It’s also crucial to comprehend all of the processes’ interdependencies. This issue should be thoroughly studied in order to identify all third parties involved in all internal operations that provide services.
5
Define possible threat scenarios: At this point, it’s crucial to figure out which services and products must be maintained in stressful situations, as well as the critical processes, personnel, IT systems, and third parties that deliver or assist in delivering those products and services. Rather than single, isolated incidents, it is vital to identify potential risk scenarios that affect the entire value chain.
6
Map risks to the value chain: All risks should be linked to the value chain of the critical products and services at this point. It is critical to identify all hazards and threats prior to their emergence in order to adopt suitable mitigation methods.
7
Learn from the past: It is critical to guarantee that previous crisis management experiences are leveraged to develop improved plans and measures for essential processes and infrastructure. When a company gets hit by a stress event that they weren’t expecting, the event should be put to the list of threats and risks to be prepared for in the future. Measures to be taken as a result of this incident should be put in place for future use as well.
Basel Committee Recommendations For Operational Resilience
Basel Committee Recommendations
The Principles for Operational Resilience were published by the Basel Committee on Banking Supervision on March31,2021, with the goal of promoting a principle-based approach to improving banks’ operational resilience, making them better able to withstand, adapt to, and recover from severe adverse events. The rise of technology-related risks has prompted banks to strengthen their operational resilience in recent years, a trend exacerbated by COVID-19.
Principles for Operational Resilience
The Committee established seven principles for operational resilience
To reduce the impact on vital operations, banks should adjust their governance structure to allow them to respond, adapt, recover, and learn from disruptive occurrences. For instance, effectively allocating financial, technical, and other resources, delivering timely updates on business units to the board, and clearly communicating their approach to resilience and its objectives to all relevant parties are just a few examples.
Banks should use their operational risk management to identify external and internal threats on a continuous basis, including potential breakdowns in people, processes, and systems, by assessing the vulnerabilities of critical operations and controlling the risks that emerge. Implementing controls and procedures to identify threats and vulnerabilities in a timely manner, leveraging change management capabilities to assess the potential effect on critical operations and their interconnections and interdependencies, and coordinating business continuity frameworks, third-party dependency management, and recovery and resolution planning are just a few instances.
Banks should have a business continuity plan in place and stress test it under a variety of severe but credible scenarios to see if they can maintain vital activities in the event of a disaster. Identification of vital processes, major internal and external dependencies, business impact analyses, and recovery plans are all important factors in a good business continuity strategy, according to the report. Business continuity plans, as well as recovery and resolution plans, should be in line with a bank’s overall operational resilience strategy.
Banks should map out the internal and external interconnections and interdependencies that are necessary or critical to operations once they’ve identified their critical operations. Banks should be able to discover vulnerabilities thanks to the precision of the mapping.
For the delivery of important operations, banks should manage their reliance on relationships, particularly those with third parties or intragroup entities.
In accordance with their risk appetite and tolerance for interruption, banks should establish and implement reaction and recovery strategies to manage situations that could disrupt vital operations. Lessons learnt should be used to strengthen incident response and recovery plans in the future.
To fully support and facilitate the delivery of a bank’s critical operations, banks should ensure that ICT includes regularly tested protection, detection, response, and recovery programmes, incorporate appropriate situational awareness, and convey relevant timely information for risk management and decision-making processes.
FAQ's
1. Operational Resilience
Basel Committee issued principles of Operational Resilience in March 2021 followed by the Operational Resilience Policy Statements 21/3 and 6/21 by the FCA and PRA respectively in March 2022. Many other regulators viz. Central Bank of Ireland, Hong King Monetary Authority, South African Reserve Bank and many more came up with regulations around operational resilience. Risk and Resilience professionals have a lot of questions about the understanding, practical approach, impact and implementation methodology. Our Resilience expert has tried to provide answers to some of the FAQ`s. To know more, reach out to us.
Operational resilience is important because disruptions can cause financial losses, reputational damage, and even legal consequences. By ensuring operational resilience, organizations can minimize the impact of disruptions on their operations and services.
Typically regulators have given time frames from 18 to 36 months to implement the same. By and large, every organization will need to implement the resilience framework within three years from now.
Identifying critical business services, resource mapping, linking of risk and controls, defining the impact tolerances, scenario testing, performance analysis, action and remediation plans are the various steps to implement the program.
By and large, all type of financial service providers are covered by the scope of the regulation. Banks, Insurance companies, Financial Services companies, Asset & Wealth Management firms and others.
There is lot of confusion around both these terms and some organisations have even gone ahead and considered both as the same. However, in reality, both of these are quite different.
Operational resilience is making available your business and to keep products and services working even during disruption times. However, BCP is where executives develop plans for specific scenarios and the steps your business can take in advance to minimize or eliminate that disruption.
Organizations have multiple options (a) manage this manually through spreadsheets (b) hybrid approach , some areas using technology system and some manually (c) An integrated technology system. While it is not mandated that firms must use a software solution, to achieve the aims of and assure compliance with the policy, it is difficult to see how a firm of any significant size would be able to meet their obligations without one.
To manually perform the required tasks and following a step-by-step approach is resource exhaustive and can lead to lot of manual errors. Additionally having silo systems will put additional pressure in terms of time and effort into collecting, analyzing, reporting, following up etc.
Hence to achieve the desired objective and have a robust resilience program running, organizations should look at implementing an integrated solution. The risk and resilience area is fairly dynamic and one can expect constant changes to happen and hence a manual or hybrid approach would lead to multiple challenges over a period of time.
Risk Central, our Risk and Resilience solution is built using a low-code platform, which primarily means everything is configurable. workflows, tasks, hierarchy, forms and fields, dashboards etc.
Our solution follows an integrated approach of risk and resilience as we believe both are critical to make an organization resilient. The solution follows a five-step approach to implement a resilience program and each step is backed by tools which help the teams to carry out the activity in a guided way.
- Identification – Important Business Line, Resource Mapping, Risk & Control
- Planning – Impact Tolerances, Key Risk Indicators
- Exercise – RCSA, Control Testing, Incident tracking, Action & Remediation Plan
- Testing – Scenario Testing, Implement process changes, Control management
- Monitoring – Health Checkup, Consolidated 360 degree view
2. Impact Tolerance
The PRA and FCA regulators have issued a suite of policy and supervisory statements including a shared final policy summary on setting impact tolerances. Of most relevance to firms is the FCA’s policy statement (PS21/3) articulating their expectations for firms to set impact tolerances as part of a set of wider requirements for firms to build their operational resilience.
Impact tolerance is the ability of an individual or organization to tolerate or absorb the impact of unexpected events or disruptions and to recover from them quickly. Impact tolerance is important because unexpected events and disruptions can cause financial losses, reputational damage, and other negative consequences. By building and maintaining impact tolerance, organizations can minimize the effects of disruptions and recover more quickly.
Regulators have mandated setting up of impact tolerances for each of your important business lines. So apart from the compliance requirement, setting up impact tolerance helps organizations to have better clarity of their resource dependencies. In the process of keeping your important business lines within tolerance levels, the organization can direct investments to the right areas and also get the competitive edge in the market.
A risk appetite is the amount of risk which the organization is ready to take in case the risk occurs. The focus here is, if the risk occurs, however in the case of impact tolerance it is assumed that the risk will happen, and organizations need to get the operation to be resilient to overcome these disruptions. The recovery time objective is a metric which says how long will it take for a process to come back to normalcy. While RTO focus on the process coming back impact tolerance looks into the overall important business lineup to the point that it does not cause any harm to the customer or reputation of the market or integrity of the organization.
By and large, organisations look at time as a metric for defining impact tolerances. However, some of the other metrics which can be considered include volume, amount, duration etc.
Steps for setting impact tolerances include:
- Identifying important business lines
- Carrying out resource mapping – all the dependencies for the business line
- Gathering baseline data
- Identify potential harm
- Re-adjust the baseline considering potential harms
- Set acceptable thresholds for impact tolerances
Risk Central’s impact tolerance functionality comes up with these features:
- For each important business line set the impact tolerance level
- Giving a description for the impact tolerance
- Define if increasing value or decreasing value is better
- Setup based on multiple units of measurement – minutes, hours, days, currency, volume etc.
- Ability to define thresholds for Red /Amber/Green
- Set up notification rules with alerts to one or multiple users on breach of thresholds
- Notification rules are freely configurable
- Impact tolerance reports over a period of time
Interested to learn more?
Resources
Growing Importance of Operational Resilience in the Digital Era
Operational Resilience assumes that things will go wrong, and it will force organizations to plan on how to recover from the disruption. It is a …
Process Mapping is an important step in building an Operational Resilience Framework
The Covid -19 pandemic has clearly shown two trends within firms: The intensified use of technology and Operations can be managed through digital work force …
New Operational Resilience Regulation for Financial Institutions in United States (USA)
The Federal Reserve, the Central Bank of the United States in August 2021 has released a paper intended to help community banks assess threats when …
Irelands’ Financial Service Sector Guidance on Operational Resilience
The Central Bank of Ireland`s objective of this guidance is to communicate to industry how to prepare for, respond to and recover and learn from …
Hongkong’s Regulations for Operational Resilience
On 22nd December, 2021 HKMA (Hong Kong Monetary Authority) came up with a Supervisory Policy Manual for Operational Resilience to provide Authorized Institutions (AI) with …
Synopsis of the Operational Resilience guideline of MAS- Monetary Authority of Singapore
Operational disruptions, if not recovered speedily, may compromise the ability of financial institutions (“FIs”) to meet their business obligations, resulting in financial and reputational damage, …
Operational Resilience Programme – Digitize your BIA (Business Impact Analysis) – An Important Step
Let’s first try and understand what is a BIA? Business Impact Analysis is a methodology which allows to predict the impact of disruption on your …
Impact Tolerance – Setting Impact Tolerance is a Vital Step to Build and Enhance Operational Resilience of an Organisation.
Impact Tolerance is quantifying the level of disruption, a critical business service can accommodate or absorb, before such disruption creates a significant impact or harm …
Operational Resilience Program – Steps to Conduct a Failure Modes and Effect Analysis (FMEA)
Basel defines Operational Resilience as a bank`s ability to deliver critical operations even at times of disruption. This would mean that the bank should have …
