Operational Resilience

What is Operational Resilience?

The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.

Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.

The purpose of Operational Resilience is to enable organizations to effectively respond to and overcome adverse circumstances during operations, ensuring they can withstand, adapt to, and recover from disruptions like cyberattacks, natural disasters, supply chain issues, or technical failures. Operational Resilience aims to minimize the impact of disruptive events on an organization by implementing strategies that allow it to continue functioning even in the face of unexpected challenges. This involves proactive planning, risk management, and the ability to adapt quickly to changing circumstances, ultimately leading to increased business agility, collaboration, reputation, and reduced risk. Operational Resilience is crucial for organizations to maintain continuity, protect their reputation, and ensure the well-being of their stakeholders amidst various operational disruptions.

Operational Resilience requires executive engagement and places demands on the time of the organization’s most highly skilled resources, all of which compete with the demands of business-as-usual services.

At Gieom, we have revolutionized operational resilience with our automated approach, providing a forward-looking solution designed to address any gaps in your strategy. Our pre-populated ten-step operational resilience management system is meticulously crafted to showcase the art and science of operational resilience, seamlessly connecting each step to create a cohesive framework.

The true strength of our system lies in its ability to act as the binding agent between these steps, empowering organizations with the resilience needed to navigate challenges effectively. It strikes a balance between proactive risk management, emphasizing prevention over cure, and reactive response plans that safeguard the continuity of important business services within their defined impact tolerances.

By leveraging our comprehensive system, organizations can proactively enhance their operational resilience, ensuring they are well-equipped to handle disruptions while maintaining the integrity of their critical business functions.

Impact Tolerance

Impact tolerance quantifies the level of disruption a critical business service can accommodate or absorb before that disruption creates significant impact or harm for the organisation or its customers. These impacts could be financial, operational, regulatory, etc. Regulators now mandate that financial services organisations quantify these impact tolerances in terms of time or other measures such as volume or value. Impact tolerance is a good measure to track, as it provides useful insights to the board and helps in decision making.

Business Impact Analysis

A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the consequences of disruption to a business service. The primary objective of a BIA is to come up with a list of services whose disruption has substantial impact and which are therefore important services for the business. A well-executed Business Impact Analysis helps in clearly identifying critical services and drawing up focused response and remediation plans, thereby making the service more resilient.

Why is Operational Resilience Vital?

Financial institutions have long prioritized service continuity. After all, disruptions can have a negative impact on income, client satisfaction, and franchise value.

Higher customer expectations: Customers in most industries demand services to be available on a 24/7 basis. Customer expectations include dependable service delivery and response under challenging situations. This also aids in the development and maintenance of trust between businesses and their customers.

Severe natural disasters and extreme weather events: Extreme natural events are linked to climate change. If an enterprise or its customers are based all over the world, such occurrences will almost certainly affect them.

Increased cyber threats: Technological advancements have benefited a wide range of businesses. However, technological advancements have enabled masterminds to develop low-cost but powerful cyber weapons, the use of which has unforeseen implications.

Higher risk linked to internal change failures: As technology evolves, businesses frequently upgrade to more modern systems. This results in modifications that must be addressed. In the event of internal change failure, more complex systems would increase the risk and related potential damage, either financial or operational.

Increased regulatory scrutiny: To safeguard clients, the financial services industry has evolved into a highly regulated landscape since the financial crisis of 2008-2009. A company that is not operationally robust may find itself unable to adapt to the changing regulatory environment.

The firm is more effective and efficient

There is a clear understanding of crucial service delivery that can:

help to decrease costs, for example, by optimising outsourcing arrangements.

streamline processes, for example, by introducing tools, automation, and aid to improve quality.

improve efficacy, for example, by identifying and correcting problem-causing steps.

Who addresses Operational Resilience?

Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.

Board members need to see actions and progress across the enterprise, as well as the implementation of a single approach to deliver resilient services. This should result in senior-level involvement and critical thinking throughout the company, as well as appropriate investments, responsibility, and continuous oversight. As operational resilience is coupled to change, financial institutions should undergo regular evaluations and respond to emerging threats and solutions on a regular basis.

10 Steps of the Cycle of the Operational Resilience Management System

This embodies the continuous and sustainable cycle at the core of Gieom’s operational resilience management system.

1. Governance: Identify and define the scope, resilience strategy, policy & programme. Set up oversight and RACI (Responsible, Accountable, Consulted and Informed) for organization stakeholders. Establish Annual Attestation Cycle, Operating Frameworks and Target Operating Model.
2. Important Business Services: Identify Important Business Services that could cause harm to customers, markets and the supply chain.
3. Mapping: Conduct comprehensive end-to-end process mapping of important business services, covering all essential resources: personnel, facilities, procedures, technology, information, and critical third-party dependencies.
4. Impact Tolerance: Set impact tolerances, by time, for each important business service and for each harm.
5. Vulnerabilities: Identify and implement risk and control treatments against each vulnerability of critical resources that underpin the important business service.
6. Third Party Suppliers: Establish a system for assessing, monitoring, and developing exit strategies for key suppliers, outsourced service partners, and managed service providers based on their material impact on operations.
7. Communication, Response and Recovery: Develop responsive strategies for addressing and communicating during service disruptions of important business services, encompassing emergency response, incident management, crisis management, business continuity, and disaster recovery.
8. Stress Testing: Conduct rigorous stress testing of critical resources through simulated scenarios that mimic plausible yet severe disruptions, thereby reducing risk, enhancing capabilities, and refining response plans.
9. Continual Improvement: Embrace a culture of continual improvement for operational resilience through the iterative Plan-Do-Check-Act cycle within a management system.
10. Self-Assessment: Provide Board level assurance on the status of compliance with the Operational Resilience Regulations.

Digital Operational Resilience Platform

Gieom’s Platform offers a transformative approach to enhancing an organisation’s risk management and response capabilities. It provides pre-configured industry best practices, empowering the organisation to navigate the complexities of risk & resilience management with ease and efficiency.

The Platform supports a high level of configurability, allowing seamless integration with the organisation’s existing processes. By leveraging its structured framework, one can swiftly address any gaps in the organisation’s resilience strategy.

1. Governance

Identify and define the scope, resilience strategy, policy & programme. Set up oversight and RACI (Responsible, Accountable, Consulted and Informed) for organization stakeholders. Establish Annual Attestation Cycle, Operating Frameworks and Target Operating Model.

Gieom Platform Automation Advantages:

Gieom’s Operational Resilience Management system is a comprehensive solution that enables organizations to effectively manage their resilience strategy and governance policies. It provides a structured approach to establishing clear oversight and RACI (Responsible, Accountable, Consulted, Informed) models for stakeholders within the organization, using workflows to ensure efficient collaboration and decision-making.


The system also facilitates the implementation of annual review and attestation cycles for operating frameworks, ensuring that resilience policies and procedures remain up-to-date and aligned with the organization’s objectives.

The system takes a systems-based approach, streamlining the implementation of automated scoring models for operational risk and resilience, providing timely insights into elevated risks and thresholds being breached. These insights are then communicated to governing teams, enabling them to take prompt action and mitigate potential disruptions. By leveraging this innovative system, organizations can enhance their operational resilience, minimize the impact of disruptions, and ensure business continuity in the face of challenges.

2. Important Business Services

Identify Important Business Services that could cause harm to customers, markets and the supply chain.

Gieom Platform Automation Advantages:

Gieom’s Operational Resilience Management platform offers a robust framework for identifying and managing Important Business Services (IBS) within an organization. The platform provides tailored templates that align with the organization’s practices, enabling the setup of IBS that are critical to its operations. The system allows for periodic reviews of IBS identification criteria, ensuring that the criteria remain relevant and effective. This review process is guided by industry benchmarks and Board approval, ensuring that the IBS identification process is informed by best practices and strategic objectives.

The platform’s comprehensive approach extends beyond IBS identification, enabling the linking of related activities such as end-to-end mapping, impact tolerance definition, monitoring, and testing for disruptions. These activities are centered around each IBS, providing a holistic view of the potential risks and vulnerabilities associated with each critical service.

To facilitate effective monitoring and oversight, the platform offers rich, intuitive dashboards that provide real-time insights into the trends and current position of IBS. These dashboards are designed to support the monitoring needs of the Board and financial ecosystem, enabling informed decision-making and proactive risk management.

3. Mapping

Conduct comprehensive end-to-end process mapping of important business services, covering all essential resources: personnel, facilities, procedures, technology, information, and critical third-party dependencies.

Gieom Platform Automation Advantages:

Gieom’s platform offers a comprehensive solution for end-to-end process mapping tailored to the level of detail required for monitoring Important Business Services (IBS). The system includes an inbuilt drawing tool that enables the creation of detailed process flows. Additionally, it provides the functionality to import existing process flows, enhancing flexibility and efficiency in process mapping. Within the platform, each resource associated with an IBS can undergo analysis based on four key vulnerability questions throughout the end-to-end process:

  1. Is the resource a single point of failure?
  2. Is the resource a concentration risk?
  3. Is the resource substitutable?
  4. Is the resource complex?

If any of these questions are answered affirmatively, it signifies a vulnerability that is linked to risk treatment strategies. Moreover, these vulnerabilities are connected to the scenario library within the platform, which informs stress testing activities. This integrated approach ensures that vulnerabilities are identified, assessed, and addressed proactively, enhancing the organization’s resilience and risk management capabilities.

4. Impact Tolerance

Set impact tolerances, by time, for each important business service and for each harm.

Gieom Platform Automation Advantages:

Gieom’s platform offers a comprehensive solution for setting impact tolerances tailored to each important business service (IBS) and the specific harm it may cause. The system allows the definition of one or more impact tolerances (IToLs) for each IBS, categorized by the type of harm it may inflict on customers, the market, suppliers, or the firm itself.

During the definition process, the system requires the thresholds within which disruptions should be recovered to be specified, along with a justification for these thresholds. This ensures that the impact tolerance is grounded in a clear understanding of the acceptable level of disruption for each IBS and the harm it may cause.

To facilitate proactive management, the platform includes notification rules for when these thresholds are breached. This ensures that relevant stakeholders are informed promptly, enabling them to take timely action to mitigate the impact of the disruption.

The system also includes reporting capabilities that link incidents to the defined IToLs and IBS. This allows the system to calculate the recovery time and assess whether it was within the tolerance levels set for each IBS. This integrated approach enables organizations to monitor and manage their impact tolerances effectively, ensuring that they are prepared to respond to disruptions and maintain operational resilience.

5. Vulnerabilities

Identify and implement risk and control treatments against each vulnerability of critical resources that underpin the important business service.

Gieom Platform Automation Advantages:

Gieom’s platform offers a comprehensive risk management solution that leverages the end-to-end mapping of critical resources to identify vulnerabilities and corresponding risks. The system enables users to perform a risk control self-assessment (RCSA), which includes inherent and residual risk scoring. This assessment helps identify the four risk response treatments: Treat, Tolerate, Transfer, or Terminate.

By applying mitigating controls and conducting periodic testing, organizations can ensure the effectiveness of these controls in managing risks. The system automates the calculation of risk scores based on incidents and control test failures, providing timely notifications to stakeholders. This enables stakeholders to promptly implement necessary mitigations, initiate actions, or develop remediation plans to address and manage elevated risks effectively.

The platform’s risk management capabilities also include a feedback loop that informs scenario testing. Newly identified vulnerabilities are incorporated into the scenario testing process, ensuring that the organization’s risk management strategy remains dynamic and effective in addressing emerging risks.

6. Third Party Suppliers

Establish a system for assessing, monitoring, and developing exit strategies for key suppliers, outsourced service partners, and managed service providers based on their material impact on operations.

Gieom Platform Automation Advantages:

As part of the comprehensive end-to-end mapping for each Important Business Service, the system identifies and derives all outsourced resources involved in corresponding process activities. This ensures a thorough understanding of the organization’s reliance on third-party providers.

The platform facilitates detailed vendor assessments during the onboarding process to determine if a vendor is a Critical Service Provider. This assessment includes evaluating the vendor’s materiality of services, identifying potential concentration and systemic risks, and gathering evidence on their adherence to resilience requirements outlined in service level agreements (SLAs), key performance indicators (KPIs), and key risk indicators (KRIs) for each Critical Third Party (CTP).

The system also enables the monitoring of resilience test results for material services, allowing for proactive identification and mitigation of potential risks. Additionally, the platform allows for the definition of exit strategies for both stressed and non-stressed exits, ensuring that the organization is prepared for any eventuality and can effectively manage the transition of critical services.

7. Communication, Response and Recovery

Develop responsive strategies for addressing and communicating during service disruptions of important business services, encompassing emergency response, incident management, crisis management, business continuity, and disaster recovery.

Gieom Platform Automation Advantages:

Gieom’s platform offers a comprehensive suite of pre-populated good practice plans and procedures to support organizations in their operational resilience efforts. These include:

Pre-populated plans and procedures for effective corporate communications, ensuring timely and accurate information dissemination to stakeholders during critical situations.

Pre-populated plans and procedures for emergency response, incident management, and crisis management, providing a structured approach to managing disruptions and maintaining business continuity.

The system facilitates developing existing business impact analysis into business continuity and IT disaster recovery response plans that address operational resilience impact tolerances.

8. Stress Testing

Conduct rigorous stress testing of critical resources through simulated scenarios that mimic plausible yet severe disruptions, thereby reducing risk, enhancing capabilities, and refining response plans.

Gieom Platform Automation Advantages:

Gieom’s platform enables organizations to maintain a comprehensive scenario library that facilitates the testing of critical resources underpinning Important Business Services (IBS). This scenario library serves as a centralized repository for various disruption scenarios, allowing organizations to assess their resilience and preparedness.

The system allows for the scheduling and execution of scenario tests at defined periodicities. These tests assess the effectiveness of action plans in recovering from disruptions, ensuring that the organization is well-equipped to respond to various scenarios.

During the testing process, new actions and vulnerabilities may be identified. The platform enables organizations to incorporate these insights, helping them enhance their resilience and address emerging risks proactively. Additionally, risks identified during testing can be added to the system for ongoing monitoring and mitigation, ensuring that vulnerabilities are addressed effectively.

By maintaining a robust scenario library and conducting regular testing, organizations can continuously assess and improve their operational resilience, minimizing the impact of disruptions and ensuring business continuity.

9. Continual Improvement

Embrace a culture of continual improvement for operational resilience through the iterative Plan-Do-Check-Act cycle within a management system.

Gieom Platform Automation Advantages:

Gieom’s platform is designed with RACI (Responsible, Accountable, Consulted, Informed) matrices and workflows tailored for various resilience operations, creating a connected and continuous improvement framework within the organization.

The Action and Remediation plan features empower users to initiate improvement actions, monitor their implementation, and evaluate the success of these plans effectively.

With Gieom’s platform, users can seamlessly connect all elements related to each Important Business Service (IBS) and visualize comprehensive reports and dashboards. These tools not only facilitate in-depth analysis but also serve as valuable resources for identifying areas that require attention and improvement.

By leveraging the platform’s capabilities, organizations can work towards achieving their target operating model, fostering a culture of resilience, efficiency, and adaptability within the organization. This approach enables continual enhancement and optimization of operational processes to align with strategic objectives and ensure sustained success.

10. Self-Assessment

Provide Board level assurance on the status of compliance with the Operational Resilience Regulations.

Gieom Platform Automation Advantages:

Gieom’s platform offers a digitalized self-assessment solution that records all activities in real-time, creating a living record that informs the annual self-assessment process. This approach ensures that the self-assessment is a continuous and dynamic process, reflecting the organization’s current state and progress.

The platform enables the generation of dashboards that provide a comprehensive view of the organization’s resilience journey. These dashboards present historical data, current status, and future projections, allowing for informed decision-making and strategic planning.

The system’s reporting features automatically generate reports and dashboards that showcase evidence of improvement. These reports can be tailored to meet the specific requirements of the board and regulators, ensuring transparency and compliance.

By leveraging the platform’s self-assessment and reporting capabilities, organizations can demonstrate their commitment to operational resilience, highlight areas of improvement, and communicate their progress effectively to stakeholders, including the board and regulators.

1. Identify the Critical Business Service

These are services offered by the enterprise to its customers and other related stakeholders. The FCA describes them as services which, if disrupted, would most likely cause intolerable harm to consumers or market integrity. E.g.: payment services by banks, payment of annuities by life insurers, ATM cash withdrawal, etc.

2. Mapping people, process, and systems

The firm must identify and document the processes, people and systems required to deliver each critical business service. Business service process maps, along with the connected people and IT systems, should be clearly documented.

3. Set Impact Tolerance

Impact tolerance is the quantification of the maximum tolerable level of disruption to the important business service, both in terms of value and duration.

E.g.: maximum number of transactions, number of customers; also define the duration up to which the important business service will be affected. The tolerance level should also consider peak-time and non-peak-time variations.

4. Scenario Testing

Testing of a firm’s ability to remain within its impact tolerance for each of the identified important business services in case of a disruption.

5. Building Resilience

Continuously monitoring and measuring the operational resilience framework, and taking corrective actions to improve it for better results.

Operational Resilience Framework

To develop operational resilience, an enterprise must implement the following pillars:

Define the framework to achieve operational resilience

The framework must be up to date, communicated to and understood by the enterprise, and implemented throughout it, with clear definitions and accountability for the many parts of resilience.

Embed operational resilience in the governance structure

The board and senior management should actively oversee the firm’s resilience framework in relation to its strategy and risk appetite; this will enable them to make the best investment and risk decisions possible.

Ensure effective capacity management

Organizations can demonstrate the success of capacity management through testing and monitoring.

Strengthen the management of own risks

In order to minimise the impact on customers in the event of a stress scenario, resilience necessitates proper risk management. Splitting tasks into separate major hurdles and ensuring that these lines have components of resilience are both part of managing the hazards of a stress scenario.

Enhance resilience capability

To deliver and help ensure operational resilience, the enterprise must have sufficient skills, resources, adaptability, and a clear understanding of roles and responsibilities.

Promote a culture of continuous learning and improving

The enterprise should not only foresee, but also learn from, undesirable occurrences that affect the company or the industry as a whole.

Actionable Steps to Achieving Resilience

1. Know your clients: Identifying the products and services that are critical to the clients is the first step in establishing resilience. However, before it can be appraised, a more important question must be answered: who are the enterprise’s clients and what do they require?

2. Determine which items and services are most important for customers: The focus should be on the value chain that produces the key products and services after they have been identified. The critical processes that lead to that outcome are identified. In complex enterprises, all products are the result of a number of processes and interactions. The critical processes are those that have an impact on the output or the enterprise’s success. These ensure a company’s competitiveness.

3. Identify the primary processes and personnel associated with the core business, as well as any existing or planned dependencies: The attention now shifts to developing the major products and services that have been identified. But first, the essential processes that contribute to their production must be identified.

4. Map third-party dependencies: It’s also crucial to comprehend all of the processes’ interdependencies. This issue should be thoroughly studied in order to identify all third parties involved in all internal operations that provide services.

5. Define possible threat scenarios: At this point, it’s crucial to figure out which services and products must be maintained in stressful situations, as well as the critical processes, personnel, IT systems, and third parties that deliver or assist in delivering those products and services. Rather than single, isolated incidents, it is vital to identify potential risk scenarios that affect the entire value chain.

6. Map risks to the value chain: All risks should be linked to the value chain of the critical products and services at this point. It is critical to identify all hazards and threats prior to their emergence in order to adopt suitable mitigation methods.

7. Learn from the past: It is critical to guarantee that previous crisis management experiences are leveraged to develop improved plans and measures for essential processes and infrastructure. When a company gets hit by a stress event that it wasn’t expecting, the event should be added to the list of threats and risks to be prepared for in the future. Measures to be taken as a result of this incident should be put in place for future use as well.

Basel Committee Recommendations For Operational Resilience

The Principles for Operational Resilience were published by the Basel Committee on Banking Supervision on March 31, 2021, with the goal of promoting a principle-based approach to improving banks’ operational resilience, making them better able to withstand, adapt to, and recover from severe adverse events. The rise of technology-related risks has prompted banks to strengthen their operational resilience in recent years, a trend exacerbated by COVID-19.

Principles for Operational Resilience

The Committee established seven principles for operational resilience:

To reduce the impact on vital operations, banks should adjust their governance structure to allow them to respond, adapt, recover, and learn from disruptive occurrences. Examples include effectively allocating financial, technical, and other resources, delivering timely updates on business units to the board, and clearly communicating their approach to resilience and its objectives to all relevant parties.

Banks should use their operational risk management to identify external and internal threats on a continuous basis, including potential breakdowns in people, processes, and systems, by assessing the vulnerabilities of critical operations and controlling the risks that emerge. Implementing controls and procedures to identify threats and vulnerabilities in a timely manner, leveraging change management capabilities to assess the potential effect on critical operations and their interconnections and interdependencies, and coordinating business continuity frameworks, third-party dependency management, and recovery and resolution planning are just a few instances.

Banks should have a business continuity plan in place and stress test it under a variety of severe but credible scenarios to see if they can maintain vital activities in the event of a disaster. Identification of vital processes, major internal and external dependencies, business impact analyses, and recovery plans are all important factors in a good business continuity strategy, according to the report. Business continuity plans, as well as recovery and resolution plans, should be in line with a bank’s overall operational resilience strategy.

Once they have identified their critical operations, banks should map out the internal and external interconnections and interdependencies that are necessary or critical to those operations. The mapping should be precise enough for banks to discover vulnerabilities.

For the delivery of important operations, banks should manage their reliance on relationships, particularly those with third parties or intragroup entities.

In accordance with their risk appetite and tolerance for interruption, banks should establish and implement reaction and recovery strategies to manage situations that could disrupt vital operations. Lessons learnt should be used to strengthen incident response and recovery plans in the future.

To fully support and facilitate the delivery of a bank’s critical operations, banks should ensure that ICT includes regularly tested protection, detection, response, and recovery programmes, incorporate appropriate situational awareness, and convey relevant timely information for risk management and decision-making processes.

FAQs

1. Operational Resilience

The Basel Committee issued its principles of Operational Resilience in March 2021, followed by the Operational Resilience Policy Statements 21/3 and 6/21 by the FCA and PRA respectively in March 2022. Many other regulators, viz. the Central Bank of Ireland, Hong Kong Monetary Authority, South African Reserve Bank and many more, came up with regulations around operational resilience. Risk and Resilience professionals have a lot of questions about the understanding, practical approach, impact and implementation methodology. Our Resilience expert has tried to provide answers to some of the FAQs. To know more, reach out to us.

Operational resilience is important because disruptions can cause financial losses, reputational damage, and even legal consequences. By ensuring operational resilience, organizations can minimize the impact of disruptions on their operations and services.

Typically regulators have given time frames from 18 to 36 months to implement the same. By and large, every organization will need to implement the resilience framework within three years from now.

Identifying critical business services, resource mapping, linking of risk and controls, defining the impact tolerances, scenario testing, performance analysis, action and remediation plans are the various steps to implement the program. 

By and large, all types of financial service providers are covered by the scope of the regulation: banks, insurance companies, financial services companies, asset and wealth management firms, and others.

There is a lot of confusion around both these terms, and some organisations have even gone ahead and considered both as the same. However, in reality, both of these are quite different.

Operational resilience means keeping your business available and your products and services working even during times of disruption. BCP, however, is where executives develop plans for specific scenarios and the steps your business can take in advance to minimize or eliminate that disruption.

Organizations have multiple options: (a) manage this manually through spreadsheets, (b) a hybrid approach, with some areas using a technology system and some handled manually, or (c) an integrated technology system. While it is not mandated that firms must use a software solution, to achieve the aims of and assure compliance with the policy, it is difficult to see how a firm of any significant size would be able to meet their obligations without one.

Performing the required tasks manually and following a step-by-step approach is resource-intensive and can lead to a lot of manual errors. Additionally, having siloed systems will put additional pressure in terms of time and effort on collecting, analyzing, reporting, following up, etc.

Hence to achieve the desired objective and have a robust resilience program running, organizations should look at implementing an integrated solution. The risk and resilience area is fairly dynamic and one can expect constant changes to happen and hence a manual or hybrid approach would lead to multiple challenges over a period of time.

Risk Central, our Risk and Resilience solution, is built using a low-code platform, which primarily means everything is configurable: workflows, tasks, hierarchy, forms and fields, dashboards, etc.

Our solution follows an integrated approach of risk and resilience as we believe both are critical to make an organization resilient. The solution follows a five-step approach to implement a resilience program and each step is backed by tools which help the teams to carry out the activity in a guided way.

  1. Identification – Important Business Line, Resource Mapping, Risk & Control
  2. Planning – Impact Tolerances, Key Risk Indicators
  3. Exercise – RCSA, Control Testing, Incident tracking, Action & Remediation Plan
  4. Testing – Scenario Testing, Implement process changes, Control management
  5. Monitoring – Health Checkup, Consolidated 360 degree view

2. Impact Tolerance

The PRA and FCA regulators have issued a suite of policy and supervisory statements including a shared final policy summary on setting impact tolerances. Of most relevance to firms is the FCA’s policy statement (PS21/3) articulating their expectations for firms to set impact tolerances as part of a set of wider requirements for firms to build their operational resilience.

Impact tolerance is the ability of an individual or organization to tolerate or absorb the impact of unexpected events or disruptions and to recover from them quickly. Impact tolerance is important because unexpected events and disruptions can cause financial losses, reputational damage, and other negative consequences. By building and maintaining impact tolerance, organizations can minimize the effects of disruptions and recover more quickly.

Regulators have mandated setting up of impact tolerances for each of your important business lines. So apart from the compliance requirement, setting up impact tolerance helps organizations to have better clarity of their resource dependencies. In the process of keeping your important business lines within tolerance levels, the organization can direct investments to the right areas and also get the competitive edge in the market.   

A risk appetite is the amount of risk which the organization is ready to take in case the risk occurs. The focus there is on whether the risk occurs; in the case of impact tolerance, however, it is assumed that the risk will happen, and organizations need to make the operation resilient enough to overcome these disruptions. The recovery time objective (RTO) is a metric which says how long it will take for a process to come back to normalcy. While RTO focuses on the process coming back, impact tolerance looks at the overall important business line up to the point that it does not cause any harm to the customer, the reputation of the market, or the integrity of the organization.

By and large, organisations look at time as a metric for defining impact tolerances. However, some of the other metrics which can be considered include volume, amount, duration etc.

Steps for setting impact tolerances include:

  1. Identifying important business lines
  2. Carrying out resource mapping – all the dependencies for the business line
  3. Gathering baseline data
  4. Identifying potential harm
  5. Re-adjusting the baseline considering potential harms
  6. Setting acceptable thresholds for impact tolerances

Risk Central’s impact tolerance functionality comes with these features:

  1. For each important business line set the impact tolerance level
  2. Giving a description for the impact tolerance
  3. Define if increasing value or decreasing value is better
  4. Setup based on multiple units of measurement – minutes, hours, days, currency, volume etc.
  5. Ability to define thresholds for Red/Amber/Green
  6. Set up notification rules with alerts to one or multiple users on breach of thresholds
  7. Notification rules are freely configurable
  8. Impact tolerance reports over a period of time
