Operational Resilience

What is Operational Resilience?

The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.

Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.

Impact Tolerance

Impact tolerance quantifies the level of disruption a critical business service can absorb before that disruption causes significant harm to the organisation or its customers. The harm may be financial, operational, regulatory and so on. Regulators now require financial services organisations to quantify these tolerances in terms of time or other measures such as volume or value. Impact tolerances are worth tracking because they give the board useful insight and support decision making.

Business Impact Analysis

A Business Impact Analysis (BIA) is a systematic process for determining and evaluating the consequences of disruption to a business service. Its primary objective is to produce the list of services whose disruption would have a substantial impact, and which are therefore important to the business. A well-executed BIA clearly identifies critical services and supports focused response and remediation plans, making those services more resilient.

Why is Operational Resilience Vital?

Financial institutions have long prioritized service continuity. After all, disruptions can have a negative impact on income, client satisfaction, and franchise value.

Higher customer expectations: Customers in most industries expect services to be available 24/7, and they expect dependable delivery and response even under challenging conditions. Meeting that expectation builds and maintains trust between a business and its customers.

Severe natural disasters and extreme weather events: Extreme natural events are linked to climate change. An enterprise with operations or customers around the world will almost certainly be affected by them.

Increased cyber threats: Technological advances have benefited a wide range of businesses, but they have also allowed attackers to build low-cost, powerful tools whose use has unforeseen consequences for the organisations they target.

Higher risk linked to internal change failures: As technology evolves, businesses frequently migrate to newer systems, and every migration introduces change that must be managed. When an internal change fails, the greater complexity of modern systems increases both the likelihood and the potential damage, whether financial or operational.

Increased regulatory scrutiny: To safeguard clients, the financial services industry has become a highly regulated landscape since the financial crisis of 2008-2009. A company that is not operationally resilient may find itself unable to keep pace with the changing regulatory environment.

The firm becomes more effective and efficient

A clear understanding of critical service delivery can:

help to decrease costs, for example by optimising outsourcing arrangements;

streamline processes, for example by introducing tools and automation that improve quality;

improve efficacy, for example by identifying and correcting the steps that cause problems.

Who addresses Operational Resilience?

Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.

Board members need to see actions and progress across the enterprise, as well as the implementation of a single approach to delivering resilient services. This should result in senior-level involvement and critical thinking throughout the company, together with appropriate investment, accountability, and continuous oversight. Because operational resilience is coupled to change, financial institutions should evaluate their posture regularly and respond to emerging threats and solutions on an ongoing basis.


Five Steps to Rollout an Operational Resilience Program

1

Identify the Critical Business Service

These are the services an enterprise provides to its customers and other stakeholders. The FCA defines them as services which, if disrupted, could cause intolerable harm to consumers or to market integrity. Examples: payment services provided by banks, annuity payments by life insurers, ATM cash withdrawals.

2

Mapping people, process, and systems

The firm must identify and document the processes, people and systems required to deliver each critical business service. Business service process maps, together with the people and IT systems connected to each step, should be clearly documented.

3

Set Impact Tolerance

Impact tolerance is the quantified maximum tolerable level of disruption to an important business service, expressed both in value and in duration.

Examples: the maximum number of failed transactions, the maximum number of customers affected, and the maximum length of time for which the service may be disrupted. Tolerances should account for the difference between peak and non-peak periods.

4

Scenario Testing

Testing of a firm's ability to remain within its impact tolerance for each identified important business service in the event of a disruption.

5

Building Resilience

Continuously monitor and measure the operational resilience framework and take corrective action to improve it.
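The following is an added example, not code from the original page or from Risk Central, that turns steps 2 to 4 into something checkable: it maps two important business services to their resources, finds resources shared by more than one service, and evaluates a constructed scenario-test outcome against each service's impact tolerances with separate peak and non-peak limits and a Red/Amber/Green status. The service names, dependencies, tolerance values and the 50% amber threshold are all assumptions chosen for illustration.

```python
# Added example (not part of the original page): a minimal model of
# resource mapping and impact tolerances for important business services,
# evaluated against constructed scenario-test outcomes. All services,
# dependencies, tolerance values and RAG thresholds below are assumptions.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactTolerance:
    metric: str        # what is measured, e.g. outage minutes or failed transactions
    limit: float       # maximum tolerable value outside peak periods
    peak_limit: float  # tighter maximum during peak periods


@dataclass(frozen=True)
class BusinessService:
    name: str
    dependencies: frozenset  # people, processes, systems and third parties mapped to the service
    tolerances: tuple        # one ImpactTolerance per metric


def services_depending_on(services, resource):
    """Resource map read in reverse: which services are hit if this resource fails?"""
    return sorted(s.name for s in services if resource in s.dependencies)


def shared_dependencies(services):
    """Resources that several services rely on: candidate single points of failure."""
    counts = Counter(r for s in services for r in s.dependencies)
    return {r for r, n in counts.items() if n > 1}


def rag_status(value, limit, amber_fraction=0.5):
    """RED beyond the tolerance; AMBER once more than amber_fraction of it is consumed."""
    if value > limit:
        return "RED"
    if value > limit * amber_fraction:
        return "AMBER"
    return "GREEN"


def evaluate_scenario(service, observed, peak=False):
    """Check a scenario test's observed metrics against the service's tolerances.

    Returns (within_tolerance, {metric: (value, applicable_limit, status)}).
    Metrics absent from `observed` are treated as zero impact.
    """
    results = {}
    for tol in service.tolerances:
        limit = tol.peak_limit if peak else tol.limit
        value = observed.get(tol.metric, 0.0)
        results[tol.metric] = (value, limit, rag_status(value, limit))
    within = all(status != "RED" for _, _, status in results.values())
    return within, results


def breached_metrics(service, observed, peak=False):
    """Metrics whose tolerance the scenario breached (what a breach alert would carry)."""
    _, results = evaluate_scenario(service, observed, peak)
    return [m for m, (_, _, status) in results.items() if status == "RED"]


# Constructed sample data: two services sharing a core banking platform.
PAYMENTS = BusinessService(
    name="Payments",
    dependencies=frozenset({"core_banking", "payment_gateway_vendor", "payments_ops_team"}),
    tolerances=(
        ImpactTolerance("outage_minutes", limit=240, peak_limit=120),
        ImpactTolerance("failed_payments", limit=5000, peak_limit=1000),
    ),
)
ATM_CASH = BusinessService(
    name="ATM cash withdrawal",
    dependencies=frozenset({"core_banking", "atm_switch_vendor"}),
    tolerances=(ImpactTolerance("outage_minutes", limit=480, peak_limit=240),),
)
SERVICES = (PAYMENTS, ATM_CASH)

# Constructed scenario-test outcome: a 150-minute core banking outage
# during which 800 payments failed.
CORE_BANKING_OUTAGE = {"outage_minutes": 150, "failed_payments": 800}

if __name__ == "__main__":
    print("shared dependencies:", shared_dependencies(SERVICES))
    print("hit by core_banking failure:", services_depending_on(SERVICES, "core_banking"))
    for peak in (False, True):
        within, detail = evaluate_scenario(PAYMENTS, CORE_BANKING_OUTAGE, peak=peak)
        print(f"Payments, peak={peak}: within tolerance={within}, {detail}")
```

The same 150-minute outage keeps Payments within tolerance off-peak (amber) but breaches it at peak, which is why the text insists that tolerances account for peak and non-peak variation; the shared dependency on core banking is the kind of concentration the mapping step is meant to surface before a scenario test finds it.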

Operational Resilience Framework

To develop operational resilience, an enterprise must implement the following pillars:

Define the framework to achieve operational resilience

The framework must be up to date, communicated, and understood across the enterprise. It should be implemented throughout the enterprise, with clear definitions and accountability for the various parts of resilience.

Embed operational resilience in the governance structure

The board and senior management should actively oversee the firm's resilience framework in relation to its strategy and risk appetite; this enables them to make the best possible investment and risk decisions.

Ensure effective capacity management

Organisations demonstrate the success of capacity management through testing and monitoring.

Strengthen the management of own risks

To minimise the impact on customers in a stress scenario, resilience requires proper risk management. This includes separating responsibilities into distinct lines of defence and ensuring that each line incorporates resilience components.

Enhance resilience capability

To deliver and help ensure operational resilience, the enterprise needs sufficient skills, resources, adaptability, and a clear understanding of roles and responsibilities.

Promote a culture of continuous learning and improving

The enterprise should not only anticipate, but also learn from, undesirable events that affect the company or the industry as a whole.

Actionable Steps to Achieving Resilience

1

Know your clients: Identifying the products and services that are critical to the clients is the first step in establishing resilience. However, before it can be appraised, a more important question must be answered: who are the enterprise’s clients and what do they require?

2

Determine which products and services are most important to customers: Once the key products and services have been identified, the focus shifts to the value chain that produces them, and the critical processes that lead to that outcome are identified. In complex enterprises, every product is the result of a number of processes and interactions. The critical processes are those that affect the output or the enterprise's success; they are what keep the company competitive.

3

Identify the primary processes and personnel associated with the core business, as well as any existing or planned dependencies: The attention now shifts to developing the major products and services that have been identified. But first, the essential processes that contribute to their production must be identified.

4

Map third-party dependencies: It’s also crucial to comprehend all of the processes’ interdependencies. This issue should be thoroughly studied in order to identify all third parties involved in all internal operations that provide services.

5

Define possible threat scenarios: At this point, it’s crucial to figure out which services and products must be maintained in stressful situations, as well as the critical processes, personnel, IT systems, and third parties that deliver or assist in delivering those products and services. Rather than single, isolated incidents, it is vital to identify potential risk scenarios that affect the entire value chain.

6

Map risks to the value chain: All risks should be linked to the value chain of the critical products and services at this point. It is critical to identify all hazards and threats prior to their emergence in order to adopt suitable mitigation methods.

7

Learn from the past: Previous crisis management experience must be leveraged to develop better plans and measures for essential processes and infrastructure. When a company is hit by a stress event it was not expecting, that event should be added to the list of threats and risks to prepare for, and the measures taken in response should be recorded for future use.

Basel Committee Recommendations For Operational Resilience


The Basel Committee on Banking Supervision published its Principles for Operational Resilience on 31 March 2021, promoting a principles-based approach to improving banks' operational resilience so that they can better withstand, adapt to, and recover from severe adverse events. The rise of technology-related risk has prompted banks to strengthen their operational resilience in recent years, a trend accelerated by COVID-19.

Principles for Operational Resilience

The Committee established seven principles for operational resilience:

  1. Governance: Banks should use their governance structure to set up, oversee and implement an approach that lets them respond to, adapt to, recover from, and learn from disruptive events, reducing the impact on critical operations. Examples include allocating financial, technical and other resources effectively, delivering timely updates to the board, and clearly communicating the approach to resilience and its objectives to all relevant parties.

  2. Operational risk management: Banks should use their operational risk management functions to identify external and internal threats on a continuous basis, including potential breakdowns in people, processes, and systems, by assessing the vulnerabilities of critical operations and managing the resulting risks. Examples include implementing controls and procedures to identify threats and vulnerabilities in a timely manner, using change management capabilities to assess the potential effect on critical operations and their interconnections and interdependencies, and coordinating business continuity frameworks, third-party dependency management, and recovery and resolution planning.

  3. Business continuity planning and testing: Banks should have a business continuity plan in place and stress test it under a variety of severe but plausible scenarios to confirm that they can maintain critical operations during a disruption. Identification of critical processes, major internal and external dependencies, business impact analyses, and recovery plans are all important components of a good business continuity strategy. Business continuity plans, as well as recovery and resolution plans, should be aligned with the bank's overall operational resilience strategy.

  4. Mapping interconnections and interdependencies: Once banks have identified their critical operations, they should map the internal and external interconnections and interdependencies that are necessary to deliver them. The mapping should be precise enough to let the bank discover vulnerabilities.

  5. Third-party dependency management: Banks should manage their dependencies on relationships, particularly those with third parties or intragroup entities, for the delivery of critical operations.

  6. Incident management: In line with their risk appetite and tolerance for disruption, banks should establish and implement response and recovery plans to manage incidents that could disrupt critical operations. Lessons learned should be used to strengthen future incident response and recovery plans.

  7. ICT including cyber security: To support and facilitate the delivery of critical operations, banks should ensure that ICT includes regularly tested protection, detection, response, and recovery programmes, incorporates appropriate situational awareness, and conveys relevant, timely information for risk management and decision-making processes.

FAQ's

1. Operational Resilience

The Basel Committee issued its Principles for Operational Resilience in March 2021, followed in the same month by the FCA's Policy Statement PS21/3 and the PRA's PS6/21. Many other regulators, including the Central Bank of Ireland, the Hong Kong Monetary Authority and the South African Reserve Bank, have since issued operational resilience regulations. Risk and resilience professionals have many questions about how to understand, approach, assess and implement these requirements. Our resilience expert answers some of the frequently asked questions below. To know more, reach out to us.

Operational resilience is important because disruptions can cause financial losses, reputational damage, and even legal consequences. By ensuring operational resilience, organizations can minimize the impact of disruptions on their operations and services.

Regulators have typically given firms 18 to 36 months to implement the requirements, so by and large every organisation in scope will need its resilience framework in place within three years of the relevant rules taking effect.

Identifying critical business services, resource mapping, linking of risk and controls, defining the impact tolerances, scenario testing, performance analysis, action and remediation plans are the various steps to implement the program. 

By and large, all types of financial service provider are within the scope of the regulation: banks, insurance companies, financial services companies, asset and wealth management firms, and others.

There is a lot of confusion around these two terms, and some organisations have even treated them as the same thing. In reality they are quite different.

Operational resilience is about keeping your business, products and services working even during a disruption. Business continuity planning (BCP), by contrast, is where executives develop plans for specific scenarios and the steps the business can take in advance to minimise or eliminate that disruption.

Organisations have several options: (a) manage the programme manually through spreadsheets, (b) a hybrid approach, with some areas on a technology system and some manual, or (c) an integrated technology system. Firms are not mandated to use a software solution, but it is difficult to see how a firm of any significant size could meet the policy's aims and assure compliance without one.

Performing the required tasks manually, step by step, is resource intensive and prone to manual error. Siloed systems add further pressure in terms of the time and effort spent collecting, analysing, reporting and following up.

To achieve the desired objective and run a robust resilience programme, organisations should therefore consider an integrated solution. The risk and resilience area is dynamic and constant change is to be expected, so a manual or hybrid approach will lead to mounting challenges over time.

Risk Central, our risk and resilience solution, is built on a low-code platform, which means that workflows, tasks, hierarchy, forms and fields, dashboards and so on are all configurable.

Our solution follows an integrated approach of risk and resilience as we believe both are critical to make an organization resilient. The solution follows a five-step approach to implement a resilience program and each step is backed by tools which help the teams to carry out the activity in a guided way.

  1. Identification – Important Business Line, Resource Mapping, Risk & Control
  2. Planning – Impact Tolerances, Key Risk Indicators
  3. Exercise – RCSA, Control Testing, Incident tracking, Action & Remediation Plan
  4. Testing – Scenario Testing, Implement process changes, Control management
  5. Monitoring – Health Checkup, Consolidated 360 degree view

2. Impact Tolerance

The PRA and FCA have issued a suite of policy and supervisory statements, including a shared final policy summary on setting impact tolerances. Of most relevance to firms is the FCA's policy statement PS21/3, which sets out the expectation that firms set impact tolerances as part of the wider requirement to build operational resilience.

Impact tolerance is the maximum level of disruption to an important business service that a firm can tolerate before the disruption causes intolerable harm to its customers or to market integrity. It matters because unexpected events and disruptions cause financial loss, reputational damage and other negative consequences; by setting impact tolerances and building the capability to stay within them, organisations limit the effect of a disruption and recover more quickly.

Regulators have mandated the setting of impact tolerances for each important business line. Beyond the compliance requirement, setting impact tolerances gives organisations better clarity about their resource dependencies. In the process of keeping important business lines within tolerance, the organisation can direct investment to the right areas and gain a competitive edge in the market.

Risk appetite is the amount of risk an organisation is prepared to accept; its focus is on whether, and how much, risk to take on. Impact tolerance, by contrast, assumes the disruption will happen and asks how much of it the service can absorb, so the organisation must make the operation resilient enough to stay within that limit. The recovery time objective (RTO) is a metric stating how long it will take for a process to return to normal. RTO focuses on the recovery of an individual process, whereas impact tolerance looks at the whole important business line, up to the point at which the disruption would harm customers, market integrity or the organisation's reputation.

By and large, organisations use time as the primary metric for impact tolerances, but other metrics such as volume, value or the number of customers affected can also be used.

Steps for setting impact tolerances include:

  1. Identifying important business lines
  2. Carrying out resource mapping – all the dependencies for the business line
  3. Gathering baseline data
  4. Identify potential harm
  5. Re-adjust the baseline considering potential harms
  6. Set acceptable thresholds for impact tolerances

Risk Central's impact tolerance functionality provides these features:

  1. Set the impact tolerance level for each important business line
  2. Give each impact tolerance a description
  3. Define whether an increasing or a decreasing value is better
  4. Set up tolerances in multiple units of measurement: minutes, hours, days, currency, volume and so on
  5. Define thresholds for Red/Amber/Green status
  6. Set up notification rules that alert one or more users when a threshold is breached
  7. Configure notification rules freely
  8. Report on impact tolerances over a period of time
