Operational Resilience

What is Operational Resilience?

The ability of an enterprise to continue providing services to consumers despite a sudden disturbance is known as operational resilience. The ability to prevent, respond to, recover from, and learn from operational interruptions is a key priority of operational resilience.

Previously, that concept was associated with catastrophe recovery or business continuity. Operational resilience has evolved into a blend of business continuity, vendor risk management, cybersecurity, and more as a result of technological advancements and the digital transformation of corporate processes.

What is
Operational
Resilience?

What is Operational
Resilience?

Impact Tolerance

Impact Tolerance is quantifying the level of disruption, a critical business service can accommodate or absorb, before such disruption creates a significant impact or harm on the organisation or its customers. These impact could be financial, operational, regulatory etc. Regulators now mandating the financial services organisations to quantify these impact tolerances in terms of time or such other measures like volume, value etc. Impact tolerance is a good measure to track as they provide useful insights to the board and helps in decision making.

Business Impact Analysis

A Business Impact Analysis (BIA) is a systematic process to determine and evaluate the consequences of disruption to a business service. The primary objective of BIA is to come up with a list of services which has substantial impact and hence are important services for the business. A well carried out Business Impact Analysis helps in clear identification of critical services, drawing up a focused response and remediation plans and thereby making the service more resilient.

Why is Operational Resilience Vital?

Financial institutions have long prioritized service continuity. After all, disruptions can have a negative impact on income, client satisfaction, and franchise value.

Higher customer expectations:
Customers in most industries demand services to be available on a 24/7 basis. Customer expectations include dependable service delivery and response under challenging situations. This also aids in the development and maintenance of trust between businesses and their customers.

Severe natural disasters and extreme weather events: Extreme natural events are linked to climate change. If an enterprise or its customers are based all over the world, such occurrences will almost certainly effect them.

Increased cyber threats: Technological advancements have benefited a wide range of businesses. However, technological advancements have enabled masterminds to develop low-cost but powerful cyber weapons, the use of which has unforeseen implications.

Higher risk linked to internal change failures: As technology evolves, businesses frequently upgrade to more modern systems. This results in modifications that must be addressed. In the event of internal change failure, more complex systems would increase the risk and related potential damage, either financial or operational.

Increased regulatory scrutiny: To
safeguard clients, the financial services industry has evolved into a highly regulated landscape since the financial crisis of 2008-2009. A company that is not operationally robust may find itself unable to adapt to the changing regulatory environment.

The firm is more effective and efficient

There is a clear understanding of crucial service delivery that can:

help to decrease costs, for example, by optimising outsourcing arrangements

streamline processes, for example, by introducing tools, automation, and aid to improve quality.

Improve efficacy, for example, by identifying and correcting problem-causing steps.

Who addresses Operational Resilience?

Operational resilience should not be viewed as a one-time event, but rather as part of a foundational set of ideas and practices embedded in the company’s DNA and culture. It is everyone’s responsibility, and planning should begin at the top of the company.

Board members needs to see actions and progress across the enterprise, as well as the implementation of a single approach to deliver resilient services. This should result in senior-level involvement and critical thinking throughout the company, as well as appropriate investments, responsibility, and continuous oversight. As operational resilience is coupled to change, financial institutions should undergo regular evaluations and respond to emerging threats and solutions on a regular basis.

What is
Operational
Resilience?

Who Addresses Operational
Resilience?

Five Steps to Rollout an Operational Resilience Program

Identify the Critical Business Service

These are services offered by the enterprise to their customers and other related stake holders. FCA says services which, if disrupted, would most likely cause intolerable harm to consumers or market integrity. Eg: payment services by banks, payment of annuities by life insurers, ATM cash withdrawal etc.

Mapping people, process, and systems

The firm must identify and document the process, people and systems required to deliver each of the critical business service. Business service process maps along with the connected people and IT systems should be clearly documented.

Set Impact Tolerance

Impact Tolerance is quantification of maximum tolerable level of disruption to the important business service both in terms of value and duration.

Eg: maximum number of transactions, number of customers, also define the duration up to which the important business service will be affected. The tolerance level should also consider peak times and non-peak time variations.

Scenario Testing

Testing of a firm`s ability to remain within its impact tolerance for each of the identified important business service in case of a disruption.

Building Resilience

Continuous monitoring and measuring the operational resilience framework and taking corrective actions to improve the same for better results.

Operational Resilience Framework

To develop operational resilience, an enterprise must implement the following pillars:

Define the framework to achieve operational resilience

The framework must be up to date, conveyed, and comprehended by the enterprise. It has been implemented throughout the enterprise, with clear definitions and accountability for the many parts of resilience.

Embed operational resilience in the governance structure

The Boards and Senior management should actively oversee the firm’s resilience framework in relation to its strategy and risk appetite; this will enable them to make the best investment and risk decisions possible

Ensure effective
capacity management

Organizations can demonstrate the success of capacity management through testing and monitoring

Strengthen the management
of own risks

In order to minimise the impact on customers in the event of a stress scenario, resilience necessitates proper risk management. Splitting tasks into separate major hurdles and ensuring that these lines have components of resilience are all part of managing the hazards of a stress scenario

Enhance
resilience capability

To deliver and help ensure operational resilience, the enterprise has sufficient skills, resources, adaptability, and a clear understanding of roles and responsibilities

Promote a culture of continuous
learning and improving

The enterprise should not only foresee, but also learn from, undesirable occurrences that affect the company or the industry as a whole

Actionable Steps to Achieving Resilience

Know your clients: Identifying the products and services that are critical to the clients is the first step in establishing resilience. However, before it can be appraised, a more important question must be answered: who are the enterprise’s clients and what do they require?

Determine which items and services are most important for customers: The focus should be on the value chain that produces the key products and services after they have been identified. The critical processes that lead to that outcome are identified. In complex enterprises, all products are the result of a number of processes and interactions. The critical processes are those that have an impact on the output or the enterprises success. These ensure a company’s competitiveness.

Identify the primary processes and personnel associated with the core business, as well as any existing or planned dependencies: The attention now shifts to developing the major products and services that have been identified. But first, the essential processes that contribute to their production must be identified.

Map third-party dependencies: It’s also crucial to comprehend all of the processes’ interdependencies. This issue should be thoroughly studied in order to identify all third parties involved in all internal operations that provide services.

Define possible threat scenarios: At this point, it’s crucial to figure out which services and products must be maintained in stressful situations, as well as the critical processes, personnel, IT systems, and third parties that deliver or assist in delivering those products and services. Rather than single, isolated incidents, it is vital to identify potential risk scenarios that affect the entire value chain.

Map risks to the value chain: All risks should be linked to the value chain of the critical products and services at this point. It is critical to identify all hazards and threats prior to their emergence in order to adopt suitable mitigation methods.

Learn from the past: It is critical to guarantee that previous crisis management experiences are leveraged to develop improved plans and measures for essential processes and infrastructure. When a company gets hit by a stress event that they weren’t expecting, the event should be put to the list of threats and risks to be prepared for in the future. Measures to be taken as a result of this incident should be put in place for future use as well.

Basel Committee Recommendations For Operational Resilience

Basel Committee Recommendations

The Principles for Operational Resilience were published by the Basel Committee on Banking Supervision on March31,2021, with the goal of promoting a principle-based approach to improving banks’ operational resilience, making them better able to withstand, adapt to, and recover from severe adverse events. The rise of technology-related risks has prompted banks to strengthen their operational resilience in recent years, a trend exacerbated by COVID-19.

Principles for Operational Resilience

The Committee established seven principles for operational resilience

1. Governance

To reduce the impact on vital operations, banks should adjust their governance structure to allow them to respond, adapt, recover, and learn from disruptive occurrences. For instance, effectively allocating financial, technical, and other resources, delivering timely updates on business units to the board, and clearly communicating their approach to resilience and its objectives to all relevant parties are just a few examples.

2. Operational risk management

Banks should use their operational risk management to identify external and internal threats on a continuous basis, including potential breakdowns in people, processes, and systems, by assessing the vulnerabilities of critical operations and controlling the risks that emerge. Implementing controls and procedures to identify threats and vulnerabilities in a timely manner, leveraging change management capabilities to assess the potential effect on critical operations and their interconnections and interdependencies, and coordinating business continuity frameworks, third-party dependency management, and recovery and resolution planning are just a few instances.

3. Business continuity planning and testing

Banks should have a business continuity plan in place and stress test it under a variety of severe but credible scenarios to see if they can maintain vital activities in the event of a disaster. Identification of vital processes, major internal and external dependencies, business impact analyses, and recovery plans are all important factors in a good business continuity strategy, according to the report. Business continuity plans, as well as recovery and resolution plans, should be in line with a bank’s overall operational resilience strategy.

4. Mapping of interconnections and interdependencies of critical operations

Banks should map out the internal and external interconnections and interdependencies that are necessary or critical to operations once they’ve identified their critical operations. Banks should be able to discover vulnerabilities thanks to the precision of the mapping.

5. Third party dependency management

For the delivery of important operations, banks should manage their reliance on relationships, particularly those with third parties or intragroup entities.

6. Incident management

In accordance with their risk appetite and tolerance for interruption, banks should establish and implement reaction and recovery strategies to manage situations that could disrupt vital operations. Lessons learnt should be used to strengthen incident response and recovery plans in the future.

7. Resilient information and communication technology (ICT), including cyber security

To fully support and facilitate the delivery of a bank’s critical operations, banks should ensure that ICT includes regularly tested protection, detection, response, and recovery programmes, incorporate appropriate situational awareness, and convey relevant timely information for risk management and decision-making processes.

FAQ's

1. Operational Resilience

Basel Committee issued principles of Operational Resilience in March 2021 followed by the Operational Resilience Policy Statements 21/3 and 6/21 by the FCA and PRA respectively in March 2022. Many other regulators viz. Central Bank of Ireland, Hong King Monetary Authority, South African Reserve Bank and many more came up with regulations around operational resilience. Risk and Resilience professionals have a lot of questions about the understanding, practical approach, impact and implementation methodology. Our Resilience expert has tried to provide answers to some of the FAQ`s. To know more, reach out to us.

1. Why is there a focus on Operational Resilience by regulators across geographies?

Operational resilience is important because disruptions can cause financial losses, reputational damage, and even legal consequences. By ensuring operational resilience, organizations can minimize the impact of disruptions on their operations and services.

2. What is the timeline provided by the regulators to implement the operational resilience framework?

Typically regulators have given time frames from 18 to 36 months to implement the same. By and large, every organization will need to implement the resilience framework within three years from now.

3. What are the steps involved in implementing an Operational Resilience program?

Identifying critical business services, resource mapping, linking of risk and controls, defining the impact tolerances, scenario testing, performance analysis, action and remediation plans are the various steps to implement the program.

4. Which type of organizations need to abide by the operational resilience guideline?

By and large, all type of financial service providers are covered by the scope of the regulation. Banks, Insurance companies, Financial Services companies, Asset & Wealth Management firms and others.

5. Is there a difference between Operational Resilience and Business Continuity Planning?

There is lot of confusion around both these terms and some organisations have even gone ahead and considered both as the same. However, in reality, both of these are quite different.

Operational resilience is making available your business and to keep products and services working even during disruption times. However, BCP is where executives develop plans for specific scenarios and the steps your business can take in advance to minimize or eliminate that disruption.

6. What is the best method to implement an operational resilience program?

Organizations have multiple options (a) manage this manually through spreadsheets (b) hybrid approach , some areas using technology system and some manually (c) An integrated technology system. While it is not mandated that firms must use a software solution, to achieve the aims of and assure compliance with the policy, it is difficult to see how a firm of any significant size would be able to meet their obligations without one.

To manually perform the required tasks and following a step-by-step approach is resource exhaustive and can lead to lot of manual errors. Additionally having silo systems will put additional pressure in terms of time and effort into collecting, analyzing, reporting, following up etc.

Hence to achieve the desired objective and have a robust resilience program running, organizations should look at implementing an integrated solution. The risk and resilience area is fairly dynamic and one can expect constant changes to happen and hence a manual or hybrid approach would lead to multiple challenges over a period of time.

7. What are the key differentiators of Gieom`s resilience solution?

Risk Central, our Risk and Resilience solution is built using a low-code platform, which primarily means everything is configurable. workflows, tasks, hierarchy, forms and fields, dashboards etc.

Our solution follows an integrated approach of risk and resilience as we believe both are critical to make an organization resilient. The solution follows a five-step approach to implement a resilience program and each step is backed by tools which help the teams to carry out the activity in a guided way.

Identification – Important Business Line, Resource Mapping, Risk & Control
Planning – Impact Tolerances, Key Risk Indicators
Exercise – RCSA, Control Testing, Incident tracking, Action & Remediation Plan
Testing – Scenario Testing, Implement process changes, Control management
Monitoring – Health Checkup, Consolidated 360 degree view

2. Impact Tolerance

The PRA and FCA regulators have issued a suite of policy and supervisory statements including a shared final policy summary on setting impact tolerances. Of most relevance to firms is the FCA’s policy statement (PS21/3) articulating their expectations for firms to set impact tolerances as part of a set of wider requirements for firms to build their operational resilience.

1. What is Impact Tolerance and why is it important?

Impact tolerance is the ability of an individual or organization to tolerate or absorb the impact of unexpected events or disruptions and to recover from them quickly. Impact tolerance is important because unexpected events and disruptions can cause financial losses, reputational damage, and other negative consequences. By building and maintaining impact tolerance, organizations can minimize the effects of disruptions and recover more quickly.

2. Why should you set an impact tolerance?

Regulators have mandated setting up of impact tolerances for each of your important business lines. So apart from the compliance requirement, setting up impact tolerance helps organizations to have better clarity of their resource dependencies. In the process of keeping your important business lines within tolerance levels, the organization can direct investments to the right areas and also get the competitive edge in the market.

3. Is there a difference between impact tolerance, risk appetite and recovery time objective (RTO)?

A risk appetite is the amount of risk which the organization is ready to take in case the risk occurs. The focus here is, if the risk occurs, however in the case of impact tolerance it is assumed that the risk will happen, and organizations need to get the operation to be resilient to overcome these disruptions. The recovery time objective is a metric which says how long will it take for a process to come back to normalcy. While RTO focus on the process coming back impact tolerance looks into the overall important business lineup to the point that it does not cause any harm to the customer or reputation of the market or integrity of the organization.

4. What are the typical metrics that one can use to define impact tolerances?

By and large, organisations look at time as a metric for defining impact tolerances. However, some of the other metrics which can be considered include volume, amount, duration etc.

5. What are the prerequisites for setting up the impact tolerances?

Steps for setting impact tolerances include:

Identifying important business lines
Carrying out resource mapping – all the dependencies for the business line
Gathering baseline data
Identify potential harm
Re-adjust the baseline considering potential harms
Set acceptable thresholds for impact tolerances

6. What are some of the features supported by Risk Central’s Impact Tolerance functionality?

Risk Central’s impact tolerance functionality comes up with these features:

For each important business line set the impact tolerance level
Giving a description for the impact tolerance
Define if increasing value or decreasing value is better
Setup based on multiple units of measurement – minutes, hours, days, currency, volume etc.
Ability to define thresholds for Red /Amber/Green
Set up notification rules with alerts to one or multiple users on breach of thresholds
Notification rules are freely configurable
Impact tolerance reports over a period of time

Interested to learn more?

Resources

Whitepapers

Operational Resilience

Operational Resilience Covid-19 pandemic have made financial institutions realize, the need to adopt an industry recognized operational resilience framework to be able to withstand the …

Download

Whitepapers

Mapping of Resources

On 22nd December, 2021 HKMA (Hong Kong Monetary Authority) came up with a Supervisory Policy Manual for Operational Resilience to provide Authorized Institutions (AI) with …

Operational Resilience

What is Operational Resilience?

What is Operational Resilience?

What is Operational Resilience?

Impact Tolerance

Business Impact Analysis

Why is Operational Resilience Vital?

The firm is more effective and efficient

Who addresses Operational Resilience?

What is Operational Resilience?

Who Addresses Operational Resilience?

Five Steps to Rollout an Operational Resilience Program

Identify the Critical Business Service

Mapping people, process, and systems

Set Impact Tolerance

Scenario Testing

Building Resilience

Operational Resilience Framework

Define the framework to achieve operational resilience

Embed operational resilience in the governance structure

Ensure effective capacity management

Strengthen the management of own risks

Enhance resilience capability

Promote a culture of continuous learning and improving

Actionable Steps to Achieving Resilience

Basel Committee Recommendations For Operational Resilience

Basel Committee Recommendations

Principles for Operational Resilience

FAQ's

1. Operational Resilience

2. Impact Tolerance

Interested to learn more?

Resources

What is
Operational
Resilience?

What is Operational
Resilience?

What is
Operational
Resilience?

Who Addresses Operational
Resilience?

Ensure effective
capacity management

Strengthen the management
of own risks

Enhance
resilience capability

Promote a culture of continuous
learning and improving