Operational resilience aims to increase a firm's ability to prevent, adapt to, respond to, and recover from operational disruptions through various means. This includes identifying important business services, setting impact tolerances, stress testing scenarios, communication plans, and lessons learned. Governance and assurance are also important to demonstrate meeting responsibilities. Outsourcing requires understanding all resources supporting business services, including those outside a firm's direct control.
2. Operational resilience
Operational resilience is the meeting point between risk management systems and business continuity systems. It serves to identify, manage, respond to and learn from disruptive business change, and to implement mitigations that allow businesses to operate comfortably at times when such change occurs.
It is the ability of firms and the financial sector as a whole to prevent, adapt to, respond to, recover from and learn from operational disruptions.
3. Operational disruptions
Operational disruptions can have many causes, including technology failures or changes to systems. Some disruptions may also be caused by matters outside of a firm's control, such as a cyber-attack or a wider telecommunications failure.
Ultimately, the aim is to increase firms' operational resilience and drive change where it is needed. Where weaknesses in operational resilience are identified, firms will be expected to act, for example by investing in improving processes, better infrastructure or training, building back-up systems, addressing vulnerabilities in legacy systems or improving contingency plans.
4. So how do we make operational systems more resilient?
• Impact assessments
• Important business service mapping
• Outsourcing risk mapping and risk management
• Stress testing – modelling disaster scenarios
• Lessons learned – from disaster modelling scenarios, to mitigate operational resilience risks
• A strong communications plan
Regulatory Perspective
5. What outcome do you want?
The aim of operational resilience is to increase a firm's business resilience and drive change where it is needed. For example, resilience can be increased by investing in improving processes, better infrastructure or training, building back-up systems, addressing vulnerabilities in legacy systems or improving contingency plans.
We start from outcomes
6. Mapping important business services
Important business services, from an FCA regulatory point of view, are defined as critical services which have a strong impact on customers, including customer retention and access to key services such as accounts.
To stay operationally resilient, relevant regulated businesses are expected to identify (map) the key or important business services of this nature that they offer, from among the business activities they undertake on a day-to-day basis.
This gives them a starting point on which services are likely to be impacted, and for which services disaster models, scenario testing and impact tolerances are needed.
7. Impact tolerance
An impact tolerance is a firm's tolerance for disruption to a particular business service. For many businesses, disruption is part and parcel of business life. It may not happen for a very long time, but it is bound to happen sometime.
HOW IS IT USED IN BUSINESS?
Impact tolerance is expressed by referring to specific outcomes and metrics. It is set at a level that prevents the company from falling into long-term or disastrous disruptions to service.
This is done through metrics and outcomes based on time, value and/or product types, and the number of customers affected.
The idea is to set impact tolerances high rather than low, in order to manage effectively the risks attached to business disruption. This is not the same as RAG rating or risk scoring a business continuity plan.
8. Factors considered in setting impact tolerance include:
• The number and types of consumers (vulnerability) impacted and the nature of the impact, e.g. loss of account services – lack of access to cash for four days
• Financial loss to consumers
• Financial loss of the type that poses a financial stability risk
• The level of reputational damage sustained
• Impacts on market or consumer confidence
• The spread of risks to other business services or products, or across the sector
• Loss of function and access to consumers
• Loss of confidentiality, integrity or availability of data
9. Impact tolerance metrics
Impact tolerance metrics can be single-style or combination-style. Either can be used as a planning or assurance tool.
A duration-based metric can stand on its own, or a single metric can be combined with a volume-based or value-based (cost) metric.
Duration metrics should always specify the period of time that disruption cannot exceed, e.g. one business day, without causing intolerable harm to consumers or financial stability.
Metric types: duration based, volume based, value based.
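As an added example, not taken from the original deck, the following checks a duration-based limit combined with volume-based and value-based limits against scenario test results, which is the planning and assurance use described above. The service name, thresholds, dates and scenario figures are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

@dataclass(frozen=True)
class ImpactTolerance:
    # Combination-style tolerance: a duration limit plus optional volume and value limits.
    service: str
    max_business_days: int                # duration-based metric
    max_customers: Optional[int] = None   # volume-based metric
    max_loss_gbp: Optional[float] = None  # value-based metric

@dataclass(frozen=True)
class ScenarioOutcome:
    # Result of one severe-but-plausible scenario test (constructed figures).
    name: str
    start: datetime
    end: datetime
    customers_affected: int
    loss_gbp: float

def business_days(start: datetime, end: datetime) -> int:
    """Count weekdays (Mon-Fri) touched by a disruption running from start to end."""
    days = (end.date() - start.date()).days + 1
    return sum((start.date() + timedelta(d)).weekday() < 5 for d in range(days))

def breaches(tol: ImpactTolerance, s: ScenarioOutcome) -> List[str]:
    """Metrics the scenario breaches; an empty list means the firm stayed within tolerance."""
    out = []
    if business_days(s.start, s.end) > tol.max_business_days:
        out.append("duration")
    if tol.max_customers is not None and s.customers_affected > tol.max_customers:
        out.append("volume")
    if tol.max_loss_gbp is not None and s.loss_gbp > tol.max_loss_gbp:
        out.append("value")
    return out

def scenarios_outside_tolerance(tol: ImpactTolerance, runs: List[ScenarioOutcome]) -> Dict[str, List[str]]:
    """The 'could not remain within impact tolerance' list for the self-assessment document."""
    return {s.name: b for s in runs if (b := breaches(tol, s))}

# Assumed tolerance for a hypothetical service: one business day, 50,000 customers, GBP 250,000.
TOLERANCE = ImpactTolerance("Retail account access", 1, 50_000, 250_000.0)
SCENARIOS = [  # constructed outcomes; 2024-03-08 is a Friday and 2024-03-11 a Monday
    ScenarioOutcome("Data centre power loss", datetime(2024, 3, 4, 8), datetime(2024, 3, 4, 18), 120_000, 40_000.0),
    ScenarioOutcome("Third-party payments outage", datetime(2024, 3, 8, 16), datetime(2024, 3, 11, 11), 20_000, 300_000.0),
    ScenarioOutcome("Branch telecoms failure", datetime(2024, 3, 5, 9), datetime(2024, 3, 5, 12), 8_000, 10_000.0),
]
```

Running `scenarios_outside_tolerance(TOLERANCE, SCENARIOS)` gives the two scenarios that breach a metric, with the metric names, which is the form of record the self-assessment section below asks for.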
10. Communications
Communication within risk management and business continuity plays a key role in maintaining business operational resilience.
It is important that firms' policies include prompt and meaningful communication arrangements for internal and external parties, including regulators, consumers and the media.
Firms are expected to have internal and external communication strategies in place.
11. Internal communication plans
Firms' internal communication plans should also include the escalation paths they would use to manage communications during an incident, and identify the appropriate decision makers. For example, the plan should address how to contact key individuals, operational staff, suppliers and the appropriate regulators.
As part of their external communication plans, the FCA expects firms to consider, in advance of a disruption, how they would provide important warnings or advice quickly to consumers and other stakeholders. This includes where there is no direct line of communication. Firms are expected to use effective communication to gather information about the cause, extent and impact of operational incidents.
12. Governance
The board and senior management are expected to have oversight of, and to be engaged in, setting the standards for operational resilience.
SM&CR
The SM&CR currently applies to banking firms and insurers and will apply to FCA solo-regulated firms from December 2019. Under the SM&CR, individuals who perform the Chief Operations Function (SMF24) are required to have responsibility for managing the internal operations or technology of the firm, or of a part of the firm.
This includes, but may not necessarily be limited to, responsibility for areas such as:
• business continuity
• operational continuity, resilience and strategy
• outsourcing, procurement and vendor management
Firms that have an individual performing the SMF24 function may find that responsibility for implementing the proposals outlined within this CP falls within the scope of the SMF24's responsibilities. MI sent to the board for regular review is part of the remit here.
13. Assurance / Self Assessment
It is important for firms to be able to demonstrate to the relevant supervisory authority that they are meeting their responsibilities in respect of operational resilience.
The FCA therefore proposes that firms should create a self-assessment document. The self-assessment document should include:
• The firm's important business services
• The impact tolerances set for these important business services
• The firm's approach to mapping, including how the firm has identified its resources and how it has used mapping to identify vulnerabilities and support scenario testing
• The firm's strategy for testing its ability to deliver important business services within impact tolerances through severe but plausible scenarios, including a description of the scenarios used, the types of testing undertaken and the scenarios under which the firm could not remain within its impact tolerances
14. Self Assessment Continued
• An identification of the vulnerabilities that threaten the firm's ability to deliver its important business services within impact tolerances, including the actions taken or planned, and justifications for their completion time
• The firm's lessons learned exercise
• The methodologies used to undertake the above activities
The FCA also proposes that boards, or the firm's equivalent management body, review and approve the self-assessment document regularly. Where changes occur that may have a clear impact on the firm's operational resilience, e.g. structural changes to the firm, rapid expansion, poor trading or entry into new markets, it remains important that more frequent reviews of the firm's self-assessment document are held.
This will not form part of a regulatory report to be submitted to the regulators.
15. Outsourcing
Operationally resilient firms are expected to have a comprehensive understanding and mapping of the resources that support their business services. This includes outsourced and third-party services over which the firm may not have direct control. The FCA also expects firms to be able to identify and document the resources that support their important business services. This is because firms increasingly outsource important business services, due to data-driven innovation and technology developments. Many of these outsourcers are outside the regulatory perimeter, so firms need to be able to prevent, adapt to, respond to, recover from and learn from disruptive operational incidents.
For more on this topic contact
Ebere Ikerionwu
Go Spot It
Incillation ltd
E: ebere@incillation.com
T: 02080035962
W: https://www.incillation.com