Building Operational Resilience
Updated: Oct 27
An estimated 20,000 people suffered from thyroid cancer and 130,000 people received significant radiation doses, on top of the countless lives lost, as a result of the Chernobyl nuclear power plant disaster in 1986.
Operational resilience can lead to materially different outcomes depending on which industry a business operates in. The stakes may be life or death, people’s livelihood, or more, depending on the circumstances. The world we live in has never been so prone to disruption, which makes resiliency a must-have attribute for all organisations, and especially so for financial institutions.
“The operational resilience policy is outcomes-based. There are many roads to resilience.”
Duncan Mackinnon (Executive Director for Supervisory Risk Specialists at the PRA)
Financial regulators across the world have been taking notice and action. As they mature their regulatory approach and requirements, the financial industry is led to rethink how it operates, how it manages its risks, and how it puts its customers and clients back at the centre of what it does.
Operational failures and disruptions, sometimes on a very large scale as we have seen with COVID-19, are inevitable. Firms must be ready to respond to them and think about how to alleviate the impacts of such disruptions on people. They must think about how to protect them from intolerable harms.
Many financial institutions weren’t ready and were lucky that the pandemic did not impact their business models to a significant extent, unlike other sectors such as travel or healthcare.
We cannot plan for everything, but assuming anything can happen is a good start.
The industry must go beyond being ready to respond to a crisis. It must embed the notion of resilience by design in everything it does. It is easier to get things right from the beginning than to retrofit after the fact, as the dramatic events resulting from the flawed Boeing 737-8 Max aircraft design taught us.
This blog aims to introduce and position the notion of operational resilience and what it means. I do not intend to repeat what the regulators have published; for this purpose, I have included a number of links at the end of this article which will provide much better background information than I could ever do. I will also complement this article with short and focused blog posts on change, third party risk, culture, and more in the near future. So stay tuned and subscribe here if you have not already done so.
Operational Resilience: A definition
I like the definition used by Megan Butler, FCA Executive Director of Supervision – Investment, Wholesale and Specialists:
“We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”
So, building resilient firms is about considering both prevention and recovery. This is about a sustainable business model that aligns scalability with resiliency and efficiency.
This is also about looking at both financial and operational resilience. The former has long been a focus of the regulators through capital and liquidity management, and I will not cover it in any detail in this series of articles. Operational resilience, on the other hand, is a fairly new area of policy, though firms should already have implemented a lot of the requirements by now. It came about as a result of multiple major operational disruptions in the banking sector (see next section) and was the result of the regulators realising a simple truth:
It is always possible to bail-out a financial firm if it runs out of cash, even though this is not a desired outcome. But it is not possible to “bail-out” a firm which is unable to run its operations. There isn’t any substitute for a failed database somewhere in a datacentre of a major bank; it has to be fixed by the same firm.
The UK Regulatory Journey
By the time the TSB incident occurred in April 2018, the UK Treasury Select Committee had already been pushing for more regulatory scrutiny over financial institutions' operational resilience following multiple incidents across the industry. TSB acted as a catalyst for real change and opened the door for more actions across the world.
Figure 1. The UK Regulatory Journey
Introducing Operational Resilience Core Capability Framework
Operational resilience is an outcome: a firm must remain operational. And with that comes the requirement to map out the end-to-end business operations and service delivery model to identify and assess potential failure points. To achieve such an outcome, it is necessary to have in place some core organisational capabilities.
Figure 2. Capability Framework
There cannot be operational resilience (recovery) without effective incident response and crisis management including internal / external communication.
There cannot be operational resilience (prevention) without effective cyber security, change (see my article on this here) or vendor management.
There cannot be organisation wide operational resilience without interconnecting these various frameworks to ensure they complement and supplement each other, and in particular business continuity.
In that context, strategy and culture act as enablers through clear direction and alignment. For example, the organisational blueprint must enable the sustainable delivery of the business objectives, and the strategy should clearly articulate the way to implement and maintain this organisational blueprint (e.g. location, simplification, digitalisation, etc.). Particular attention must be paid to strategic risk and potential change in velocity and emerging / emerged trends to maintain or slow / accelerate the course if necessary.
Oversight functions monitor and assure on behalf of the Board that the enterprise recovery and prevention mechanisms are effective and adequate. This includes establishing relevant policies and standards, designing and rolling out / embedding risk management identification and management toolkit, etc.
Operational Resilience Management
There are seven focus areas and management capabilities that any business needs to pay attention to in order to enable and monitor resiliency.
Figure 3. Operational Resilience Management Tools
People, Technology, 3rd party and location are all about the organisational resources upon which operational resilience is built. These would be the equivalent of capital and liquidity in the financial resilience space.
These resources support the operations of a business through the so-called Important Business Services (or IBS).
“IBS means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
(1) cause intolerable levels of harm to any one or more of the firm’s clients; or
(2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.”
Source – FCA Handbook
I will explore these components in more detail in future blogs. But at this stage, I would like to emphasise the need to connect IBS ownership and management with the roles and responsibilities as defined under the Senior Manager and Certification Regime in the UK (or equivalent in other jurisdictions), and especially with the SMF24 role (i.e. Chief Operations Function).
Specifically, it is necessary to ensure consistency of decision making and oversight of IBS with the responsibilities as defined in the statement of responsibilities of the senior managers, to avoid exposing the latter to unnecessary regulatory risks.
Operational resilience is about continuity of business service, including recovery in case of disruption. Getting this right will protect customers and clients from potential intolerable harms and market instability.
By developing and nurturing the core management capabilities, culture and frameworks that a firm requires to establish and run a resilient business, Executives and Board Directors can not only comply with regulatory expectations, but also deliver outstanding and sustainable services to their clients and customers.
It should be simple, but it is not. Years of layering and fragmentation have rendered a number of firms too big and complex to manage. But I hope this regulation will act as a catalyst for change and enable bold but necessary simplification of many financial firms. This will be an opportunity, albeit I expect a bumpy road for many of them.
Some Interesting Links