When stress, disruption, and uncertainty strike, are you prepared to weather the storm, and are you set up to turn adversity into opportunity? Operational Resilience (OR) has emerged as an industry hot topic almost overnight as a result of the COVID-19 pandemic. The Bank of England[1], the Basel Committee on Banking Supervision[2] (BCBS), and the Federal Reserve Board[3] (FRB) have all issued significant guidance on OR over the past two years. Even before the pandemic, regulators had begun to redefine their expectations for financial institutions’ resiliency frameworks. The momentum of regulatory scrutiny has accelerated dramatically over the past several months, a trend we expect to continue well past the current pandemic. Global regulatory bodies are currently evaluating the feedback received from industry participants, which will help shape the final guidance and regulation expected in 2021/2022. Banks should follow these developments closely and prepare for significant modifications and upgrades to their current practices.
The Bank of England defines operational resilience as ‘the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them’. The Basel Committee on Banking Supervision defines OR as ‘the ability of a bank to deliver critical operations through disruption’. Both definitions reflect the regulatory view that financial services firms are not sufficiently prepared to address systemic industry risks. This Insight will focus on the initial principles-based guidance provided by the BCBS, due to its global perspective and applicability.
Aren’t We Already Doing This?
OR is not a fundamentally new concept. For a long time, banks have identified, measured, monitored, and mitigated operational risks, including those related to their cyber infrastructure and third-party dependencies. Similarly, banks have developed expertise in business continuity and disaster recovery planning, largely prompted by the 9/11 terrorist attacks. In an important way, OR simplifies the operational risk challenge faced by financial institutions. Instead of attempting to enumerate and measure every operational risk that might harm the bank, a task that is almost impossible to complete, OR challenges firms to identify their critical assets and services and to find ways to protect them under most circumstances. In the US, large banks have already completed much of this identification work as part of their Recovery and Resolution Planning (RRP) processes.
Well-developed OR frameworks have the important advantage of being agnostic as to the precise operational risk event that will pose the next threat to a financial institution. OR seeks to protect the critical capabilities of a firm regardless of whether disruption is caused by a terrorist attack, a pandemic, widespread cyber-attacks, or a natural disaster.
The Basel Committee’s guidance, published in August 2020, proposes the following seven principles for banks to consider when building their own OR frameworks:
1. Governance
Each of the seven OR principles is formulated within the context of a bank’s risk appetite, risk capacity, and risk profile. These measures are established and monitored by the board of directors and implemented by executive management. Consequently, the board and senior management are tasked with formulating the bank’s OR approach to ensure continuity and consistency with existing processes. This top-down perspective is vital for firms to communicate their OR objectives effectively and to foster a robust, firm-wide risk management culture. As a result, regulators are tasking boards with oversight of executive management’s ongoing OR framework and elevating the topic to a permanent place on the boardroom agenda. The BCBS expects the board and senior management to consider a “broad range of severe but plausible scenarios” when formulating the bank’s risk tolerance for disruptions to its critical operations.
2. Operational Risk Management (ORM)
“Operational resilience is an outcome that benefits from the effective management of operational risk”.[4] These words from the Committee succinctly sum up the fact that OR is less about ripping up the rule book and starting again and more about building on existing capabilities and redefining what it means to be operationally resilient. The FRB echoes this sentiment when it defines OR as “the outcome of effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.”[5] Today, a bank’s operational risk management function identifies threats to the business (specifically to people, processes, and systems) and ensures that controls and procedures exist to measure, monitor, and mitigate them. However, with the focus now shifting towards business resiliency and critical vulnerabilities, it is imperative that ORM be integrated with the other relevant functions within the bank so that a consistent approach to OR is achieved. These controls and procedures need to be kept up to date through regular reviews by the respective functions (i.e. the bank’s three lines of defense, consisting of business unit management, an independent operational risk management function, and independent assurance) so that the business stays current in an ever-changing landscape. This elevation of ORM from a passive to an active capability embodies the essence of the Committee’s seven principles.
3. Business Continuity Planning and Testing
Not only must business continuity plans be put in place, but they must be tested on a regular basis. Banks are encouraged to run a series of business continuity exercises under a range of “severe but plausible scenarios” so that their ability to continue operating critical functions amid disruption can be assessed. Unsurprisingly, if these plans are to prove effective and robust, they must include impact analyses, recovery strategies, testing programs, training and awareness programs, and communication programs. While it is important to train staff on their roles and responsibilities within the plans and to define the triggers for invoking them, it is equally important to train them on the importance of resilience and to promote a “resilience culture” within the bank. Combining top-down and bottom-up approaches to OR increases the chances of successful implementation and, in turn, of establishing a competitive edge when severe scenarios strike.
4. Mapping Interconnections and Interdependencies
The increasing complexity of internationally active banks has made it even more important to stay on top of the interconnections between people, technology, processes, information, and facilities. Each of these resources plays an individual and a collective role in delivering a bank’s critical functions. Therefore, extensive mapping of the interdependencies across the organization should be performed to a level of granularity that exposes any weakness in the bank’s ability to stay within its risk tolerance. Firms that are subject to recovery or resolution planning requirements will already have mapped these interdependencies in those plans and are encouraged by both the BCBS and the FRB to leverage the relevant components when building out their OR frameworks. Consistent with the harmonization objectives the Committee promotes across the seven principles, an adequate governance process (principle 1) underpins the interconnection and interdependency mapping a bank needs to manage OR effectively.
5. Third-party Dependency Management
Internal interdependency mapping is only half the battle, however: each firm must extend that mapping to address the impact of interdependencies outside its immediate environment. The bank must conduct due diligence on any third party with whom it intends to enter into an arrangement to ensure alignment on operational resilience. Specifically, the bank must verify that the third party “has at least equivalent operational resilience conditions to safeguard the bank’s critical operations”[6]. Such arrangements should be formalized in written agreements that specify not only how operational resilience will be maintained but also the least disruptive third-party exit strategies.
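As an added, constructed illustration of principles 4 and 5 (this is not code from the original Insight, from the BCBS, or from any bank), the following Python models a small dependency map for two hypothetical critical business services and checks it against assumed impact tolerances: which resources would on their own breach a service’s tolerance, which resources are concentration points shared by several services, which dependencies are third parties, and which services a given resource outage would hit. Every service, resource, recovery time, and tolerance below is invented for the example.

```python
from collections import Counter

# Constructed, hypothetical operational-resilience map (not real bank data).
# Impact tolerance: the maximum tolerable outage of each critical business
# service, in hours, as the board would set it under principle 1.
IMPACT_TOLERANCE_HOURS = {
    "retail_payments": 4,
    "securities_settlement": 24,
}

# Directed dependency graph: each node lists the people, technology,
# processes, facilities, and third parties it relies on directly.
DEPENDS_ON = {
    "retail_payments": ["payments_app", "core_ledger", "payments_ops_team"],
    "securities_settlement": ["settlement_app", "core_ledger", "custodian_vendor"],
    "payments_app": ["primary_dc", "payments_db"],
    "settlement_app": ["primary_dc", "settlement_db"],
    "core_ledger": ["primary_dc", "ledger_db"],
    "payments_db": ["primary_dc"],
    "settlement_db": ["primary_dc"],
    "ledger_db": ["primary_dc", "storage_vendor"],
}

# Assumed time to restore each resource after it fails, in hours.
RECOVERY_HOURS = {
    "payments_app": 2,
    "settlement_app": 6,
    "core_ledger": 3,
    "payments_ops_team": 1,
    "custodian_vendor": 48,
    "primary_dc": 12,
    "payments_db": 2,
    "settlement_db": 4,
    "ledger_db": 3,
    "storage_vendor": 8,
}

# Dependencies outside the firm's immediate environment (principle 5).
THIRD_PARTIES = {"custodian_vendor", "storage_vendor"}


def transitive_dependencies(node, graph=DEPENDS_ON):
    """Every resource reachable from `node`, direct or indirect (cycle-safe)."""
    seen, stack = set(), list(graph.get(node, []))
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(graph.get(current, []))
    return seen


def tolerance_breaches(service):
    """Resources whose recovery time alone exceeds the service's impact tolerance."""
    tolerance = IMPACT_TOLERANCE_HOURS[service]
    return sorted(
        r for r in transitive_dependencies(service) if RECOVERY_HOURS[r] > tolerance
    )


def concentration_points(services=IMPACT_TOLERANCE_HOURS):
    """Resources that more than one critical service depends on."""
    counts = Counter()
    for service in services:
        counts.update(transitive_dependencies(service))
    return sorted(r for r, n in counts.items() if n > 1)


def third_party_exposure(service):
    """Third parties anywhere in the service's dependency chain."""
    return sorted(r for r in transitive_dependencies(service) if r in THIRD_PARTIES)


def affected_services(resource, services=IMPACT_TOLERANCE_HOURS):
    """Critical services that lose `resource` if it fails (scenario lookup)."""
    return sorted(s for s in services if resource in transitive_dependencies(s))


if __name__ == "__main__":
    for service in IMPACT_TOLERANCE_HOURS:
        print(service)
        print("  exceeds tolerance:", tolerance_breaches(service))
        print("  third parties:", third_party_exposure(service))
    print("shared across services:", concentration_points())
    print("primary_dc outage hits:", affected_services("primary_dc"))
```

A resource returned by tolerance_breaches is a candidate for redundancy, a shorter recovery objective, or a renegotiated third-party agreement and exit plan; a resource returned by concentration_points is where a single disruption reaches several critical services at once, which is the level of granularity principle 4 asks the mapping to expose.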
6. Incident management
It was stated earlier in this Insight that OR is a proactive adaptation of its more passive cousin, Operational Risk Management, and that proactivity extends to incident management. Not only do incident response and recovery plans need to put the firm in the best possible position to minimize disruption and quickly restore business as usual, but they must also be kept up to date and relevant. Lessons learned are intrinsic to the effectiveness of incident management and must form the basis of regular reviews, tests, and root cause analysis (RCA) sessions. It is the banks that design fully executable incident response and recovery procedures that will avoid being left flat-footed and will instead emerge from disruption with their prioritized assets intact and service quality maintained.
7. Resilient Information Communication Technology (ICT) Including Cyber Security
Unsurprisingly, a higher degree of digital operational resilience and cybersecurity maturity is expected of an industry that accounts for a fifth of all ICT expenditure.[7] ICT and financial services have long complemented one another, and their bond grew even stronger after the 2008 financial crash. The convergence of these two rapidly growing sectors is the driving force behind fast-paced innovation in financial services. However, the industry’s increasing reliance on ICT systems brings fresh challenges for operational resilience. The Committee asks that banks have a documented ICT policy, including cybersecurity, that sets out governance and transparency requirements and, characteristically, promotes a more proactive approach to securing information assets and the integrity of data. Firms must adopt prioritization mechanisms to classify information assets and their supporting processes according to their criticality. The COVID-19 pandemic, itself an example of a “severe but plausible scenario”, has driven a rapid pivot to remote working and further underscored the importance of cybersecurity and customer data protection. The scaling up of remote work capabilities, and the increased likelihood that this will be the “new normal”, has led the Committee to encourage banks to update their ICT, including cybersecurity, regularly in order to maintain an appropriate security posture going forward.
Strategy and Implementation
Successful OR programs are not ‘tick-the-box’ exercises established to meet compliance and regulatory demands. Well-designed programs are broad-based and capture all critical activities of a banking institution, while following the prudent guidance of regulatory bodies. To be effective, an OR strategy needs to get everyone within the organization thinking about resilience and how operations can be maintained in challenging environments. This is most easily achieved by elevating OR to a board-level topic and formulating clear strategic objectives. Developing a clear and shared understanding of critical business services and impact tolerances is a fundamental first step when establishing an OR framework.
Firms need to be realistic about their current OR status and proactively prioritize critical activities and the resources that support them. Open and frank discussions of priorities and gaps are the critical starting point for getting programs off the ground. While it is good practice to document the OR framework in charter and policy documents, firms should also encourage creativity and a forward-thinking mindset across all business functions. Developing effective mitigation strategies is not the exclusive domain of a few senior executives but a shared responsibility across the entire organization. There is a wealth of pressing regulatory programs in flight, each claiming to demand more attention than the others, but it is hard to argue with the fact that operational resilience is staking its claim as the front runner. It is the firms that shift their mindset sooner rather than later and establish a culture of resilience that will emerge from “severe but plausible scenarios” with their critical operations intact. Monticello expects additional regulatory guidance and standards for financial services to emerge over the next several months and years as this topic continues to gather pace.
About Monticello
Monticello Consulting Group is a management consulting firm supporting the financial services industry with deep knowledge and expertise in digital transformation, change management, and financial services advisory. Our understanding of the competitive forces reshaping business models in capital markets, lending, payments, and digital banking is a proven enabler that helps our clients remain in compliance with regulations, innovate to be more competitive, and gain market share in new and existing businesses. By leveraging our Operational Resilience Center of Excellence and Change Management Practice, Monticello will manage a shift in culture and mindset within your business to one where resilience takes center stage.
[1] https://www.bankofengland.co.uk/financial-stability/financial-sector-continuity
[2] https://www.bis.org/bcbs/publ/d509.pdf
[3] https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20201030a1.pdf
[4] Basel Committee on Banking Supervision, Consultative Document: Revisions to the Principles for the Sound Management of Operational Risk, paragraph 5, 2020.
[5] https://www.federalreserve.gov/newsevents/pressreleases/files/bcreg20201030a1.pdf
[6] Basel Committee on Banking Supervision, Consultative Document: Revisions to the Principles for the Sound Management of Operational Risk, paragraph 5, 2020.
[7] Basel Committee on Banking Supervision, Consultative Document: Revisions to the Principles for the Sound Management of Operational Risk.