Melissa Bosse – Risk and Resilience Consultant
What is operational resilience and where does it come from?
Operational resilience is not a new concept. It has roots in existing risk disciplines like operational risk and business continuity. Where this new methodology differs from the traditional frameworks is that it sees a significant shift from the existing response and recovery plans towards a more sustainable approach.
This methodology considers the entire product and service value chain of the business, which consists of operational dependencies like technology, people, facilities, data and suppliers. These are required to support and deliver the product and service to the client. Operational resilience also analyses the immediate business community and the interconnectedness of the products and services within the economic system as a whole.
Why is it suddenly on the radar of both regulators and business?
The focus is shifting to operational resilience these days. The UK began driving operational resilience objectives in 2018, and resilience risk has since been added to the Top 10 Operational Risks for 2020.
Increased operational failures and systemic risk
Due to the increase in operational failures, and the severe impact of these types of incidents, consequences are felt not only by an enterprise itself but also by external stakeholders and the economy. The root cause of most events is usually either IT disruption, cyber-attack, third-party risk or natural disasters like extreme weather and pandemics. As a result, regulators in the UK have taken on a supervisory approach to operational resilience, with the public interest at heart. There are several regulatory initiatives underway in the financial services sector, primarily driven by the Financial Conduct Authority and the Prudential Regulation Authority, namely:
- A joint discussion paper on operational resilience was distributed to financial services institutions in July 2018, which portrayed the seven key themes of resilience.
- A consultation paper and draft statement of policy was released in December 2019. This paper takes an in-depth look at the proposed guidelines on important business services and their impact tolerances. This has been released for comment and responses are due to be consolidated in October this year.
The Basel Committee on Banking Supervision (BCBS) has also taken an interest and has included operational resilience under the supervisory theme of its 2019-20 work programme. The committee is focusing on enhancing banks’ operational resilience and has indicated its intention to publish an updated set of operational risk standards, as well as to conduct a survey on supervisory metrics for measuring operational resilience.
Technological change and global interconnectedness
The banking industry has a legacy of outdated IT infrastructure, which is costly and cumbersome to replace. Recent years have seen an increase in IT system outages, with far-reaching impact. Coupled with this is the increased complexity of global connection, where the world is fielding a massive increase in cyber-security attacks such as the WannaCry ransomware attack.
A Financial Conduct Authority survey, conducted on UK financial services firms in 2018, reflected a 138% increase in disruptions caused by IT outages and an 18% increase in cyber incidents. In addition, more than 80% of the survey’s respondents confirmed that they do not have a complete picture of their supply chain.
Increased customer demand means that businesses are rapidly transforming themselves in the digital space. It is vital that resilience practices are designed upfront and embedded in order to ensure that potential disruption to digital products and services is minimised. Where possible, alternative options for services should be investigated.
How will operational resilience benefit my organisation?
Through embedding more sustainable and resilient business practices, the organisation will build customer trust. Potential customers are likely to respond more positively to your brand, whilst existing customers will be inclined to remain loyal, resulting in enhanced brand credibility.
One of the elements of an effective operational resilience programme is to identify critical business products and services and map the operational dependencies that support the delivery of the service. By performing this mapping exercise, management will have a more informed picture of their value chain and an improved understanding of service costs.
This service view will also help businesses identify any vulnerability gaps, which will drive remediation plans. Boards will be in a better position to make informed investment-related decisions and improve the business's resiliency profile in the long term.
Will COVID-19 have an impact on the rise of operational resilience?
Due to the coronavirus forcing populations around the world to remain indoors for prolonged periods of time, many businesses of various sizes and sectors have found themselves in a position of being unable to continue supplying their services.
This is currently affecting the viability of businesses, with many having already closed their doors. In addition, the wider economy is beginning to suffer as growth is drastically slowed.
Faced with this challenge, some businesses have been able to adapt and swiftly pivot their business model by selling their products and services online. This has resulted in a sudden and rapid increase in digital transformation. Once these businesses stabilise their digital channels, they will need to think about how they will ensure future continuity of products and services in the face of disruption in the online world.
What practical elements can I implement to start building operational resilience in my business?
- Training and awareness programme: Roll out awareness training to all employees to understand what operational resilience is and what part they play in it.
- Resilience strategy: Review the business strategy and identify how resilience principles and objectives could be integrated.
- Short term roadmap: In line with the revised strategy, compile a three- to six-month plan to help your business become a more resilient organisation.
- Ownership and accountability: Identify which business unit in your organisation could most appropriately own and drive resilience.
- Identification and mapping of dependencies: Start documenting which products and services you would consider critical, and the rationale for this.
Success and sustainability are interwoven
Those businesses which begin to design and build resilience capability will demonstrate to their community and broader society that their interests lie not only in the ongoing success of their business, but in serving staff, customers and society as a whole. They show in a meaningful, visible way that they do not solely prioritise profits but also the resources involved in getting their products and services to market.