The recent guidance issued by Basel Committee on Operational Resilience aims to strengthen the ability of banks to withstand operational risk-related events which could cause significant operational failures or wide-scale disruptions in financial markets, such as pandemics, cyber incidents, technology failures, or natural disasters.
In this paper, we outline an integrated approach to building operational resilience, its key components, and practical insights on how to address key challenges.
Most Banks, perhaps justifiably believe that they have handled the Covid-19 crisis relatively well, given the severity and longevity of this sudden disruption. Most are yet to undertake any structured “lessons learned” study to identify what worked well and what didn’t, but the non-occurrence of any significant operational losses to date provides them some assurance to reinforce their view. A closer look at the operational loss data published by ORX for the period 2014- 2019 and the first half of 2020, also reflects an overall decrease in the operational risk losses.
On the other hand, recent supervisory guidance from BIS on “Operational Resilience” indicates that the current preparedness of Banks globally is not adequate, and supervisors expect banks to enhance their operational risk and business continuity management practices to improve their operational resilience.
The UK regulator (FCA, PRA & BoE) are at the forefront of shaping the industry thinking on operational resilience and have published a series of consultative papers outlining the overall approach to operational resilience for banking financial services firms.
In line with regulatory thinking this article covers critical aspects of building a robust operational resilience framework and outlines the linkages with existing operational risk management and business continuity management.
Defining Operational Resilience
The Basel Committee defines operational resilience as the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, and recover and learn from disruptive events to minimise their impact on the delivery of critical operations through disruption. In considering its operational resilience, a bank should consider its overall risk appetite, risk capacity, and risk profile.
The ORX’s COVID Risk Review, published in June 2020, provides the view of the top 5 risks as ranked by industry risk professionals (Figure 1). It is clear that the overall risk profile has evolved considerably since the beginning of the year with the top 5 risks now the ones that closely relate to areas of operational resilience
The overriding risk impact concern is operational (including business disruption), with staff/internal impact also a key concern reflecting the current crisis's nature.
Operational Resilience: Key Components
The diagram below highlights key component of an integrated, enterprise wide operational resilience framework
1. Creating Operational Resilience Framework:
Like most enterprise initiatives, the first and most crucial step is to create an overarching framework for operational resilience, which clearly defines the overall governance structure and lays out the policies and processes for the first, second, and third defense lines. A frequently asked question is – Do we create a new function for operational resilience or embed it in existing OR, BCM function? Though the answer will be particular to each institution, the generally observed trend is to place it under a current OR/BCM process. To do so it is essential to understand the linkages between the existing OR/BCM function and operational resilience, as depicted in the diagram below
Operational resilience requires an institution to take a horizontal view of the organization, and to do so it introduces the term “business service.” A business service’ is a service that a firm provides to an external end-user. It’s important to note that a business service is different from the business process, which is commonly used in the OR/BCM frameworks. A business service delivers the outcome expected by a customer, market participant, or end-user. It is ‘what’ is delivered. This is different from a business process, which is how the service is delivered, and therefore tends to be more granular and internally focused. Further, several business processes may be required to provide the overall outcome expected by a customer. Although not synonymous with business services, the economic functions identified through RRP-related initiatives can help identify these. Institutions should not lose focus on the word “important.” Interestingly during the lockdowns, most regulators prioritized and issued specific instructions to banks on what services should continue to be operational.
3. Set impact tolerances for Important Business Services
Once the business services are clearly defined and rank-ordered to reflect their absolute and relative importance, the next step is to set impact tolerances, which is a customer’s tolerance for disruption to a particular business service. While setting the impact tolerances, the firm should take an “outside-in” customer view rather than an “inside” view considered in the OR/BCM design. The three main impact categories to evaluate the disruption of a business service are:
It is essential to distinguish these impact tolerances from traditional business impact analysis done by the Bank. Separately firm should link these impact tolerances with overall risk appetite and other measures of operational risk.
4. Map Important Business Services to Resources, including Third Parties
COVID 19 has taught some vital lessons where many firms struggled to mobilize resources such as laptops, set up broad band connectivity to support a sudden transition to work from home operating model, or handle the massive surge in customer calls.
Firms need to identify and document the resources necessary to deliver each of its important business services. The resources are people, processes, technology, facilities, information, and third parties. By mapping resources to each important business service, firms can identify vulnerabilities and be assured that an important business service can remain within the impact tolerance it has set. Resources can potentially come from across business areas, entities (intragroup and other outsourcing), and jurisdictions, which gives the need for a centralized identification for these inputs.
It is critical to outline resource vulnerabilities that will prevent important business service delivery and classify the necessary resources needed to deliver a business service. This requires firms to look at alternate delivery mechanisms (‘Plan Bs’), including changes in their operating model, demand build up during normal and peak times and to assess substitutability and replaceability. Additionally, the ability to build a control mechanism to augment resources not owned by the firm in the time of disruption should be considered.
5. Design severe but plausible Scenarios to test vulnerabilities in the delivery of the Important Business Service
A severe but plausible scenario is when the nature, scale, or scope of the event goes beyond pre-defined recovery measures and supporting assumptions. In other words, a scenario where severity is exceptionally high and duration extends beyond the recovery time objectives (RTO) and maximum outage as defined in the BCM measures. The diagram below depicts this to illustrate this point.
6. Self-assessment to test when impact tolerance
Conducting a lesson learned exercise based on a test scenario and business services impacted involves identifying an appropriate range of adverse circumstances varying in nature, severity, and duration relevant to the business and risk profile for which the firm expects to be able to remain within their impact tolerances and which ones they may not. If exceeded a firm should clearly demonstrate its capability to respond and recover within pre-defined impact tolerance levels and stress testing should focus on the response and recovery actions firms would take to continue delivering an important business service.
7. Ensure internal and external communication plans are in place to be followed when an event occurs
It is crucial that as a part of operational resilience, firms highlight the strategy and execution for a prompt and meaningful communication arrangements for internal and external parties, including regulators, consumers, and the media.
Before designing the communication, the firm must gather information about the cause, extent, and impact of operational incidents. It should contain an expression of care and concern, a demonstration of control over the situation, an indication of alternative services and redress arrangements, and a commitment to improving.
Internal communication plans should also include the escalation paths firm would use to manage communications during an incident and identify the appropriate decision-makers.
The overview above clearly articulates the significant effort that is required to build an integrated operational resilience framework. In recent years most Banks have done much foundational work as a part of their operational risk and business continuity management, which provides an excellent foundation and starting point.
Co- Founder | Aptivaa & CogNext
Director | AJ Sheen Consulting Limited and CeFPro Non - Financial Risk Advisory Board Member
Founder | NDS Consulting Ltd
Operational Risk Consultant, Former Regulator and Risk Manger, Chairman of the IOR England & Wales
Don't miss this roundup of our newest and most distinctive insights