Building an Operational Resilience Framework

November 3, 2022

In recent years, regulators have made operational resilience a focus point. Notable regulatory movements include;

The lead by the UK in developing the concept of operational resilience. The joint PRA and FCA policy statements and rules with regard to operational resilience
European Commission proposed legislation in Digital Operational Resilience, DORA
The Basel committee on banking supervision ‘Principles for Operational Resilience'
Central Bank of Ireland Issuance of Cross Industry Guidance Papers on ‘Outsourcing' and ‘Operational Resilience’

Risk Management v Operational Resilience

Traditional risk management focuses on minimising risk to a firm, via controls that reduce the impact and probability of a risk event happening. Operational resilience focuses on building a firm’s capabilities to deal with risk events should materialise. We are seeing operational resilience straddling five key pillars;

Regulatory Resilience.
Ensuring that the organisation is in full compliance with regulatory requirements and can identify and adapt to changing regulatory expectations. We see this as particularly important for companies that are passporting or distributing their product across multiple jurisdictions. It is important that the CCO is comfortable that all those filings, obligations and submissions are met.
Service Providers.
Identify critical business service providers, or those partners that could harm the firm or negatively impact its financial stability. The firm should identify an impact tolerance for service provider, beyond which it poses a risk to the firm. In an environment whereby firms are heavily reliant on partners this is a vital area. We are seeing firms are moving beyond periodic DD reviews of their partners (TPAs, Outsourcers, Vendors) to scoring and tiering of those partners.
IT and Cyber Resilience.
A firm must ensure that both their own technology and their providers technology is suitable and secure. Continual assessment is key, in that firms should build on existing processes and systems. The new cybersecurity rules from the European Commission, known as "DORA"; continues to be a topical conversation for service providers in Europe as the clock ticks down to an anticipated 2024 compliance deadline.
Financial Resilience.
Ensuring you have adequate operating capital, that your assets are sufficiently liquid and that you’re managing your finances prudently.
People Resilience.
Ensuring your governance, accountability and culture are building morale and empowering success within your organisation, and that your communication plans, between employees and all stakeholders, are robust enough to handle unexpected disruptions.

Regulators Are Expecting To Show Evidence

Operational resilience is a key focus for regulators around the world. Despite individual guidance, there is commonality in relation to their operational resilience requirements. We see continued attention paid to mapping third-party interdependencies to operational resilience risks. The key difference between risk management and operational resilience is in considering the different outcomes and being ready for them rather than in trying to make an exact prediction. Management must prepare ongoing crisis management strategies in order to be able to adapt and increase the speed of recovery. This elevates the importance of business continuity planning that is interconnected to Enterprise Risk, Vendor Management and ICT.

Steps toward building the Operational Resilience Model:

Review existing governance frameworks and committee structure include responsibilities with respect to operational resilience
Implementation of a suitable Operational Resilience Framework should be a holistic, cross-departmental exercise
Identify what services within their business are critical or important
Identify impact tolerances & quantify the maximum level of disturbance that can be withstood
Map the processes to each critical business service, taking into consideration the key staff or technology that is needed to deliver
Continually evolve the ICT and cyber resilience strategies to reflect new working models
Evolve business continuity management

Technology And Operational Resilience

GRC technology will allow a firm to view the operational resilience framework in real-time. This technology should have the ability to interconnect the Resilience Framework to the underlying five pillars, showing their control/assurance performance and also more crucially, BCP scenario stress-testng. The technology should facilitate the identification of emerging risks quickly, whether they be incident driven or as a result of changes in the macro environment. GRC technology will help companies manage operational risk however it must be coupled with engagement from the board and senior executives in establishing the overall operational resilience objectives and strategy, and monitoring the execution of that strategy.

Back

Recent/Related Articles

Governance, Risk, and Compliance Trends Guide for 2024

April 03, 2024

ViClarity’s annual Governance, Risk & Compliance (GRC) Trends report is here to help organisations and GRC leaders to remain focused on the key trends that are impacting many industries as we progress further into 2024.

Embedding ESG risk into the ERM framework - ViClarity

June 22, 2023

The article focuses on three topical areas, which include embedding of ESG risk into the organisational ERM framework, ESG Reporting and disclosure obligations and integrating scenario-analysis into the risk framework.