Operational resilience of both firms and financial market infrastructures (FMIs) has become an area of increasing regulatory scrutiny over recent months. Given some of the high profile operational outages, most recently the payment outage at Lloyds Banking Group, that is hardly surprising.
Whilst the focus has historically been on cyber resilience and the resilience of outsourced service providers, on 5th June 2018 the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England issued a joint discussion paper on operational resilience more broadly. The paper introduces the concept of focusing on the impact of disruption on a firm’s business services, rather than on individual systems and processes. In some ways this changes little, as firms still need to understand how processes, systems and services map together and what the failure of a single process or system does to the overall service. What it does do is force firms to think about the bigger picture: the service as experienced by customers and the market, not the components behind it.
In a recent speech Lyndon Nelson, Deputy CEO of the PRA, said that firms need to be able to Withstand, Absorb and Recover from disruption, which he neatly described as being on a WAR footing. And perhaps preparing for war is exactly the way to think about operational resilience. In the words of the Chinese military general Sun Tzu, ‘the General who wins a battle makes many calculations’. Or, more pointedly still, ‘plan for what is difficult while it is easy’. In short, plan first. The move towards thinking in terms of service provision does exactly that: operational resilience management becomes less about ‘how’ or ‘why’ a disruption happens, and more about planning for its impact.
To this end, the discussion paper introduces the idea of impact tolerances. This does not eliminate the familiar Recovery Time Objective (RTO), but rather builds on it. Whereas an RTO is the targeted duration for restoring a specific business process or system after a disruption, an impact tolerance is the maximum level of disruption a firm is prepared to tolerate for a particular business service, for example how long the service can be unavailable before the impact on customers or the market becomes unacceptable. Firms therefore need to think through the dependencies of each service on its underlying processes and systems in order to set impact tolerances and RTOs at the appropriate level. The check is not that each RTO is individually below the tolerance, but that the whole chain of dependent systems can be restored, in order, within it. For instance, the impact tolerance for deposit services may be four hours, but the RTO for a system underpinning that service may need to be two hours, leaving headroom for the other systems in the chain and for the time taken to detect and diagnose the failure, so that the impact tolerance can still be met.
The discussion paper acknowledges that there may be extreme scenarios in which firms breach their impact tolerance. The key action for firms now is to identify those scenarios and actively accept the risk that, in those instances, the impact tolerance will be breached. Reliance on cloud service providers is an interesting illustration: for a small firm, does it make economic sense to invest in an alternative cloud service provider if the probability of disruption is deemed to be low?
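The two paragraphs above describe a mapping exercise: work out which systems a business service depends on, check that their RTOs chain together within the service’s impact tolerance, and identify the scenarios in which the tolerance will be breached. The following is an added illustration of that exercise, not something from the discussion paper or the regulators. The deposit-service dependency map, the RTO figures, the four-hour tolerance and the scenario names are all constructed for the example.

```python
"""Dependency-mapped recovery time versus a service impact tolerance.

Constructed example: a business service (online deposit access) is modelled
as a graph of systems, each with its own Recovery Time Objective (RTO) and a
list of systems it depends on. For a given failure scenario, a system can
only be restored once every dependency it needs is back, so the service's
recovery time is the critical path through the failed part of the graph.
"""
from dataclasses import dataclass, field


@dataclass
class System:
    name: str
    rto_hours: float                 # RTO once its dependencies are available
    depends_on: list = field(default_factory=list)


# Assumed dependency map for a deposit service (not from the paper).
DEPOSIT_SERVICE = {
    "storage":        System("storage", 1.0),
    "network":        System("network", 0.5),
    "database":       System("database", 1.5, ["storage"]),
    "identity":       System("identity", 0.5, ["network"]),
    "ledger":         System("ledger", 2.0, ["database", "network"]),
    "online_banking": System("online_banking", 1.0, ["ledger", "identity"]),
}
# The system customers actually touch; the service is "up" when it is up.
SERVICE_ENTRY_POINTS = ["online_banking"]
IMPACT_TOLERANCE_HOURS = 4.0  # assumed tolerance for the deposit service


def time_to_restore(systems, name, failed, _path=()):
    """Hours until `name` is serving again when the systems in `failed` are
    down. A healthy system is back as soon as its dependencies are; a failed
    one adds its own RTO on top of the slowest dependency."""
    if name in _path:
        raise ValueError(f"dependency cycle through {name}")
    system = systems[name]
    wait = max(
        (time_to_restore(systems, dep, failed, _path + (name,))
         for dep in system.depends_on),
        default=0.0,
    )
    return wait + (system.rto_hours if name in failed else 0.0)


def service_recovery_hours(systems, entry_points, failed):
    """Recovery time of the whole service: the slowest entry point."""
    return max(time_to_restore(systems, e, failed) for e in entry_points)


def assess_scenarios(systems, entry_points, tolerance_hours, scenarios):
    """Return {scenario: (recovery_hours, breaches_tolerance)} so the board
    can see which scenarios it is being asked to risk-accept."""
    results = {}
    for label, failed in scenarios.items():
        hours = service_recovery_hours(systems, entry_points, set(failed))
        results[label] = (hours, hours > tolerance_hours)
    return results


# Constructed scenarios, from a single component loss to a full site outage.
SCENARIOS = {
    "database failure": ["database"],
    "network failure": ["network"],
    "whole data centre lost": list(DEPOSIT_SERVICE),
}

if __name__ == "__main__":
    for label, (hours, breach) in assess_scenarios(
            DEPOSIT_SERVICE, SERVICE_ENTRY_POINTS,
            IMPACT_TOLERANCE_HOURS, SCENARIOS).items():
        verdict = "BREACH" if breach else "within tolerance"
        print(f"{label:25s} {hours:4.1f}h  {verdict}")
```

The point the numbers make is the one in the text: every individual RTO here is well under the four-hour tolerance, and a single database or network failure recovers in 1.5 or 0.5 hours, yet losing the whole data centre chains storage, database, ledger and online banking into a 5.5-hour recovery. That scenario is the one the board must either fund out (a second site, a second provider) or explicitly accept as a known breach.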
Going forward, board members not only need to be engaged in deciding what the appropriate impact tolerances are, but also in deciding when a breach of those tolerances is ‘acceptable’. The trade-off between financial and operational resilience needs to be discussed openly at board level, and board members need to understand the trade-offs they are making.