As part of our ‘embedding resilience’ series, we look at the key concepts and questions that firms need to address when establishing a robust governance and reporting framework to underpin their understanding and oversight of operational resilience.
Traditionally, discussion of resilience at senior management and Board level within a financial services organisation has focused heavily on the understanding and management of financial resilience. Less prominence has generally been afforded to the oversight of operational resilience – until, of course, something has gone wrong, either as a result of an internal operational failure or a broader systemic event. The disciplines of Business Continuity Management and Disaster Recovery have largely been confined to lower level technical committees or decision forums, certainly with less visibility and oversight from the very top of the house when compared to financial resource management.
At the heart of the idea of re-framing resilience is the acknowledgment that operational resilience must be a routine Board-level concern. This is underpinned by the mandates of different regulatory authorities (not least the PRA and FCA in the UK in their recent Policy Statements) but, independently of this, it is an outcome that larger institutions have been pursuing over the last couple of years.
To achieve this, organisations must grapple with several complex but critical questions:
1. GOVERNANCE HIERARCHY
Defining an optimal governance hierarchy in support of operational resilience is complicated by the different approaches of individual regulators in identifying accountability and ownership within an organisation. In the UK, the SMF24 (where one exists) is clearly identified as the accountable executive responsible for operational resilience – grounding ownership of resilience as a discipline in the 1st line. Conversely, we see certain Asian regulators placing accountability on the CRO, thus putting the emphasis on 2nd line processes and governance forums. However, even outside of Asia we have seen firms leading the execution of their resilience work out of the 2nd line.
In our view, maintaining the boundaries of the three lines model is as important for resilience as it is for the inherent risks that impact resilience (i.e. cyber, tech, third party, etc). We strongly believe that resilience processes should be owned and managed within the 1st line. Beyond the explicit mandate for the COO in the UK regulatory regime, the PRA / FCA concept of defining Important Business Services (IBS) naturally lends itself to the identification of a business owner for each of those services, further embedding risk ownership. In the process, this can create some useful tension between business and resource owners as they seek to reconcile different priorities and strategic agendas in remediating vulnerabilities.
With 1st line responsible for the identification of vulnerabilities and their proposed remediation through existing operations decision forums, 2nd line, as owners of the resilience framework, is then able to fulfil its mandate of oversight and challenge. We would expect this to focus on the qualification of vulnerabilities and the effect of proposed remediation or control enhancements. Inherent within this is the expectation that 2nd line will play a critical role in ensuring that the boundaries of scenario tests and outcomes are appropriately understood and conveyed.
The result of this delineation is a typical governance structure as illustrated below. It’s worth noting that leveraging existing forums will always provide the most efficient means of governance but inevitably agendas and schedules are already crammed full of important topics, particularly at the most senior levels of an organisation. What’s clear however, is that resilience isn’t just a ‘for noting’ item on any agenda – it requires evidence of robust debate and decision-making. Where firms cannot accommodate appropriate time within existing forums, they must look to establish new ones.
Remediation activities and investment proposals originate through 1st line decision-making, with the net outcome reviewed and challenged as appropriate by 2nd line forums.
2. VULNERABILITY PRIORITISATION
The approach to ensuring appropriate prioritisation and escalation of vulnerabilities will be informed by materiality criteria and thresholds that are specific to each firm and each governance forum, but it will rely on the process that firms employ to qualify vulnerabilities.
The starting point for identifying vulnerabilities is generally a set of leading and lagging resilience indicators that provide some insight into potential vulnerabilities, either in the ability to prevent or identify disruption or to respond and recover from it. But it’s important to understand the limitations of these indicators, particularly in respect of the requirements of the UK regulatory regime, under which a firm must assume that disruption will occur.
It is challenging to link a set of resilience indicators to the impact of disruption in a meaningful way. As such, our view is that indicators may be useful for low level monitoring but have limited value for senior governance forums. More significantly, indicators can be used to inform scenario testing plans by highlighting potential resource or service vulnerabilities that a firm may want to stress through a scenario. Ultimately, it is the outcomes of scenario-testing that will provide the most meaningful and relevant understanding of vulnerabilities and their relative significance to the delivery of an IBS.
As such, relaying the outcomes and implications of scenario tests through the governance hierarchy becomes central to effective decision-making. But scenario-testing in itself contains a substantial assumptive element and as such, merely presenting outcomes is insufficient. Senior management and the Board will need to understand the boundaries of the assumptions made to assess the impact of a vulnerability (often across multiple IBS) in order to validate any proposed priority remediation investment.
From a UK perspective, scenario testing is not an exercise intended to precisely replicate the conditions of a future event. Its purpose is to help firms understand the way in which a vulnerability might impact the customer, market or indeed the firm’s viability. Firms will therefore need to think carefully about how they provide senior management and the Board with the appropriate context to any scenario testing outcomes so as to appropriately inform decisions.
3. MANAGEMENT INFORMATION
Finally comes the question of what Management Information (MI) is necessary to drive resilience decision-making at the highest levels of the governance hierarchy. While specific resilience indicators will be reported in lower-level governance forums, senior management and the Board will require a strategic perspective of any vulnerabilities that have a material impact on the firm’s service provision.
To that end, top-level MI should be set out to focus on the material vulnerabilities that have been qualified through scenario analysis and in the context of the Impact Tolerance of IBS. Information attached to these vulnerabilities will need to include the identified impact of the specific vulnerability across the IBS inventory of the firm (expressed, in the UK, in relation to the Impact Tolerance of the impacted IBS) and – as outlined above – the boundaries of the assumptions related to that impact.
But firms also need to be prepared to furnish their executive committees and Boards with a forward-looking view of the firm’s resilience. This goes beyond the impact of any proposed vulnerability remediation and should address any broader strategic or tactical change in the operational environment in a way that enables firms to really live by the maxim of ‘resilient by design’.
This forward-looking assessment needs to draw on the same fundamentals as the current-state analysis and should be triggered by whatever guardrails a firm has in place to flag a proposed change to the IBS resource map. Fundamentally, the analysis of the change and its impact needs to demonstrate the same understanding of impact on the vulnerability profile of the IBS inventory and related Impact Tolerances. This will ensure that senior management and the Board arrive at a consistent understanding of the factors driving vulnerability and how those factors play out across their IBS.
Ultimately, the ‘reframing’ of resilience must come from the top of any organisation and setting the agenda for the way in which it is governed is fundamental to that. This is easier said than done. The quality of the information fed upwards through the governance hierarchy will be fundamental in driving the necessary discussion and decision-making and in ensuring resilience is a fundamental success factor in the performance of the organisation.
If you would like to discuss this, or broader operational risk and resilience in more detail, please contact OpResilience@baringa.com