The journey towards operational resilience maturity

Today marks the day that the UK regulators’ operational resilience rules and guidance come into force. For many firms, the focus over the last year has been to address the specific requirements around identifying important business services, setting impact tolerances, performing sufficient mapping of resources and testing of impact tolerances to identify vulnerabilities, and drafting their self-assessment document.

But the hard work is to some degree still to come, as remediation of those vulnerabilities will continue into the three year transition period that commences today.

So what does tomorrow look like for firms, when it comes to operational resilience? Firms will need to focus their efforts on the following:

Remediation planning and execution

Where firms have identified operational resilience vulnerabilities through their resource mapping and impact tolerance testing, they will need to assess how or if these vulnerabilities should be addressed. Firms will need to review their existing landscape of change programmes to determine whether these vulnerabilities could be resolved through existing programmes, or whether additional actions are required. Prioritisation will be needed in order to focus investment and spending in the right way. In a world of cost cutting, these decisions will likely involve some tough discussions at senior management and board level.

Maturing the operational resilience framework

Firms will need to review and revisit their important business services, impact tolerances and associated mapping and tolerance testing on a periodic basis, but also when material change occurs. Firms need to define the factors for assessing whether a change is material, as well as the thresholds to determine materiality. For instance, if an increase in client base is a key determining factor, by how much does the client base need to grow for it to be considered a material change? Additionally, who is responsible for monitoring these factors and undertaking any reassessment? Many firms have set up project teams and associated governance committees to address the requirements for 31^st March 2022, but these need to transition to BAU models for managing this on an ongoing basis, outlining key roles and responsibilities.

The key to moving towards BAU is having the ability to monitor operational resilience, and to do that in an efficient way. Existing data from across the firm needs to be pulled together to be able to provide a view of the resilience of an important business service, including Operations, Technology, Risk, Front Office etc. For most firms, that data will sit in different databases, so firms will need to consider what their technology and data strategy will look like. Will that data continue to be housed separately, and if so, what work is needed to enable the data to be pulled together and reported under an “important business service view”? Ensuring consistent taxonomies is a key dependency for this - processes, systems and teams all need to be denoted in the same way across different systems and different datasets. Extracting the data is just the first step though, as firms then need to consider how that data gets aggregated, analysed and reported on, and to which forums.

Embedding operational resilience

Firms will need to leverage existing risk and control frameworks for managing operational resilience. A key challenge for firms will be how to embed operational resilience into these risk and control frameworks. This includes, but is not limited to, the following processes and frameworks:

• Change management: A change in business strategy may impact a firm’s list of important business services, whereas a technological change could impact the resource mapping for one or more important business services. As such, the change management framework needs to consider the operational resilience impacts of change
• New product approval: Introduction of new products, or significant changes to existing products could impact the importance of a business service, for example, by changing the client base. As such, the new product approval process needs to consider the operational resilience impact of a new product or significant change to a product
• Third party risk management: When assessing a third party supplier, consideration needs to be given as to whether that supplier supports the delivery of an important business service. If so, additional approvals may be warranted at the point of deciding to onboard the supplier. Sufficient information needs to be collected, upfront and on an ongoing basis, on the resilience of the third party and their ability to support a firm’s impact tolerance(s). That includes information on supporting 4^th, 5^th, n^th parties. For example, a key consideration for many firms that rely on outsourced providers in Eastern Europe, may be around the proximity to Russia and Ukraine, and the concerns this may pose.
• Business continuity and disaster recovery: Key processes and systems identified as part of business continuity and disaster recovery work need to be aligned to those key processes and systems identified as part of the resource mapping work. Firms need to consider how, in the longer term, they can streamline and mature testing to avoid testing the same scenario for BC/DR purposes and as part of impact tolerance testing, and potentially also as part of liquidity/capital planning. There are different testing purposes, requirements and outputs, so this isn’t straight forward, but may involve a single test that then has various deep dive elements to address these different purposes.

The period ahead looks just as busy, if not busier, for firms dealing with their operational resilience. This work will increasingly draw on stakeholders from across 1^st and 2^nd line, with firms moving away from project resources, towards this activity becoming part of the day-to-day jobs of your teams.

If you'd like to know more about the operational resilience rules and possible implications for your organisation, please contact us.