Addressing the regulatory challenge of operational resilience
- 1 December 2020
Are you an ORX Member? Log in here to read the full report (check if your firm is a member)
Operational resilience has been on the regulatory agenda over the last few years, and it's becoming even more of a hot topic right now with the focus shifting to ensuring that institutions can respond to and manage the impact of disruptive events.
The Basel Committee on Banking Supervision (BCBS) consultation paper on its principles for operational resilience has ignited the debate at a global level. On top of this, the ongoing coronavirus (Covid-19) pandemic has also tested the industry’s ability to manage during disruption, meaning that operational resilience is a topic of focus in boardrooms.
Throughout 2020, we've been working with a group of operational risk professionals from our member firms on operational resilience and how the financial industry is responding. Recently, we ran a study with this group which helped us identify six key operational resilience challenges facing firms today, and what to do about them.
6 ways to address the challenges of operational resilience
1. Define the relationship between operational risk management and operational resilience
Although it is widely agreed that operational resilience is an outcome of effective operational risk management, our study showed that many are still treating operational resilience as a separate component of operational risk management. Understanding where and how operational resilience fits into organisational models, from roles and responsibilities through to governance and reporting, is crucial. You need to ensure that a silo structure is avoided and that, whatever approach is taken, synergy between the two is achieved.
2 Clear definitions and terminology will support the industry and allow collaboration
As more definitions are released the differences between them are starting to create confusion and disparity in how operational resilience is approached. For example, UK regulators are promoting a view of creating resilient end-to-end (important) business services, while in contrast, the BCBS references “critical operations”. Although reaching industry and regulator-wide consensus on definitions will be difficult to achieve, it would be valuable.
3. Decide whether to rank criticality of business services and how
Our research and discussions with members highlighted that the way in which important business services are defined, identified and/or managed varies across the industry. Some organisations are calculating, weighting, ranking and prioritising certain activities, while others are taking the view that once defined as important/critical work to achieve resilience is a must. The industry as a whole would benefit from further discussions and collaboration in this area.
4. Use existing operational risk management practices to embed resilience
Our working group agreed that leveraging existing operational risk management practices is crucial to the effective embedding of operational resilience. However, our discussions showed that this is not always straightforward in practice. Two key areas of challenge were scenario development and testing and adapting existing risk and control self-assessments to include an operational resilience perspective.
5. Get the correct level of granularity when defining important business services
For firms falling under UK regulation, being able to set and test impact tolerances will be the determining factor when defining the level of granularity at which important business services are defined. The majority of firms are considering ‘the point of harm’ as part of the process; however, the methodology used varies greatly with no single view of important business services which could be adopted. Instead, our study showed that a blend of approaches would be beneficial.
6. Consider what is important to the firm, the customer, and regulatory and market requirements
The challenge of balancing what is important to the firm and what is important to the customer and the wider market can lead to confusion and discord. For example, UK regulation is highly geared towards ensuring the impact of disruption to the end customer is mitigated. Firms need to make strategic operational resilience decisions and set priorities while protecting their organisation and the wider market
Next steps for ORX & our members
Over the coming months, as the industry prepares to embed operational resilience within their wider risk management frameworks, we will continue to work with our members. We look forward to continuing to support our members and the wider industry by facilitating further working group activities, additional research and ultimately growing our global operational resilience community.
Being involved in our work on resilience is one of the many benefits of ORX Membership. ORX Membership also gives you access to operational risk research, loss data, events and more.