Why operational resilience matters more than ever in 2022 for the UK financial services sector

Despite what appears to be an acceleration away from the worst of the pandemic, businesses continue to face disruptive forces on multiple fronts – rapid digitalisation, increased cyber threats, record inflation, and, of course, the seismic economic shocks felt from the humanitarian crisis in Ukraine - operational resilience is being tested like rarely before.

In order to strengthen, a business must first be clear about what is at stake for the organisation, its customers, and the market. In other words, what constitute the most important business services that directly impact these areas, and therefore what are the critical business risks?

The impact on customers is key. In financial services, operational resilience is explicitly framed by regulators in terms of protecting the organisation itself, safeguarding the customer and the market. Regulatory scrutiny has increased in this sector – evident from operational resilience papers from the PRA, FCA and the Bank of England – and, whilst incidents and disruptions are inevitable, how firms respond effectively is pivotal.

The FCA’s Operational Resilience requirements this year could prove a silver lining for organisations. While they will require considerable investment, they should be viewed as a catalyst for positive change. Financial institutions can strike a competitive advantage in establishing greater operational resilience – building an organisational make-up that can withstand, absorb and quickly recover from disruption in the most time-critical scenarios, where institutional talent is deployed in the most effective manner and where it matters most.

As we have discussed in an earlier post, by the end of March, payments and e-money institutions must be ready to comply with the FCA’s operational resilience regime, which requires them to identify their most important business services, any vulnerabilities in their operational resilience, and map and test impact tolerances. This leads to important actions for firms to consider:

• Effective scoping. Crucial business services are those with a direct impact on a firm’s customers. Organisations can fall into the trap of including internal enabler functions, but they must establish those business services that have impacts beyond their commercial interests alone.
• Setting impact tolerances. A paradigm shift for many firms, who have previously focused explicitly on risk appetite. Even an organisation with zero appetite to risk must still be effectively prepared for disruption that may directly impact its customers and the market. As such, it must strengthen its ability to withstand, absorb and recover from these impacts, rather than just recover.  
• Applying proportionality. For example, firms with outsourcing arrangements often include a long “chain” of linked suppliers, and including all that have a material impact upon the organisation’s impact tolerances is key.

Operational resilience is not a process or a function, and Business Continuity, therefore, cannot simply be rebadged as such. It is a clearly defined outcome and a set of principles to apply in an ongoing, enterprise-wide approach to aid the understanding and management of the critical business risks from the past, those of today, and the new and emerging risks on the horizon.

Most regulators today recognise the impossibility of eliminating risk entirely. What they expect to see are measures that enable the organisation, its customers, and the sector in which it operates to withstand the impact when failures happen. Operational resilience is therefore about ensuring that when an outage, cyber-attack, supply chain failure or other risk event does occur, that the business can demonstrate its actions helped to absorb the shock, rather than contribute to it.

7 steps to building greater operational resilience:

• Define and map your critical business services. Consideration of customer impact is key, and other services that reach beyond commercial value alone.
• Map and test your impact tolerances for each of your critical business services.
• Understand that operational resilience is an outcome, that requires an integrated response across the organisation, bringing together multiple functions.
• Create the right risk culture. Ensure your people understand how their actions could introduce risk into the organisation (e.g., through a data breach) and ensure everybody shares responsibility for managing risk.
• Develop an ongoing regulatory dialogue. Ensure you are clearly communicating to regulators the actions you taking to effectively control and manage risks.
• Plan and prepare. Operational resilience is not a tick-box exercise. It goes beyond risk management. It is about taking steps to make the organisation more operationally effective and deliver better commercial and customer outcomes.
• Adapt and evolve. Scan the horizon for new and emerging risks, and ensure you have the operational resilience architecture in place to effectively learn from sudden and expected risks (as acutely tested during the rapid switch to remote working in the initial stages of the pandemic).