With the end of quarter three fast approaching and year end on the horizon, buzzwords in the boardroom are changing to adapt with the seasons. Remaining high on agendas are topics such as Operational Resilience: the ability of financial institutions to prevent, respond to, adapt to, recover from and learn from disruptions to their core business services.
This year the GFSC implemented a more robust approach to internal audit. The regime builds on the existing regulation whilst focusing on putting boards and senior management at the heart of their firms’ operational resilience enhancement programmes and the second line of defence.
It is clear that the regulators expect to see increasing evidence of genuinely operational resilience programmes, particularly around how vulnerabilities, risks and threats to firms’ resources are managed, with focused engagement required from senior management and the board. This also covers any relevant resource provided by a third party, meaning that operational resilience and outsourcing should be regular items on senior management’s corporate governance agendas.
Meanwhile, client expectations have also increased with the entry of FinTech challengers, so clients are looking for providers that are always available. As institutions tackle the operational issues that arise from complexity, they change and adapt how they use technology and, as such, turn to outsourcing to meet consumer needs and grow their business whilst increasing efficiency. Under the regulation, boards are specifically required to approve the core (‘important’) business services, together with the impact tolerances that accompany them, as identified by senior management.
It is comforting to see the regulation moving toward a risk-based approach by ensuring that operational resilience ties back to the corporate strategy. Whilst risk appetite is the amount of risk an entity is willing to take to achieve its objectives, an impact tolerance is ultimately the maximum amount of harm that can be imposed before it becomes intolerable to the firm or its clients. Impact tolerances are based upon severe but plausible events that create an environment exceeding the risk appetite. Perhaps more importantly, impact tolerances can measure vulnerabilities and test key resources such as processes, people, technology, information and facilities that all support a firm’s ‘important’ business services.
As with most regulatory programmes, a key starting point is an internal audit. In this case a business must map its key resources and their interdependencies, document the identified vulnerabilities, record compliance with the operational resilience requirements and detail planned remediation activity. Much like all other regulatory assessments, the assessment report should be reviewed regularly and maintained as a live document until the next one. Boards must then pay attention to the new issues and challenges that will inevitably have emerged from the internal assurance process. When mitigating these issues, boards must consider the regulators’ expectations of prioritising investment and culture change, as this will likely be the first major schedule of operational resilience activities that boards and senior management oversee, so future-proofing it is key, not only for the business but for regulatory engagement.
So how are regulators ensuring boards hold sufficient understanding of operational resilience? By insisting on proactive and ‘regular’ reviews of progress against their operational resilience programmes to ensure that important business services, impact tolerances and related documentation remain ‘fit for purpose’.
In order to fulfil this obligation, boards must have access to appropriate management information (MI), which should be consistent, clear, timely and robust. Firms may consider building on existing data and applying a resilience lens, although new MI may still need to be developed. It is therefore critical that the board has the relevant knowledge, skills and experience to read and understand the MI, enabling it to constructively challenge senior management where appropriate and make informed decisions with the firm’s operational resilience requirements in mind.
Although the regulation focuses on senior management and the board, regulators are allowing flexibility in how operational resilience governance is structured. This could mean repurposing committees or establishing new ones. A committee structure is something we would always recommend when considering governance and structuring: committees enable increased flexibility, diversity, consistency and efficiency.
Boards need to ensure that there are appropriate and effective risk management systems and strategies in place to manage their third-party providers from the board level down. But what does this look like? It is evidenced via a firm’s internal governance documentation, such as policies on outsourcing, cyber security and operational resilience. Establishing tight policies and procedures that are informed by the other policies and strategies present within the business is key to the effective management of outsourcing.
Ultimately this is a huge opportunity for businesses to act and maintain momentum from their initial internal audits. Regular MI should be forthcoming in every firm and Company Secretaries can play a key role in supporting senior management and the board to allocate sufficient time and focus to operational resilience discussions and reporting at meetings.
Building the sophistication of a firm’s operational resilience is no small task, but the benefits of creating a resilient business are worth it.
At Aspida, our Governance, Compliance and Risk Management & Assurance services are built around highly qualified and skilled staff providing multi-jurisdictional support tailored to fit your needs. You’ll find a wide range of services designed to help businesses comply and manage risk in the now, combined with innovative solutions designed to help mitigate and manage future risks (and the unexpected, such as Cyber Risk and global pandemics).
Contact us today to find out more about how Aspida can assist you with understanding and enhancing your business’s operational resilience, from internal audit to occasional compliance and governance health checks. We can support you with the assurance and peace of mind to define, mitigate, manage and monitor your risks, whilst you focus on growing your business.