Creating Operational Resilience – A Core Board-level Responsibility
With the end of quarter three fast approaching and year end on the horizon, the buzzwords in the Boardroom are changing with the seasons. Remaining high on agendas are topics such as Operational Resilience – the ability of financial institutions to prevent, respond to, adapt to, recover from and learn from disruptions to their core business services.
Last year the Bank of England (BoE), Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) jointly published a new UK regulatory regime focused on the operational resilience of financial institutions. The regime builds on existing regulation whilst putting boards and senior management at the heart of their firms’ operational resilience enhancement programmes. Whilst it is not (yet) directly applicable to offshore entities, many of its points correlate with, and are relevant to, regulated businesses in much the same way.
The first regulatory deadline of 31st March 2022 required firms to approve their self-assessments, describing how they identified core business services, set impact tolerances, mapped their resources and scenario tested to identify vulnerabilities. The next regulatory deadline is 31st March 2025, by which institutions will need to have enhanced their capabilities to evidence that they can remain within those impact tolerances. It is clear that the regulators expect to see increasing evidence of genuinely operational resilience programmes, particularly around how vulnerabilities, together with risks and threats to firms’ resources, are managed, with focused engagement from senior management and the board. This includes any relevant resource provided by a third party, meaning that operational resilience and outsourcing should be regular items on senior management’s corporate governance agendas.
Of course, Covid-19 highlighted the importance of operational resilience, and regulators have subsequently declared that operational resilience is ‘no less important than financial resilience’, given the ever-increasing operational risks such as cyber security, privacy concerns, data protection, money laundering and market abuse issues, all arising from newly remote or hybrid workforces.
Meanwhile, client expectations have also increased with the entry of FinTech challengers, so clients are looking for providers to always be available. As institutions tackle the operational issues that arise from complexity, they change and adapt how they use technology and as such turn to outsourcing to meet consumer needs and grow their business whilst increasing efficiency. Under the regulation, boards are specifically required to approve the core (‘important’) business services together with the impact tolerances that accompany these, identified by senior management.
It is comforting to see the regulation moving toward a risk-based approach by ensuring that operational resilience ties back to corporate strategy. Whilst risk appetite is the amount of risk an entity is willing to take to achieve its objectives, an impact tolerance is ultimately the maximum amount of harm that can be imposed before it becomes intolerable to the firm or its clients. Impact tolerances are based upon severe but plausible events that create an environment exceeding the risk appetite. Perhaps more importantly, impact tolerances can be used to measure vulnerabilities and test the key resources, such as processes, people, technology, information and facilities, that support a firm’s ‘important’ business services.
As with most regulatory programmes, a key starting point is a self-assessment. In this case a business must map its key resources and their interdependencies, document the identified vulnerabilities, record compliance with the operational resilience requirements and detail planned remediation activity. It should be noted that this mapping should not be seen as an IT issue alone. Much like all other regulatory assessments, it should be reviewed regularly and maintained as a live document. Boards must then pay attention to the new issues and challenges that will inevitably have emerged from the self-assessment process. When mitigating these issues, boards must consider the regulators’ expectations of prioritising investment and culture change, as this will likely be the first major schedule of operational resilience activities that boards and senior management oversee; future-proofing it is therefore key, not only for the business but for regulatory engagement.
Regulators are requesting that boards ‘must demonstrate the necessary knowledge, skills and experience of operational resilience and must be capable of maintaining a culture of risk awareness and ethical behaviour for the entire organisation’. So how are regulators ensuring boards hold sufficient understanding of operational resilience? By insisting on ‘proactive’ and ‘regular’ reviews of progress against their operational resilience programmes to ensure that important business services, impact tolerances and related documentation remain ‘fit for purpose’.
In order to fulfil this obligation, boards must have access to appropriate management information (MI), which should be consistent, clear, timely and robust. Firms may consider building on existing data and applying a resilience lens, although new MI may still need to be developed. It is therefore critical that the board has the relevant knowledge, skills and experience to read and understand the MI, enabling it to constructively challenge senior management where appropriate and to make informed decisions with the firm’s operational resilience requirements in mind.
Although the regulation focuses on senior management and the board, the regulators allow flexibility in how operational resilience governance is structured. This could mean repurposing existing committees or establishing new ones. A committee structure is something we would always recommend when considering governance and structuring, as committees enable increased flexibility, diversity, consistency and efficiency.
Boards need to ensure that appropriate and effective risk management systems and strategies are in place to manage their third-party providers from board level down, but what does this look like? It is evidenced through a firm’s internal governance documentation, such as its policies on outsourcing, cyber security and operational resilience. Establishing tight policies and procedures, informed by the other policies and strategies present within the business, is key to the effective management of outsourcing.
Ultimately this is a huge opportunity for businesses to act and maintain momentum from their initial self-assessments. Regular MI should be forthcoming in every firm and Company Secretaries can play a key role in supporting senior management and the board to allocate sufficient time and focus to operational resilience discussions and reporting at meetings.
Building the sophistication of a firm’s operational resilience is no small task, but the benefits of creating a resilient business are worth it.
At Aspida, our Governance, Compliance and Risk Management & Assurance services are built around highly qualified and skilled staff providing multi-jurisdictional support tailored to fit your needs. You’ll find a wide range of services designed to help businesses comply and manage risk in the now, combined with innovative solutions designed to help mitigate and manage future risks (and the unexpected, such as Cyber Risk and global pandemics).
Contact us today to find out more about how Aspida can assist you with understanding and enhancing your business’s operational resilience. From internal audit to occasional compliance and governance health checks, we can support you with the assurance and peace of mind that comes from defining, mitigating, managing and monitoring your risks, whilst you focus on growing your business.