What does op-res maturity mean in practice – and how can you navigate the pathway to achieve it? In this article, Protecht’s EMEA Director of Customer Success Gary Lynam sums up the most important points of his Risk EMEA presentation earlier this year.
Download this White Paper as a printable PDF
With firms having submitted their IBS playbooks, the final rules of the joint FCA/BoE/PRA op-res policy, PS21/3 (“the policy”) are now in effect. There is a transitional period until 31 March 2025, at which point all firms are required to consistently remain within their impact tolerances. However, firms that do not make reasonable efforts to remain within impact tolerances during this period will be in breach of the new rules. The rules will drive close collaboration between the business and second-line line teams, so it’s imperative that everyone knows how to work toward the common goal.
Key considerations to refine operating model
As we go through the steps required to reach op-res maturity, there are five key considerations to keep in mind:
- Harnessing Insight from IBS: Being operationally resilient is an iterative and evolving process. Impact tolerances and related risks and controls are subject to an ever-changing landscape of threats, so frequent mapping and testing is required to identify emerging IBS vulnerabilities. Organisations might consider a decision tree to validate IBS are current and remain the utmost priority to customer base.
- Create High Impact Engagement Through Visualisation: The policy asks that op-res practices, mapping and scenario testing are reviewed and approved by the board or equivalent management body. All ERM information therefore has to be readily accessible and understood by senior managers – and, given the previous point, reviews and approvals should optimally be based on real-time data and supported by process automation. With such large complex processes in scope, visualisation will be key to ensuring effective engagement with leadership teams.
- Embed Efficiently to Avoid Fatigue: Firms are to regularly submit self-assessment documents during the transitional period. Reviewed and approved by senior management, these documents are to show the organisation’s journey toward op-res maturity. To prevent fatigue, organisations should be considering the digitisation of these processes to enable fluency of movement between entities, management layers and functional teams and ensure lessons learned and continuous improvement opportunities are being executed upon.
- Continuous Improvement Culture: Whilst firms could identify their own IBS and set impact tolerances during the policy implementation period, which ended 31 March 2022, regulators are now benchmarking submissions from across the sector. In doing so, they keep an outside-in mindset: no matter the impact on the firm, any service whose failure would cause “intolerable harm” to consumers or market integrity is considered to be an important business service, and impact tolerances are to be set accordingly.
- Refresh Overall Resilience Methodology: The regulators note that operational resilience is likely to become a competitive advantage. Against the backdrop of societal disruptions such as the pandemic and the conflict in Ukraine, future customers may well choose the most resilient firms. For many, recent changes are likely to trigger a wider review of the entire organisational resilience landscape. This expands the conversation into approach to leadership, organisational culture, market perception and environmental, social and governance (ESG), which, if objectives have become unclear have the potential to have detrimental effect to brand and reputation, and subsequently strategic outcomes.
Growing risk maturity organically
Regulators underline that the very concept of resilience assumes that disruptions are inevitable. Firms need to be able to “continue providing the services most relied upon by consumers and markets (important business services) during severe but plausible scenarios from the perspective that these disruptions have already happened (impact tolerance)”.
What will be required by 31 March 2025, is in effect for firms to have established a self-regulating operational resilience ecosystem that has the ability to:
- Withstand severe but plausible shock events over period of time
- Quickly ascertain any interconnectivity of shocks to the operational resource asset pool
- Retain control whilst applying countermeasures effectively
- Adapt to new normal whilst maintaining service integrity
- Communicate recovery plans, including impact exposure areas, efficiently with Board and Senior Management.
Much like with the science of managing an actual ecosystem, all required knowledge and actions cannot rest with a single expert or team. Everyone and every function tied to an IBS must form an interconnected network with a central repository, where intuitively presented information is organically sourced, disseminated and acted upon, creating a real-time feedback loop that gradually consolidates and strengthens the firm’s operational resilience.
This cycle covers five areas: IBS, Mapping, Impact tolerance, Scenario-testing and Adaptation:
Pathways to sophistication
Below, we’ll show the pathway to sophistication for each part of the cycle, highlighting the current average state of the market and contrasting major weaknesses of legacy approaches with mature, self-serving operational resilience ecosystems.
Important business services
Mapping
Impact tolerances
Scenario-testing
Adaptation
Overall differences between legacy approaches and mature ERM
Reflecting on the above, there are some common themes that separate legacy approaches from a fully digitised mature ERM. Main conceptual differences include:
Perspective
Legacy systems apply an internal lens, focussing on what’s within the firm’s control and what effects impacts will have on the business itself. A mature ERM shifts the mindset to focus on the key metric of the regulator policy: how robustly the firm can defend their IBS impact tolerances from the point of view of consumers and the market – whether disruptions occur within or beyond the firm’s control.
Engagement
With static and siloed documentation, legacy approaches cement the “tick-the-box” attitude to risk management. A mature ERM solution leverages a central repository to enable self-serving by everyone from operations through op-res teams to senior management. It makes it easy for the individual to take ownership of their tasks and for different groups of stakeholders to have valuable conversations. This accountability shift creates an uplift in risk culture across the organisation.
Control
Legacy systems lack the ability to show interdependencies and flow-on effects. A mature ERM ecosystem links all important business services and KRIs with vulnerability ratings, impact tolerances and risk appetite. If for instance, there’s a small change in third party SLA affecting a particular BIS, the potential implications immediately become visible across the platform. An integrated system can provide the holistic insights that senior management need to take full accountability as per the policy.
Visualisation
Legacy systems cannot show customised views relevant to a particular stakeholder, and reporting requires analysis and compilation by specialist teams. A modern ERM features personalised dashboards and quickly generates the right report for the right audience, featuring intuitive visuals and Plain English. Senior management can focus on strategy, and catering to regulator audits is done in a few clicks.
Workload
The degree of manual work required by legacy approaches make keeping current and in control physically untenable. Doing away with bureaucracy, a mature ERM operates on a strict self-serve basis, so that educated decisions can be made quickly and accurately at all times, with the integrity of any decisions being maintained through auditable digitised timestamps.
Agility
Legacy approaches – even integrated systems – cannot complete the cycle without manual input by specialist teams. Mapping, scenario-testing and adaptation therefore become more or less periodical. By contrast, a mature ERM continuously runs the full cycle, so that altered IBS, third party relationships and new risks can be taken into account in real time.
Conclusions
Organisations have invested much time to stand-up operational resilience capability. Many have stood up new functions and resourced according to support ongoing operational effectiveness. On balance, we assess the market as having basic defined operating models that supported initial regulatory submission.
The challenge for organisations is now to demonstrate learnings, continuously improve and seamlessly embed new/refreshed processes in existing frameworks. Management require distilled insight and views to ensure outcomes of operational resilience processes are understood and provide the necessary objective data points to support decision making and investment in IBS, if required. To move to an integrated/sophisticated operating model, a digitised solution should be considered which seamlessly integrates existing traditional ERM framework components with IT, Supplier Management and Business Continuity Management (BCM) functions. In the absence of tooling, organisations will likely struggle to move to the regulatory desired end state.
A final point to bear in mind is that your ERM solution itself is subject to the policy rules, and the responsibility for any failures ultimately rests with you. This makes it vitally important to ensure that both the software and the supplier are fit-for-purpose – and that the supplier can demonstrate that they understand the regulatory environment you face and the transition that your business will need to make.
Next steps for your organisation
Protecht recently launched the Protecht.ERM Operational Resilience module, which
helps you identify and manage potential disruption so you can provide the critical
services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help: