You’re well on your way in implementing an operational resilience program; you have identified your important business services, defined impact tolerances, and completed your mapping. You’ve designed scenarios, tested your ability to meet your resilience, and enabled reporting. But how do you conduct a good self-assessment?
In this blog we cover:
- The requirement to complete a self-assessment
- What to include in the self-assessment
- Who needs to endorse the self-assessment
The requirement to complete a self-assessment
An operational resilience self-assessment is a regulatory concept driven from the Financial Conduct Authority and Prudential Regulation Authority in the UK. While we explore it here in that context, it can be adapted to other organizations to demonstrate your approach to operational resilience. Let’s explore the key requirements of the self-assessment under the FCA regime.
Firms must keep an up-to-date self-assessment which includes a written record of:
- The important business services identified and justification for their identification
- The impact tolerances and the justification for those levels
- The firm's approach to mapping, including how it has used the mapping to identify resources, identify vulnerabilities, and support its scenario testing
- The testing plan and the justification for that plan
- Details of the scenarios that have been tested, and justification for the assumptions made when designing the scenarios
- Lessons learned exercises conducted
- Identified vulnerabilities, including actions taken or planned, and justification for their completion time
- Its communication strategy, and how it will reduce harm caused by disruptions
- The methodologies used to undertake the above activities
One recurring theme above is justification. It’s not enough to just list the important business services and their impact tolerances; you need to explain why they were chosen. We recommend that this justification is captured at the time those assessments are made or updated.
The good news is that if you’ve been applying what you’ve learned in previous blogs in this series, you are well on your way to having the information required to populate your self-assessment. If you’ve enabled your operational resilience capability with technology, you may be able to automate the creation of parts of your self-assessment.
What to include in the self-assessment
While the minimum requirements are outlined above, there is no table of contents or specified format. Firms can take a proportionate approach to developing their self-assessment.
The self-assessment should look holistically at your overall program. Remember that the self-assessment should be prepared for an external audience; it must be provided to the regulator upon request, or you may wish to provide it in some circumstances to third parties.
While there are details you can pull directly from the ongoing performance of your operational resilience program we’ve covered previously (such as lists of important business services, their impact tolerances and justifications), here are some elements you may want to include in your self-assessment beyond extracting information from your program.
After collating all other information, you may wish to prepare an executive summary that provides an overall assessment of the operational resilience program. It may include commentary on any planned activities to improve the level of sophistication in the operational resilience program. It might also include contextual information about your organization, how it is structured, a summary of the services you provide and why they are important to the community.
Consider outlining who is accountable for operational resilience in your organization, including who has oversight and who is responsible for day-to-day implementation. This should demonstrate the capability to look at business services across your organization, and that end-to-end value chains are covered by your program.
Policies and procedures
One of the self-assessment requirements is to include the methodologies and justifications for your operational resilience activities. Including your current operational resilience frameworks, policies, procedures and related documents supports this requirement. You may want to include other related policies or provide a summary of how these policies interrelate. Some examples might include operational risk, third party or vendor management, and information security.
Planned changes to your operational resilience program
If there are major changes planned or anticipated for your operational resilience program, these should be documented in your self-assessment. Particularly where vulnerabilities, risks or deficiencies to the operational resilience program itself have been identified, this provides insight and assurance on how those may be addressed. This may include:
- Planned changes to governance structures
- Business model changes that may affect the way important business services are delivered
- Increasing the resources applied to mapping the interdependencies of important business services or to the testing of scenarios
- Material changes to methodologies, such as the way scenarios are conducted
- Improvements to education or training on operational resilience across the firm
Engagement with third parties
If not already covered in other documents, you may want to specify your working relationships with third parties as they relate to your operational resilience program. This might include:
- How vendors or other critical third parties are consulted during mapping and vulnerability assessments
- How vendors or other critical third parties are engaged or involved in scenario testing
- Engagement with customer forums or advocacy groups when assessing impacts and setting impact tolerance
- Engagement with other market participants to inform aggregate effects of disruption, and collaboration efforts on designing scenarios
Summary of program performance and improvement
In the previous blog, we reviewed some example dashboards and reports that provide insight into the performance of the operational resilience program. These reports can provide a visual summary that supports the more detailed information.
You might also compare these results against the previous self-assessment, which can highlight changes to the performance of the program.
Who needs to endorse the self-assessment, and how frequently?
The self-assessment needs to be reviewed and approved by the governing body of the firm.
There is no defined frequency for a self-assessment. We anticipate that when their operational resilience capability is established, most firms will perform their self-assessment on at least an annual basis. The requirement is for the self-assessment to be ‘kept up to date’, so major changes should prompt a review. Your firm may otherwise prefer to perform them more frequently, particularly while on a journey to sophistication.
As the self-assessment requires approval from the governing body, the frequency should be aligned with their commitment to reviewing the self-assessment for endorsement. Each self-assessment needs to be retained for six years and made available to the regulator on request.
Putting it all together
Before sending it to the governing body for approval, you need to cross your t’s and dot your i’s. You might want to develop a checklist of the items that need to be included in the self-assessment, but you should also take a step back and consider what the regulator really cares about, and where they might have questions.
- Do we have an operational resilience program in place that articulates our methodologies and approach?
- Have we clearly articulated our own gap analysis?
- Are we on the road to sophistication in our activities? Does our self-assessment support that?
- Do we have a clear plan in place and justification for that plan and timelines?
An authentic assessment with a plan for progress is much more plausible than an operational resilience program that looks squeaky clean – something that would certainly be investigated if you subsequently couldn’t meet your impact tolerances due to disruption.
About this series
In this series, we’ve covered the key end-to-end processes related to operational resilience, including reporting and self-assessment. Wherever you are in your operational resilience journey, we hope this how-to series has been useful.
- What is operational resilience?
- What are your important business services?
- Designing your impact tolerances
- Mapping your important business services
- Design and running of a scenario
- Identifying vulnerabilities and actions
- What reporting do management want to see?
- Designing a good self-assessment process [this blog]
Next steps for your organization
Protecht recently launched the Protecht.ERM Operational Resilience module, which helps you identify and manage potential disruption so you can provide the critical services your customers and community rely on.
Find out more about operational resilience and how Protecht.ERM can help:
- Watch our operational resilience webinar
- Download our operational resilience eBook
- Find out more about our Operational Resilience module
Note on regulation and terminology
While this series primarily discusses regulated entities, the guidance can apply to any organization seeking to improve its operational resilience by looking through an external stakeholder lens, whether it operates in financial services, critical infrastructure, healthcare or indeed any other industry.
We use the term ‘important business services’, which aligns with the UK’s Financial Conduct Authority/Prudential Regulation Authority terminology but can and should be adapted to different regions and sectors. There are no formal definitions yet available in the US.
We use the term ‘customer’ in this blog, which can include direct consumers, business to business relationships, patients in health care settings, or recipients of government services. The defining factor is that they are external recipients of the services you provide.