CBI defines operational resilience as ‘the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, recover and learn from an operational disruption.’
This guidance is centred around four core principles:
- Board accountability and ownership of the operational resilience framework;
- Identification of critical or important business services and all activities, including people, technology and processes to deliver these services;
- Setting of impact tolerances for each of these identified critical or important business services and testing the firm’s ability to stay within these tolerances; and
- Continual enhancement of the operational resilience of the firm by incorporating learning into the process.
Changes from Consultation Paper (CP) 140 to the final guidance
- Operational Risk and Operational Resilience Framework Alignment
The final guidance has been amended to reflect that a firm should develop a documented operational resilience framework that should be “aligned with the Operational Risk and Business Continuity Frameworks” rather than “incorporating the Operational Risk and Business Continuity Frameworks”. This gives firms the flexibility to maintain their existing frameworks, with their related processes and reporting, while establishing alignment with the operational resilience framework.
- Number of critical or important business services
The final guidance has amended the observation that larger firms are likely to identify a larger number of critical or important business services than smaller firms. The finalised guidance states that the number of critical or important business services should be proportionate to the nature, scale and complexity of the business. This means that the number of important business services is primarily related to the business model and the range of products and services operated by the firm, rather than to the size of the organisation itself.
- Impact tolerances can be both qualitative and quantitative
The definition of impact tolerance has been amended. The final guidance states that impact tolerances “determine”, rather than “quantify”, the maximum acceptable level of disruption to a critical or important business service. This gives organisations the flexibility to choose the form of tolerance, qualitative or quantitative, that best represents an impact tolerance breach.
- Third-party resilience
Another key change relates to third-party resilience. Where CP140 noted Outsourced Service Partners should have “at least, equivalent” levels of operational resilience as the firm, this has been amended to “a firm should undertake due diligence in respect of its OSPs prior to entering into an outsourcing arrangement, to ensure that third party arrangements have appropriate operational resilience conditions that enable the firm to remain within its impact tolerances” in the final guidance. This is a more practical requirement than trying to establish equivalence between resilience mechanisms across different organisations.
- Role of the Board
A core principle of the Guidance is the enhanced role the Board must play in shaping the resilience of the firm. The Guidance explicitly calls for the Board to be educated on operational resilience and to periodically review operational resilience management information (MI), in addition to a number of discrete formal reviews and approvals of: the operational resilience framework; the criteria for important business services; the identified critical or important business services; impact tolerances; business service maps; scenario testing results; remediation plan results; communications plans; and the self-assessment.
Given the increase in their responsibilities, firms will need to proactively engage with their Board both early on and regularly throughout their operational resilience journey over the coming 18 months. Board approvals should also be factored into the timelines of a firm’s operational resilience programme. Consideration should also be given to the imminent Senior Executive Accountability Regime (SEAR) that will formally define accountabilities including those for operational resilience at the senior executive levels.
- Business service lens
Business services, in the context of operational resilience, are services provided to an external customer or market participant and encompass all key activities comprising this service. This end-to-end service lens will in many cases be a challenge for firms who typically consider processes and underlying resources at an individual level as part of a more siloed approach. Firms must consider this when framing business services and acknowledge that each business service will span multiple functions and teams. In order to gain a full understanding of business services, institutions will require input and support from multiple stakeholders across their organisation including third parties.
- Impact tolerances
Impact tolerance, the maximum acceptable level of disruption to a critical or important business service, is a concept that is new for most institutions. Where existing recovery time objectives (RTOs) focus on the recovery of a process or system often in a rather narrow frame of scenarios, impact tolerances are required to consider harm (customer, firm and market) as the driver for setting impact tolerance metrics. Furthermore, when setting impact tolerances firms must assume that contingencies are not in place. Firms should consider these assumptions and ensure key stakeholders acknowledge and understand them to ensure impact tolerances are set correctly.
- Scenario testing
Firms are expected to have tested their ability to remain within the impact tolerance for each of their critical or important business services. While a firm’s existing testing capabilities can be leveraged for this activity, given the business service lens noted above, these capabilities may not be appropriate.
How can EY help
EY can support you in meeting your operational resilience requirements by tailoring our operational resilience processes and frameworks to meet your specific needs and objectives. Reach out to us to discuss your requirements. Some of the common services which we have provided in the past to clients include:
- Current state assessment
Perform an assessment of your current state maturity and confidence in delivery plans to meet regulatory expectations and timelines.
- Governance & Methodology
Establish governance, ownership, and accountability for resilience, and develop a tailored resilience methodology to guide you through the guideline requirements.
- Important business services pilot
For one or multiple important business services, work through the end-to-end operational resilience journey (mapping, impact tolerances, scenario testing), focusing on knowledge transfer for future important business services and avoiding common implementation pitfalls.
- Enhancing maturity and focus of key capabilities and functions
Support with practical improvements to existing enterprise-wide resilience capabilities and key controls, aligning them to your business services framework.
Prepare and deliver training to Boards to equip them with the necessary information to handle their role in overseeing and owning the resilience of their firm.
- Management Information (MI) and reporting
Define tactical reporting for programme and future-state dashboards to support active management and decision making.