Building Your Company’s Operational Resilience Beyond a Compliance Obligation
On March 29, 2021, the FCA, the PRA and the Bank of England published their final rules and guidance on operational resilience. This means firms within the UK financial sector, such as banks, building societies, designated investment firms, insurance firms, and e-money and payment services firms, will be expected to take steps to ensure their operational resilience. Because the FCA believes operational resilience is non-negotiable for firms operating in financial markets, new rules will apply as soon as March 31, 2022. By this time, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Furthermore, firms will also be expected to have identified any vulnerabilities in their operational resilience and to have a plan for remediating them.
By no later than 31st March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Additionally, firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
Discover what ‘operational resilience’ entails, key requirements of the new operational resilience framework, and how companies ensure compliance.
What is Operational Resilience?
Although operational resilience has been a global hot topic in many industries for a while, the recent disruption caused by the pandemic has only increased awareness of its significance. Not only are companies faced with its critical importance, but regulators have also defined operational resilience as being as important as financial resilience for a healthy marketplace.
So, what does it mean to be operationally resilient? How does operational resilience surpass what we used to call ‘business continuity’ or ‘operational risk management’? The FCA defines operational resilience as ‘the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’
Gartner looks at it from a more solution-based perspective defining operational resilience as ‘initiatives that expand business continuity management programs to focus on the impacts, connected risk appetite and tolerance levels for disruption of product or service delivery to internal and external stakeholders (such as employees, customers, citizens and partners). These initiatives coordinate management of risk assessments, risk monitoring and execution of controls that impact workforce, processes, facilities, technology and third parties across the following risk domains used in the business delivery and value realization process: Security (cyber and physical), Safety, Privacy, Continuity of operations, Reliability.’
Whichever definition or framework companies choose to adhere to, it is important to note that in order to be successful, operational resilience needs to encompass all areas of a business and cannot be limited to a few specific functions, such as IT. The goal is to look at operational resilience as a key driver for the entire business, not just an operational matter.
How can BusinessOptix help?
It is critical that you align with a business that is focused on protecting your core business services and meeting the latest FCA requirements. To illustrate how we help our clients, we follow Gartner’s recommended Five-Phase approach to strengthen the resilience of organizations’ current business models.
Phase 1 – Understand core business services
To understand what is really happening in your organization today, there are a number of accelerators and tools that enable the identification of key services and their core supporting processes.
- Use BusinessOptix Process Mining or import from other mining tools
- Import and convert existing and unstructured content
- Crowdsource business knowledge with Rapid Process Discovery
- Model process, customer experience, data and more by hand
- Combine multiple sources into one ‘end-to-end,’ ‘as-is’ business model
Phase 2 – Identify uncertainties
Understanding and documenting the inter-dependency between different layers in the operation (i.e., people, process, systems, and infrastructure) is essential in demonstrating compliance with FCA requirements. This is the first step in understanding how to eliminate risk to the delivery of customer-facing services and resolve bottlenecks, capacity constraints, human error, and failure to execute customer transactions.
- Identify, manage, and prioritize opportunities
- Contextualize and link to target operating models
- Capture metrics and performance related data
- Gather requirements and user stories
Phase 3 – Assess the impact
Our scenario modelling and simulation tools (including risk assessments and ROI calculators) can then be used to visualize and test options for improving the ‘as-is’ state. Using these insights across several tests, you can compare potential options to support selecting the best strategy moving forward.
- Build a business case for transformation
- Measure current state and consider future state scenarios
- Simulate and analyze scenarios
- Understand risk, compliance and process-related metadata for impact analysis and implementation (Carbon Impact, for example)
- Compare current state processes to best practice
Phase 4 – Design changes
At this point in the process, the emphasis is to develop tentative strategies rather than estimate their feasibility. Selecting and executing changes will follow in the next phase. CIOs and IT should leverage digital technologies and capabilities to facilitate the designed changes.
Leverage our document generation tools to support front line employees, customers, developers and stakeholders with the information they need to support the rollout and use of your new or updated processes.
- Design optimal future state processes
- Manage change and transformation at a high level with T-Maps
- Collaborate with stakeholders to capture business requirements and user stories
- Manage and deliver through the use of Kanbans
- Document Work Instructions to standardize operations
Phase 5 – Execute changes
The decision on which changes to execute is principally a decision for senior leadership teams. The strategies for changes defined in Phase 4 provide essential input for this decision process. Senior leadership teams should select the strategies they find most compelling to implement, a choice that is often based on both economic calculations and intuition.
Once live, use dashboards to measure actual vs. expected performance of new processes and to drive continuous improvements.
- Manage governance, risk and compliance with an integrated solution
- Develop dashboards to understand process performance and manage the process library
- Use process mining to support continuous monitoring and re-discovery to support continuous improvement