Operational Resilience - Looking both ways before you cross the "Resilience Road"
Operational resilience is good practice whether or not you are regulated by the new FCA, PRA and Bank of England Operational Resilience Regulations in UK financial services. That is because the perspective of operational resilience is different to traditional business continuity management. This new operational resilience lens, looking from the outside inwards, will help everyone altruistically. In addition, other jurisdictions are already following suit: the Fed in the US, the ECB in Europe and many regulators around the world are working on operational resilience. Indeed, considering globalisation and digital resilience, we are all connected through customer databases, financial markets and common suppliers of products and services. Not least of these are Internet service providers, Cloud providers, outsourcers and off-shorers, which connect the customer by a supplier through the market to our firms. As we have seen from Covid-19, we were all affected by the same peril. But there are many risks that will only affect one firm in isolation. Business continuity is and continues to be our internal protection; however, as we have seen historically, one firm or one peril can send a ripple effect across the pond or, in domino terms, start a chain reaction. This is where and why the operational resilience lens has a different perspective.
So my analogy of the two different perspectives is crossing the road. It should be no surprise that "looking right" in the UK for approaching traffic when crossing the road does not provide full protection. As we teach our children, looking right is critical but not the whole story. We look right, look left and look right again.
If we see a vehicle approaching from the right, we stop (stop, look, listen, think). This is the business continuity perspective. The lens is on protecting ourselves. We can add some metrics on how long we can tolerate not crossing the road in business impact analysis but, quite rightly, we focus on our firm (Blue).
This schematic shows looking right (our firm), through the business continuity lens. (Source: BCI GPG 2018, BCM Lifecycle)
Operational resilience is a different perspective on the same road crossing, only we are looking in the other direction. We look left to see if any vehicles are approaching from the other direction. In my road safety analogy, this time we are looking through the lens of the customer, where the perils we face could cause customer harm. That is the customer driving in the other direction (Red). This schematic shows looking left, through the operational resilience lens, in the opposite direction from the customer's viewpoint.
This is not just the external view from the customer perspective (they are driving from the left) but also the view from the market perspective, where there are inter-dependencies on instruments and institutions that many rely upon. There are also other road users: sister firms and competitors, some on motorcycles, some in sports cars and some on donkeys. There are transport vendors providing buses and taxis for markets that convey a number of passengers along the same route. There are HGV commercial vehicles, vans and lorries full of products and services. This schematic shows all the traffic on the road, that is the customer, the markets and the suppliers.
In order to cross the road safely, which is to meet our business objectives, we have to look right, look left and look right again. Looking right is where business continuity (Blue) protects us as a firm, but we now need to comply with operational resilience regulations (Red) which are broader and from a different perspective. The good news is there is much common ground (Green) which can be leveraged between the two perspectives.
In the UK, for regulated entities, there are some deadlines to be aware of:
31 March 2022 - Design of framework completed and assessed. First annual cycle of Important Business Services established and operating.
31 March 2025 - Full compliance as a dynamic and iterative process of continual improvement year on year.
The three key points on your "Roadmap to Operational Resilience" are:
· Change of perspective FROM internal corporate focus protecting commercials, assets and reputation in business continuity management TO external perspective looking through the lens of customer harm, systemic effect on markets and supply chain reliability.
· Proactive risk treatment is equal to reactive response.
· Stress testing through scenario-based simulations in a rehearsal against severe but plausible threats.
So what? We could potentially gridlock the entire road network if we stepped off the pavement and caused an accident in either direction. Imagine an accident that would cause a traffic jam and a tailback affecting everyone on the route!
How can you prepare for your journey?
1. Create a roadmap to resilience.
2. Assure your operational resilience design is fit for purpose, in that it is complete and achievable by 31 March 2022. That will prevent any omissions or duplications and provide confidence you are on the right road.
3. Get "Roadside Assistance": should you break down en route, you need back-up.
My nine-step roadmap for achieving Operational Resilience.
Please observe the rules of the road. Stop, look, listen, think.
Andy D Tomkinson FBCI
Associate Director, Operational Resilience, Business Risk Services
Grant Thornton UK LLP
(3 years ago) Good insights Andy Tomkinson FBCI practice is key to success
(3 years ago) Nice comparison and explanation. This roadmap will continue to be a work in progress until the majority are on the same page.
Good work Andy, simplifying complexity! Tufty the squirrel would approve too
(3 years ago) A great read!