Strengthening Operational Resilience Capabilities
The Association of Governance, Risk & Compliance (AGRC)
Connecting the global GRC community
Introduction
In today’s rapidly shifting risk landscape, resilience has become a critical priority for organisations worldwide. The interconnected nature of modern risks—ranging from cyber threats to global pandemics like Covid-19—has underscored the necessity for robust resilience and business continuity programs. These programs are essential not only for managing and mitigating disruptions but also, and perhaps even more importantly, for ensuring swift recovery. As organisations navigate this complex terrain, regulatory frameworks, particularly in the EU and UK, play a pivotal role in guiding and shaping resilience strategies. Strengthening resilience capabilities is not just about surviving the next crisis but about building a foundation for sustained stability and growth in an unpredictable world.
Operational Resilience
Operational resilience encompasses initiatives that go beyond traditional business continuity management. Unlike conventional approaches, operational resilience considers an organisation’s risk appetite and tolerance levels, ensuring that disruptions—whether minor or catastrophic—are managed in a way that minimises harm to internal and external stakeholders.
The scope of operational resilience spans multiple domains critical to business operations. Security, both cyber and physical, ensures that systems and facilities are safeguarded against breaches or attacks. Safety measures protect the well-being of employees and customers. Privacy safeguards sensitive data from unauthorised access. Continuity of operations ensures that essential services remain available during disruptions, while reliability guarantees consistent service delivery. For example, during a cyberattack, operational resilience would enable a company to maintain customer services while containing and resolving the threat.
Why is it Important to Strengthen Operational Resilience?
Strengthening operational resilience is crucial for safeguarding the stability of organisations, particularly within the financial sector. In the UK and the EU, the ability to absorb shocks and maintain critical operations during disruptions is not just a regulatory requirement but a necessity in protecting consumers, firms and financial markets. Without robust operational resilience, disruptions can escalate, leading to significant financial losses, damage to reputation, and erosion of consumer trust.
The Covid-19 pandemic highlighted the vulnerabilities of organisations unprepared for large-scale disruptions. Firms that lacked strong operational resilience faced severe challenges, such as halted operations, compromised data security, and the inability to deliver essential services. Conversely, those that had invested in operational resilience were able to quickly adapt, maintaining continuity in their services despite the unprecedented global upheaval. For example, banks with resilient IT systems managed to continue offering digital services even when physical branches were closed, ensuring customers could access their funds and financial products without interruption. This experience underscores the necessity for ongoing investment in operational resilience, as it enables organisations to navigate crises effectively, protecting both their operations and the broader economy.
What challenges have you faced in implementing or improving operational resilience in your organisation? Do you think the pandemic has permanently shifted the approach to resilience planning?
Regulation and Harmonisation
Regulatory frameworks in both the UK and EU play a pivotal role in shaping operational resilience strategies for financial institutions. In the UK, regulations such as those set by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) require firms to maintain robust operational resilience. These guidelines require institutions to identify critical business services, set impact tolerances, and ensure they can continue to deliver essential services during disruptions.
In the EU, the Digital Operational Resilience Act (DORA) provides a comprehensive framework specifically for financial institutions. DORA sets out stringent requirements for ICT risk management, incident reporting, digital operational resilience testing and the monitoring of ICT third-party risks. It aims to ensure that financial entities can withstand, respond to and recover from operational disruptions, particularly in the digital domain.
Harmonisation of these standards is crucial, as the European Supervisory Authorities (ESAs) work to ensure that DORA is implemented consistently across the EU, reducing fragmentation and ensuring a unified approach to operational resilience. However, whilst both the regulations and a process of harmonisation are critical, they are not sufficient on their own. True operational resilience requires ongoing investment, proactive risk management, and a culture of continuous improvement within organisations, beyond mere regulatory compliance.
Access the full article via this link
For more articles, please visit our website | The Compliance Digest
Buying into GRC Principles
In the current regulatory landscape, organisations operating within the EU and UK face increasing pressure to implement robust governance, risk management and compliance (GRC) frameworks. Regulatory bodies have enacted stringent laws such as the EU’s General Data Protection Regulation (GDPR) and the UK Bribery Act, aimed at promoting transparency, ethical behaviour and responsible risk management. Compliance with these regulations is not only a legal obligation but also critical for establishing a strong ethical foundation within organisations. Failure to implement GRC principles can result in severe penalties, legal consequences, and lasting reputational damage, undermining the organisation’s long-term viability.
The Challenge of Buy-in
However, achieving universal buy-in for GRC implementation poses significant challenges. Non-cooperation from employees who may view GRC processes as burdensome or unnecessary can hinder adoption across the organisation. In some cases, active sabotage may occur, where individuals deliberately bypass GRC procedures, either because they do not believe those procedures matter or because they perceive that their own actions will have no effect on the wider organisation. Ethical dilemmas, coupled with a lack of internal integrity, can further weaken GRC efforts. Without a culture that values ethics and compliance, the organisation risks exposing itself to regulatory breaches, operational inefficiencies and reputational harm, making GRC adherence both essential and challenging.
How does your organisation ensure employee buy-in for GRC initiatives? Have you encountered any resistance or challenges in achieving consistent adoption?
Poor Understanding and Inconsistency | Achieving universal buy-in for the implementation of GRC principles presents several significant challenges for organisations. One primary barrier is the lack of understanding and poor training. In many cases, employees are not adequately trained on GRC principles, leading to inconsistent application across departments and roles. Training programs may fail to effectively communicate how GRC impacts day-to-day responsibilities, resulting in confusion or disengagement. Unsuccessful GRC implementation is often a sign of unclear or irrelevant ‘one-size-fits-all’ training that leaves employees with no sense of the practical importance of GRC in daily operations.
Poor Communication | Another challenge is poor internal communication of GRC information and principles. Organisations often struggle with communication gaps that leave employees disconnected from GRC objectives. When leadership fails to consistently and clearly articulate the importance of GRC, employees may perceive it as a bureaucratic exercise, rather than a crucial aspect of their work. Siloed information and inconsistent messaging can result in a lack of alignment between different departments, with some individuals unclear about how GRC relates to their specific roles.
Regional Differences | For international organisations, the implementation of GRC is further complicated by cultural differences across regions. Variations in ethics, risk tolerance and governance expectations make it difficult to adopt a one-size-fits-all approach to GRC. In some cultures, local business practices may clash with global GRC standards, leading to resistance or incomplete implementation. Organisations must find ways to navigate these cultural differences. This balancing act is critical to achieving universal GRC adoption across multinational operations.
Resolving the Challenges
Successfully embedding GRC principles throughout an organisation requires practical strategies that address the unique challenges of buy-in from all team members. The following approaches offer solutions to key barriers such as lack of understanding, poor communication, and cultural diversity.
Upcoming
Events & Conferences
22 October 2024 | Data, AI and the Future of Financial Services Summit 2024
24-25 October 2024 | 15th China International Anti-Corruption Compliance Summit 2024
30 October 2024 | From Assessment to Action: Securing Buy-In, Assessing a Program & More
04-06 November 2024 | Marcus Evans Announces the 9th Annual GRC AFRICA 2024 Conference
To stay updated on the latest happenings and upcoming events, explore our Events & Conferences section. Discover dynamic forums designed to foster networking opportunities and knowledge-sharing within your specific community or field.