Operational Resilience is the hottest topic on the block right now! Boris has ‘Got Brexit Done’, and Boards have moved to the next big challenge which is to deliver the new regulatory requirements on operational resilience. It’s vital that firms avoid the mistakes of conduct ‘risk’, where grandiose new conduct risk frameworks were established, leading to inefficiency, duplication and needless complexity. Operational resilience is not a new risk. It is an outcome, and the Operational Risk Management (ORM) framework and tools should be used to deliver it.
Operational resilience has a genuinely global regulatory focus, thanks to the Basel Committee on Banking Supervision’s Operational Resilience Group (ORG), set up back in 2018. As has often been the case, the UK regulators have led the way on regulatory reform, first with a joint FCA/ PRA DP ‘Building the UK financial sector’s operational resilience’ in 2018, and more recently by CPs in December 2019 from both PRA and FCA – an unfortunate downside of our fragmented regulatory structure is that we have 2 CPs covering essentially the same ground except for their focus: FCA on consumers and markets, and PRA on firm safety and soundness and financial stability. Responses to the CPs are due by 3 April, and FCA/ PRA expect to publish the final rules in the 2H 2020, which will take effect in the 2H 2021 – albeit firms may have up to 3 years to fully comply. Basel is expected to follow later this year with something similar in concept to the UK approach.
I wrote previously (https://www.linkedin.com/pulse/renaissance-operational-risk-management-hinchliffe-mcsi-fior/) that the regulatory focus on operational resilience will lead to a renaissance in ORM. The explosion in conferences, webinars, training events and briefing notes from every consultancy firm in the multiverse on operational resilience certainly seems to confirm this! I believe the regulatory focus on operational resilience brings enormous opportunities for ORM as a discipline and profession to finally deliver enormous value to firms.
Delivering Operational Resilience – a recipe for value and efficiency.
Back in 2018, some consultants started peddling operational resilience as a brand new risk type and offered to build, in return for lots of money, beautiful new ornate operational resilience frameworks to be staffed by armies of new Operational Resilience Managers. Thankfully, the regulators have made clear that this is absolutely not what they want! We should be thankful that regulators have clarified their expectations before the ‘operational resilience risk’ horse has bolted. We all remember the disaster of conduct ‘risk’ and the rabbit holes that many organisations went down by treating conduct as a separate, ‘new’ risk type with a separate ‘conduct risk framework’, committees and conduct managers with hifalutin titles.
As stated above, despite what some consultants may say, operational resilience is an outcome (not a new risk type) and the ORM framework should be used, with appropriate tweaks and enhancements, to deliver operational resilience. In addition, other existing frameworks for the various operational risk types, including business continuity, crisis management, vendor management and so forth, should be fully utilised in an integrated approach to operational resilience. However, it is important to note that regulatory expectations on operational resilience are much broader than mere business continuity – to use PRA’s Lyndon Nelson’s WAR acronym, the Withstand and Absorb are at least as important as, if not more important than, the Recover. Operational resilience is about proactive prevention more than reactive recovery.
Accountability has been a key focus of global regulators’ post-crisis agendas, and in the UK this has been delivered through the Senior Managers and Certification Regime (SM&CR). For the FCA in particular, SM&CR is the key mechanism for driving positive cultural change in the industry, to help reduce the frequency of the damaging conduct scandals that have plagued the industry for decades. SM&CR, and ensuring there is clarity on who is accountable and responsible for what, also has an important role in operational resilience. Operational resilience requires organisations to look horizontally at important business services (and their supporting activities and resources) end-to-end, and this necessarily means involving functions and SMEs from right across the organisation (and indeed beyond, to third party providers). Although the first line of defence SMF24 Chief Operations Function is expected to take the overall lead and be accountable for operational resilience, it’s critical that they partner with other functions, most importantly the ORM team, so as to ensure that the operational risk framework is used. Given the recent industry trend for ORM teams to focus only on oversight and challenge, it’s important in the case of operational resilience that the team engage as trusted partners with the 1LOD functions.
Although regulators have an ‘outcome based approach’ to operational resilience, it is not a free-for-all, and regulators have defined a methodology for achieving their desired outcomes. It’s vital that the additional elements introduced by the regulators for operational resilience (e.g. the processes for identifying important business services, for mapping resources to the important business services, scenario analysis, and the setting of impact tolerances for important business services) are considered in a way that is proportionate to the nature, scale and complexity of the organisation. For instance, it is not proportionate to identify every activity supporting a business service. There is a principle in philosophy called Occam’s Razor, which states a preference for simpler solutions (i.e. if two rival theories have the same explanatory power, we should prefer the simpler one, e.g. the one with fewer assumptions). It seems in risk management there is a tendency to utilise a reverse version of Occam’s Razor (an ‘Occam’s Inflater’, if you will), with a preference for risk frameworks that are more complex than they need to be. For delivering operational resilience, we should apply a principle similar to Occam’s Razor, preferring the simplest approach that achieves the desired resilience outcome.
This means, for example, doing the mapping of resources to important business services at the appropriate level of granularity; utilising existing systems rather than building or buying new ones; creating linkages between existing data items and new ones without the need for manual work-arounds; utilising existing governance structures, committees, policies and procedures; and employing a common language across the risk framework. Utilising appropriate technology is going to be key, and the additional demands of operational resilience will be the final nail in the coffin for firms still trying to do operational risk management on spreadsheets! GRC vendors are all working hard to develop their products to support operational resilience, and you should engage with your provider to ensure they get it right and don’t reinvent the wheel! The focus on operational resilience will also highlight opportunities to make better use of AI and robotic process automation; indeed, the need to improve the resilience of important business services may well necessitate automation, as otherwise the costs will be prohibitive.
The regulatory focus on operational resilience should elevate ORM to its rightful place of parity (at least!) with financial risks and financial resilience. Operational risks can destroy organisations and have for too long been the poor relation of financial risks. Proactive, proportionate and agile ORM can help organisations become more sustainable, efficient and more resilient to the benefit of all stakeholders including the regulators.
NJ Risk has partnered with David Goodyear of NDS Consulting to support firms on operational resilience. Get in touch with us to discuss how we can help navigate the pitfalls and challenges of delivering against the regulatory expectations on operational resilience.