by Elena Pykhova
Operational resilience has always been part of the agenda of financial services firms. During the past 18 months of the widespread long-lasting disruption, it has been put to the test, and it is not surprising that regulatory emphasis on maintaining continuity of critical operations has resulted in multiple recent publications. The Basel Committee’s principles for operational resilience1 urge the firms to up their continuity and recovery capabilities. UK regulatory guidance2 goes a step further, setting out a clear plan and roadmap for firms to define business services and their impact tolerances by March 2022 and ensure their ability to operate within set tolerances by 2025. So, how far advanced are financial services firms in complying with the new set of requirements?
A survey conducted by the Best Practice Operational Risk Forum, comprised of risk professionals from over fifty international financial services firms, reflected that 5% of respondents have completed the implementation; 30% had an agreed roadmap; 55% were considering and finalising their plans; while the remaining 10% have not yet started their journey (graph below).
The role of second line Risk department in Operational resilience was clearly defined for 26% of the participants, while 74% reflected that responsibilities between the first and second line were articulated, however would benefit from further clarification. An increasing number of organisations opt for the winning formula of first line chief operating office or similar function leading the efforts jointly with the second line Risk department.
One aspect where it was felt that more progress is needed is the assessment of change initiatives and their potential impact on the resilience of business services. Change management, in particular relating to system enhancements, has been already cited in the cross-sector survey as the number one root cause of technology outages and a threat to Operational resilience.3
Simply put, firms struggle to embrace risk assessment of change initiatives. The sheer breadth of firms’ change agenda often hinders the implementation of a uniform approach. The most common challenges include lack of a holistic definition of change, which leads to the governance framework not covering all types of initiatives as well as decentralised management of change activities, resulting in their inconsistent treatment.
The live poll demonstrated that for 37% of respondents, there was no structured assessment of how the change may impact the resilience of critical operations. Moreover, Risk department is not always at the table when change (be it new products, systems or processes) is agreed, resulting in limited preview of risks and opportunities.
The results emphasise the importance of spending time in developing the scope and methodology for risk assessments of change initiatives. In particular, the approach to implementing IT system changes was deemed to be worthy of revision, by teaming up with technology colleagues to jointly review how the change process can produce better outcomes.
3 Financial Conduct Authority (2018), Cyber and Technology Resilience: Themes from cross-sector survey 2017-18, www.fca.org.uk
The author, Elena Pykhova is a thought leader, influencer and founder of a think tank, Best Practice Operational Risk Forum. She is also an executive trainer and has delivered over one hundred courses at world leading venues, including London Stock Exchange Academy, Cambridge and Oxford Universities. Passionate about Operational Risk, she founded the OpRisk consultancy after 20 years of experience in senior roles at Fortune 500 companies across three continents.