Ours is a world of interconnected marketplaces and a global economy. Perhaps one of the biggest challenges of operational risk is that it cannot be completely anticipated. Risks emerging from the interconnectedness of firms and financial market infrastructure can have a dramatic impact on society because they reinforce each other, thereby multiplying their effects. Like the domino effect, one critical mistake could affect the entire industry.
Organizations need to accept that cyber breaches; system, process, and third-party service failures; and IT downtime due to unplanned outages, natural hazards, operational mismanagement, and even pandemic flu, all of which impact customers, stakeholders, and the broader economy, are not just likely but bound to happen.
Effectively managing risk depends on how well we integrate people, processes, and technology within an organization. It’s vital to identify and control the risks that emerge between these interlinks, with a strong multi-layer risk strategy equipped with the latest tools and technologies in the market. With a strong operational resilience program, organizations can not only keep the “known unknowns” in check but also strengthen business continuity.
Operational incidents not only have a significant financial impact but can also disrupt entire markets and systems. For example, the global average cost of a data breach is $3.92 million. The systemic nature of such incidents is showcased by a New York Fed study, which highlighted that if the systems of the five most active US banks are disrupted, the result would be significant spillover to other banks, affecting 38% of the network on average. These incidents can also have a long tail, with a long-term impact on shareholder value as well as on operational risk capital requirements.
In a study by McKinsey & Company of more than 350 operational risk incidents at financial institutions in the US and Europe, it was found that the initial declines in total returns to shareholders (TRS) were in line with the actual fines of $23 billion (from 350 events). However, over the next 120 days, the TRS of the sample declined by a staggering $278 billion, more than 12 times the total actual loss of $23 billion.
Operational resilience goes beyond business continuity and operational risk management and aims at minimizing the impact on consumers and the wider economy. Major disruptive events such as the recent COVID-19 pandemic highlight the lack of preparedness of organizations in ensuring continuity of operations, and the importance of building operational resilience into the fabric of the risk program. Factors such as loss of reputation, fines, reduced enterprise value, and senior executive casualties have reinforced the need for scrutiny of operational resilience.
To maintain market share, build trust, and embrace innovation, organizations across the globe, especially financial institutions, are now beginning to see enterprise resilience as an imperative.
Operational resilience has been a priority for the regulatory community for years. Today the regulatory focus is shifting from how effectively organizations can prevent events from occurring toward how quickly they can recover from them. The FCA, PRA and Bank of England have published their joint Consultation Papers on Operational Resilience, setting requirements and expectations for firms to identify their important business services by considering how disruption to the business services they provide can affect their consumers, the industry, and the overall economy.
Regulatory authorities expect organizations to understand the firm’s vulnerabilities and invest in protecting them, thereby protecting themselves, their consumers, and the market, in order to preserve the public interest and maintain continuity of supply of products, even in the event of operational disruptions.
The operational resilience program needs to be aligned with the overall strategy of the organization so that it helps drive investment decisions as well as day-to-day operations. This requires systematic and efficient engagement of the board, the front line, and the extended enterprise. The ultimate goal is to manage the volatility of the impact generated by problems associated with “business-threatening events.” This means a comprehensive risk program that accommodates operational risk management, business continuity management, and third-party risk management.
Operational resilience is all about the ability of organizations and the sector as a whole to prevent, respond to, recover, and learn from operational disruptions.
Here are five steps to build an effective operational resilience program:
As organizations prepare to build their operational resilience program, a primary step is to identify the key business services which, if disrupted, could cause substantial harm not only to the organization but also to consumers and the business environment. This concept of potential harm is core to operational resilience. As the first step, this forms the crux of the program, as all subsequent processes depend on the right identification of these critical economic functions (CEFs).
To understand your organization’s resilience, map the organizational hierarchy, business objectives, market expectations, and supervisory objectives, and align them with your organization’s risk appetite.
The key is to understand how each business service aligns with the overall business. It’s important to identify the users of each service, and therefore engaging the front line becomes critical to the process. With their insights, organizations can identify the strategic/critical initiatives and the level of risk exposure. This helps in understanding the dependent processes, systems, people, and related third parties that together impact the business objective.
That’s where the integration of GRC and business objectives really starts to gel. Technology provides the necessary data model to build a relational data framework and align organizational hierarchy, business services, market expectations, strategic and regulatory objectives.
With access to a single view or hierarchy of business processes, and the ability to evaluate them on their impact on strategic and supervisory objectives, organizations can gain tangible insights for arriving at the core/critical functions. Furthermore, insights on the risk rating or relevance rating of important services can help identify critical economic functions.
We don’t live in a risk-free world. There are many unknowns that can turn into critical disruptions whose impact can eventually put the organization at risk. Trying to forecast, preempt, manage, or mitigate these unforeseen disruptions is of paramount importance to the stability of the organization. In addition, organizations are unlikely to have unlimited investment budgets and may not understand where to focus. Setting tolerances will help organizations prioritize operations and investments.
Business services and processes need to be appropriately ranked and approved by the board, considering value-based impacts that threaten the firm’s viability, volume-based impacts that cause harm to consumers and market participants, and time-based impacts that cause instability in the financial system.
It’s important to have a logical and rational approach to setting tolerances. Interconnecting all the relevant areas and processes into an integrated environment or ecosystem will enable realistic scenarios that help in understanding and analyzing impact tolerance.
While understanding the scope and organizational impact, be sure to correlate it with customer impacts and partnerships. Analyze the types of risk that can impact the overall industry in which the organization operates, and predict how they will affect the overall stability of the economy.
Companies operate in a dynamic environment today. Building a relational data framework to map the people, processes, systems, and third parties required for delivering a business service is an important step in understanding the dependencies. Crucial to building business resilience is understanding the internal and external interconnections from every point of view, while ensuring that the full picture exists, is current, and that changes to it are relevant.
With a single version of the process view organizations can highlight the number one factor they want to be resilient to. In order to understand the roadblocks, it’s important to make sure everything is connected and understood by examining the horizontal and vertical view of the critical capabilities.
Today organizations are increasingly dependent on third-party providers and outsourcers. Unfortunately, they often have only a limited understanding of the ways these providers interact with their consumers. Regulatory authorities now expect firms to be risk-based and proportionate, considering the nature, scale, and complexity of their operations when meeting their obligations for outsourcing and third parties. Firms that use these providers must take reasonable care to organize and control their affairs responsibly and effectively, with adequate risk management systems.
While looking for points of failure, it is important to ensure that they are real and impact the organization, as these can create a better understanding of the organization’s risk appetite and capabilities. Including past failures caused both within and outside of the organization’s control can help build operational resilience with better visibility across processes.
Bringing together distinct parts of your organization by examining business continuity management, data management, digital risk management, and third-party risk management can give clarity on the real possibilities and help track inter-disciplinary risk scenarios.
Identifying scenarios for impact tolerance related to people, processes, systems, and third parties, using the relational data framework can help to assess the impact of inter-relationships. Overlaying the scenarios on your business framework can increase understanding of where stakeholders come into play.
Understanding the risk appetite range makes it possible to create action plans to mitigate risks. Plot the information obtained from risk scenarios based on the vitality of the service, measurements of dependence, and microeconomic intelligence. Then define the action plan using data points that cover internal capital adequacy assessment, prioritization of recovery, governance framework, culture, corporate structure, controls, and regulatory framework, to build a strong business contingency plan.
The focus is to validate the risk scenarios against the business objectives of the organization, ensuring that the scenarios address business impacts. Scenario-based testing using questionnaires, simulations, expert tabletop exercises, and a thematic view are useful ways of testing response and recovery capabilities.
The Business Continuity Management (BCM) and Disaster Recovery (DR) teams of the organization should undergo several scenario analyses, exercises, and tests. It’s important to conduct the same amount of testing when building a stronger, operationally resilient team. The idea is to bring about the same level of thinking and analysis within the BCM and DR practices. Testing is vital; unfortunately, organizations don’t seem to do enough of it.
Another approach to obtaining real outcomes and understanding the weak links in a resilience plan is to take employees out of their comfort zone and make them work in an unfamiliar situation. This can lead to a better understanding of the complexity, business criticality, usage frequency, visible areas, defect-prone areas, and other measurable success criteria of your operational resilience plan.
A communication plan forms an integral element of any risk management strategy and is an absolute must-have. Organizations need to identify key internal and external stakeholders and build communication plans for both groups to be used during a crisis. External customers should have clarity on the alternatives available to them in such an event.
Regulators will require assurances that the impact tolerances set by organizations can be adhered to, even during a plausible stress event. Organizations will need to provide evidence of the identification of important business services and demonstrate to regulators that scenario tests on plausible events have been conducted for all critical business services.
Testing is integral to the operational resilience process and organizations need to document and demonstrate their ability to remain within impact tolerances.
Enterprise-wide risk management frameworks in many organizations are capable enough to effectively manage operational resilience. Sustaining these plans will require the integration of enhanced preventative, responsive, recovery, and learning capabilities. Risk data from service mapping and service risk assessment, combined with internal and external sources such as threat intelligence, incident data, and loss events, is a valuable asset in operational resilience. To attain a holistic view of risks, consolidate risk identification through service mapping and stress testing.
Leverage the quality and availability of risk and control data from cloud applications and infrastructure. Advanced technologies and analytics, including AI and ML techniques, are increasingly being applied to large data sets to allow continuous monitoring of threats and vulnerabilities and to enable more data-driven, fact-based risk assessment.
Build and implement a pervasive approach to operational risk identification, assessment, monitoring, and mitigation with MetricStream’s integrated Risk Management Solutions.
Read our whitepaper on “Building a Shareholder Value-Focused Integrated Risk Program” for more information.