Operational resilience has always been a focal area for financial institutions, large organizations, regulators, and supervisors. The emphasis has been on preventing an operational disruption rather than on recovering from one. Amplified geopolitical tensions, accelerated digitalization, and increased dependency on vendors have sharpened the focus of regulators, including the FCA and PRA, on making organizations better prepared to face disruptions. In addition to existing standards such as Basel, Solvency II, and APRA requirements, the European Union has published the draft Digital Operational Resilience Act (DORA), Germany has revised the IDW PS 340 n.F., US federal bank regulatory agencies have released a paper outlining sound practices to help large banks enhance operational resilience, and financial authorities in the APAC region are seeking to strengthen their resilience practices.
MetricStream brings all aspects of the operational resilience framework on to a single unified platform by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for and prevent potential disruptions.
Operational Risk Management
Business Continuity Management
Third-party Risk Management
IT and Cyber Risk Management
Another aspect is the qualitative and quantitative risk assessment, increasing the visibility of risk and the end-to-end accountability of the risk owner in the first line of defense. The basis is to build up a trust partnership with the first line of defense, maturing the skills and levels of the staff. The impact is to have a stronger risk culture, because in risk mitigation it is important to be prepared.
Head of Risk Prevention and Compliance Department, CISO
Banque centrale du Luxembourg
The standardization and driving through common platform and common reporting was probably the biggest transformation across the organization.
Head of Operational Risk
We are happy to say our compliance with incident reporting and tracking in the new software is now at 96%; previously, in the first edition, it was 4%. Our action tracking today is at 89%, and previously it was, I think, 17%.
Senior Vice President Safety & Standards
Before, we had manual, duplicated workflows, but now it's automated and efficient. Before, we had siloed GRC data: compliance had one set of data, risk had one, audit had one, BCP had one. Now it's a single GRC data repository with clear ownership of each data element and strong data governance. Before, risk was seen as the work of the risk function; now risk is everyone's business.
Assistant General Manager - Group Operational Risk and Controls
First Citizens Bank Trinidad and Tobago
Our first line is no longer coming to us to fill requests on an ad hoc basis. We are not having to drop everything to pull reports out of MetricStream for them. They can go straight into the Tableau server, pull the report they need and they are good to go.
Assistant Vice President, Risk Officer
Hancock Whitney Bank
Embarking on a GRC program was really about delivering value and making sure we are not spending resources unnecessarily. We also wanted to enable the different lines of defense to deliver on their individual accountability.
Risk Management COO & Head of Operational Risk
We have now started to see commonality between different organization units' risk assessments. We are starting to see maturity in how we are identifying issues in that process. We also have action plans for the next quarter and so forth.
Head of Operational Risk
Avoid business disruption and recover faster from operational events with comprehensive risk visibility, business impact analysis, and crisis management.
67% improvement in risk reporting visibility and efficiency for the executive management and board.
90% compression in compliance management timelines
80% reduction in the time taken to create and review a business impact analysis
80% decrease in third-party onboarding time
Gartner Magic Quadrant
MetricStream Recognized as a Leader in the 2020 Gartner Magic Quadrant for IT Risk Management
MetricStream enables organizations to mitigate compliance risks with enhanced intelligent regulatory content libraries, delivered on its integrated risk platform
Frequently Asked Questions
Operational resilience can be defined as an initiative that focuses on building the resilience of all business activities beyond business continuity management programs. This includes connected risk appetite and tolerance levels for disruption of product or service to internal and external stakeholders like employees and customers. The essence of operational resilience is that the organization and economy are prepared to respond better to a crisis or disruption rather than just reacting. In short, the aim is to stay operational, no matter what.
Recent events and operational failures have forced regulators across the globe to ask organizations to implement operational resilience frameworks. This requires companies to identify critical business services, set impact tolerances, consider vulnerabilities, develop appropriate mitigation actions, and then define a consistent approach to prevent, adapt, and respond to the failure.
The concept of operational resilience is not new. However, the recent health crisis, geopolitical tensions, complex extended ecosystem, rapid digitization, major cyberattacks, and environmental and social issues have brought back the focus on operational resilience.
While the regulatory focus on operational resilience is still new, some countries are starting to uphold standards through regulation. The PRA operational resilience framework in the United Kingdom, IDW PS 340 n.F. in Germany, the Digital Operational Resilience Act (DORA) in the European Union, and the Technology Risk Management (TRM) guidelines by the Monetary Authority of Singapore (MAS) have been released. In the United States, a joint paper by the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency (OCC) has been published to guide large and complex firms in addressing unforeseen challenges to their operational resilience. Some of the above apply to large and enterprise organizations across all sectors, while others apply specifically to banking and financial services firms.
Since the start of the COVID-19 pandemic there have been further regulatory measures. For instance, the digital operational resilience provisions in the UK's proposed Product Security and Telecommunications Infrastructure Bill will apply to individuals and businesses across the UK, not just to businesses in certain sectors.
Build your operational resilience journey and ensure your organization is well prepared to respond to future disruption by:
- Identifying and understanding the critical processes, systems, people, and third parties
- Protecting and managing risks related to them and assessing their impact on the business
- Defining and setting impact tolerances against critical risks
- Developing business continuity plans and monitoring them
- Providing actionable insights through reports and analysis
- Developing communication for key stakeholders
The right technology can help your operational resilience strategy by providing a single solution to meet regulatory requirements along with the tools to embed risk management practices into compliance, cybersecurity, vendor risk management, and business continuity plans to prepare for potential disruptions. Technology can support you by:
- Ensuring that all aspects of an operational resilience framework are easily accessible in a single, connected platform, simplifying the tracking and management of risk
- Enabling data harmonization across teams, business units, and functions
- Providing automation capabilities for risk assessments, control testing, continuous control monitoring, third-party due diligence, etc.
- Ensuring a common federated taxonomy in a central risk library
- Generating powerful reporting and analytics capabilities enabling organizations to create rich analysis and derive deep insights for driving business decisions
For over 20 years, MetricStream has been a leader in Governance, Risk, and Compliance (GRC), supporting businesses in taking a proactive, risk-based approach to compliance, cyber, and third-party risk management and enabling them to manage, coordinate, and track multiple GRC risks across business silos.
MetricStream brings all aspects of the operational resilience framework into a single unified system. This allows organizations to view and track regulation across different regulatory frameworks such as PRA, IDW PS 340 n.F, and DORA. The solution seamlessly embeds risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for and prevent potential disruptions. Through sharing best practices and key learnings with organizations, MetricStream further supports their future growth and helps build resilience strategies.
Operational resilience has always been a focal area for financial institutions, regulators, and supervisors. The emphasis has been on preventing an operational disruption rather than on recovering from one. The recent pandemic, digitalization, and increased dependency on vendors have forced organizations and regulators around the world, including the FCA and PRA, to re-examine operational resilience. Operational resilience is defined as the ability of financial services companies to prevent, adapt to, respond to, recover from, and learn from operational disruptions. MetricStream brings all aspects of the operational resilience framework on to a single unified platform by seamlessly embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for and prevent potential disruptions.