Embracing operational resilience Embracing operational resilience Embracing operational resilience

A single direction of travel  |  On everyone’s agenda  |  The leaders are leading  |  Resilience at the edge  |  Making it real  | Embrace it

Regulators and stakeholders are focusing in on operational resilience. Here’s why and what you should be doing about it.

Operational resilience has been at the very top of the prudential regulators’ agenda for decades. Initially, the key focus was on assuring financial stability; the Global Financial Crisis demonstrated to regulators that a financial collapse at one firm could threaten the operational resilience of the entire system. And they worked fervently with the industry to help reduce that risk.

Over the past few years, however, their focus has shifted back towards the ‘operational’ side of resilience. Recent events – the pandemic foremost amongst them – have made it clear that ‘once-in-a-lifetime’ events are happening more frequently. And their interconnectedness (consider how a health crisis sparked a mobility crisis which spawned a financial crisis) has become clearer. Regulators are keen to highlight the risks and encourage resilience across the financial services sector. 

Regulators have been making their intentions clear (albeit in rather different ways). The Bank of England has, perhaps, been the most active in promulgating regulation on the topic. The US Fed has also been quite open about their intentions, sharpening their focus on enhancing existing operational risk regulation. In advanced economies such as Australia, Hong Kong (SAR) and Canada, and in a growing number of emerging markets, we are seeing regulators step up their focus on operational resilience.

Given the upswell of regulatory activity in this area, all eyes are now on the Basel Committee in Switzerland. As has been the case with other global regulatory initiatives that require a certain level of global coordination, many within the regulatory community and industry have high hopes that the Committee will provide some level of guidance that will help clarify future expectations for banks, insurers and asset managers.

The challenge for the Basel Committee will be significant. It is clear many regulators have a common intent – to enhance the operational resilience of the financial system. Yet their approaches are currently not consistent. Finding common ground may take some time.

It’s not just the regulators that think shoring up operational resilience is a good idea. So, too, do financial services executives, investors, stakeholders, Boards and customers. They also recognise the interconnectedness of risks and are starting to become increasingly concerned about the concentration of risk.

Consider, for example, the concentration of risk around digital capabilities. Most financial services firms demonstrated great operational resilience in the initial phases of the pandemic by rapidly virtualising their workforces and processes. But now they see the potential concentration of risk around – for example – a cyber-attack or the loss of a core piece of IT infrastructure. Regulatory requirement or not, financial services executives know they have an obligation to protect their organisations from these risks.

The leading financial services firms are not waiting for regulatory direction. They are taking their cues from the clear direction of regulatory travel and an equally clear understanding of their stakeholder expectations. And they are using that insight to vastly enhance and expand their focus on operational resilience.

For one, we have seen many of the leading banks, asset managers and insurers start to take a much more holistic, multi-functional and collaborative approach to resilience. Rather than working in functional siloes (which tends to ignore the interconnectedness of risks), the leaders are bringing together multi-functional groups and supporting them with robust governance while, at the same time, assigning responsibility and accountability to individuals.

The leaders are placing more focus on understanding the impact that any potential disruption could have on their external stakeholders (customers in particular) and understanding what disruption would be intolerable – an impact tolerance.

Simply put, they want to drive 70 miles per hour in a 60 zone; but they first need to understand the risks to themselves (in the form of tickets or accidents) and their neighbors (in the form of complaints and ruined relationships). More often than not, the impact tolerance is directly related to what the neighbors would think rather than the concern of the ticket.

To better understand what the neighbors (in this case, external stakeholders) will think, the leading financial services firms are scraping data from a broad range of inputs – from customer call centers and corporate communications inquiries through to traditional operational data sources such as return on investment and revenue forecasts. And they are using that data to continuously adjust their assumptions and measure their outcomes.

Leading financial services firms recognise they need to make step-step changes in thought and capacity more sophisticated. They need to make them quickly. And they need to implement them with minimum disruption.

Many are now exploring how they might ‘power’ their resilience efforts forward and achieve material advantage by connecting existing tools, technologies and data sets into a cohesive whole in order to bring proven methodologies and acceleration catalysts to their program. Rather than attempting to catalyse change in narrow siloes or distinct processes, the leaders are connecting their technologies and processes to drive more fundamental outcomes. Indeed, we are working with a number of financial services firms to create a ‘powered’ operational resilience program that not only drives the overall resilience program, but also helps build a more connected, competitive and trusted organisation.

The most strategic financial services organisations are seeking to drive even greater change from their programs. They view their efforts towards organisational resilience as a way to drive transformation across the enterprise. If end-to-end processes are being mapped, risks are being identified and accountability for resilience is being delegated, why not use that data and horizontal accountability structure to drive other objectives such as cost efficiency, innovation or customer experience? A handful of leaders see the opportunity for fundamental and sustainable change that goes beyond simply enhancing resilience. 

The specific actions, processes and data required to drive operational resilience are different for each organisation, industry sector and market (thus the challenge for the Basel Committee). Until some form of global guidance is achieved on this topic, financial services leaders need to leverage industry leading practices, existing experience and current guidance.

We believe there are a number of practical principals that leaders will want to follow as they develop and execute their strategies.

• Elevate it. Recognise that organisational resilience is an enterprise-wide objective, not a regulatory one. Go to the real sources of the truth. Take an ‘outside-in’ look at the business to understand what matters most to customers and key stakeholders. Bring together all players – from suppliers, cyber specialists and technology partners through to facilities managers, business continuity specialists and third-party risk leaders – to ensure all aspects and strategies are considered. Those that elevate their program above the regulatory lens will be creating a more resilient and flexible business for the future.
• Keep it simple. Simplification is key to reducing complexity and driving resilience. Indeed, many regulators and bank executives are now keenly focused on driving simplification across products, processes and technologies. Select a manageable number of business services to review and start with existing operational controls, adding new ones where significant gaps are identified. Similarly, take an iterative approach to impact tolerances, monitoring them through actual responses to test whether they are appropriate.
• Do it well the first time. Consider how external technologies, methodologies and data sets might help accelerate your program. Ensure appropriate decision-makers have visibility and transparency into the metrics required to quickly identify faltering initiatives, allowing them to intervene early. Develop a simple, mid-term roadmap that can help guide short-term decisions making.
• Stay flexible. Be prepared to continuously adapt and respond to a changing environment. Focus on ensuring effective decision-making around project prioritisation and an ability to reallocate resources based on changes in the operating environment. Assess the strategic impact of change on the operating model and the potential impact of changes to the workforce model on change initiatives. Consider whether your current workflows and ways of working encourage organisational agility around operational resilience. Continuously review metrics, tolerance thresholds and other assumptions to ensure ongoing alignment of projects and priorities to the overall resilience strategy.
• Make people accountable. At the executive level right down to the operational level, embedding a culture of accountability for operational resilience will be key. Ensure that specific accountability is delegated for unique end-to-end processes and services, particularly those that impact customers. Ensure that accountability extends beyond simply ‘owning’ the process to also include how investment decisions are made, programs are executed, and value is delivered. Drive accountability down through the organisation to ensure clear roles and responsibilities.
• Don’t stop. The risk environment is continuously changing. That means that operational resilience is not a destination, but rather an ongoing marathon with regular twists and turns. Endurance will be critical. Make sure your operational resilience efforts are not viewed as simply another short-term ‘strategic priority’. While achieving regulatory compliance must be the minimum threshold, operational resilience decisions should be anchored in the commercial needs of the business as part of the ongoing and eternal effort to improve efficiency, identify risks and enhance resilience.

Get used to talking about operational resilience. Our view suggests it will remain at the very top of regulator and Board agendas for the foreseeable future. The only real question is whether substantive progress will be catalysed by societal pressure, economic pressure or regulatory requirements.

Our advice is for financial services firms to get well ahead of this one. Those that do will find themselves not only more operationally resilient and better prepared to deal with upcoming regulation, they will also be more connected, competitive and trusted. Those are attributes all financial services executives can embrace.

Brian Hart

Principal, Financial Services Risk, Regulatory and Compliance Network Leader
KPMG US