Operational resilience will remain a key risk focus for regulators amid ongoing business transformation that is increasing firms’ vulnerabilities: regulatory and operational change management, new technology and data governance strategies (e.g., cloud), expanded use of third parties (e.g., payments processors, data aggregators), enhanced risk management practices (including third party and reputation risks), and integrated risk, operations, and compliance. Regulators are taking an increasingly broad view of operational resilience: they expect firms not only to control operational risk but also to manage disruptions when they occur, with an eye toward preserving the continuity of key business services (which include, but are broader than, IT systems and cyber security).
As such, operational resilience integrates core elements of business continuity planning, operational risk (inclusive of third party) and concentration risk analysis. Further, firms must understand: the impact of critical system failures on their key businesses, counterparties, and markets; the systems that support their critical business activities; and the effectiveness of solutions and controls to protect those systems.
In today’s interconnected business environment, firms must also consider that potential threats or disruptions to their operations may be generated from sources outside of financial services, such as cybercrimes, sociopolitical changes, or environmental risks.
— Operational Resilience provides a useful lens for firms to prioritize investment decisions for modernizing legacy systems and strengthening technology infrastructure
— Dependencies and interconnectedness between internal and third party technology assets must be mapped, analyzed, and tested to validate the feasibility of stated recovery time objectives and achieve resumption of the end-to-end business service
— Heightened regulatory attention to competition and anti-trust, especially with regard to digital technology platforms and cloud services, must be considered when selecting/maintaining third-party relationships and/or acquisitions activity
— Operational Resilience emphasizes the responsibility of financial services companies to maintain customer trust by delivering services consistently and with high quality, even when systemic shocks do occur
— Internal and external communications plans are needed to provide timely information to, and manage the expectations of, customers, other market participants, and regulators following a disruptive event; communications can help to restore confidence in the company and preserve its reputation
— Evaluate the firm’s ability to meet evolving customer expectations for the continuity of financial services products and services, including mobile and web-based services that operate 24/7.
— Customer expectations for payments speed affect the resilience thresholds and tolerances for payments disruptions; disruptions in payment processing have the potential for serious financial harm to consumers and corporate clients
— Operational Resilience emphasizes the security of payments along the value chain, including during handoffs with third parties.
— When launching new products and services, articulate clear service level agreements and recovery time objectives to verify the firm’s ability to deliver these services when there is an Operational Resilience event
— A clear understanding of business services and the people, data, systems, and processes on which they depend should enable a company to undertake M&A activity more efficiently and effectively or move more smoothly into new areas of business.
— Delivering services globally with high quality across the value chain requires accounting for third parties and partnerships in every geography, including the geopolitical and ESG risks specific to their locations.
— Balance effective risk management with operational efficiencies by concentrating investment in the assets that bolster Operational Resilience; invest and allocate resources based on the services that are most crucial for the continuity of critical systems and business objectives
— Understand the financial impact of service disruptions and establish impact tolerances; validate that insurance policies are appropriate from a Resilience perspective
— Establish penalties for third parties that fail to deliver services and develop exit strategies for each vendor.
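The points above on mapping dependencies to validate recovery time objectives, on establishing impact tolerances, and on third party concentration risk can be made concrete with a small dependency model. The following is an added worked example, not part of the KPMG brief and not a KPMG tool: a business service is restored only after the assets it depends on are restored, so the worst-case end-to-end recovery time is the longest path through the dependency map, which is then compared with the stated impact tolerance. The service names, asset names, provider names, recovery hours and tolerances are all constructed for illustration.

```python
"""Added example (not from the original brief): test whether stated recovery
objectives for business services are feasible given their dependency map, and
surface third-party providers that several services depend on.

All asset/provider names and hour values below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Asset:
    name: str
    restore_hours: float              # time to restore this asset once its dependencies are up
    provider: Optional[str] = None    # third-party provider, or None if operated in-house
    depends_on: List[str] = field(default_factory=list)


# Constructed sample map: two business services and the assets beneath them.
SAMPLE_ASSETS = [
    Asset("retail-payments", 4.0, depends_on=["payments-gateway", "core-ledger"]),
    Asset("mobile-banking", 2.0, depends_on=["api-gateway", "core-ledger"]),
    Asset("payments-gateway", 1.0, provider="AcmePay", depends_on=["fraud-scoring"]),
    Asset("fraud-scoring", 3.0, provider="AcmePay"),
    Asset("api-gateway", 0.5, depends_on=["identity-provider"]),
    Asset("identity-provider", 1.0, provider="CloudIdP"),
    Asset("core-ledger", 2.0, depends_on=["primary-db"]),
    Asset("primary-db", 3.0, provider="CloudHost"),
]

# Constructed impact tolerances: hours of outage per business service before
# harm to customers or the market is judged intolerable.
IMPACT_TOLERANCE = {"retail-payments": 6.0, "mobile-banking": 8.0}


def build_map(assets: List[Asset]) -> Dict[str, Asset]:
    """Index assets by name and reject dependencies that were never mapped."""
    asset_map = {a.name: a for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in asset_map:
                raise ValueError(f"{a.name} depends on unmapped asset {dep}")
    return asset_map


def recovery_path(asset_map: Dict[str, Asset], root: str) -> Tuple[float, List[str]]:
    """Worst-case restoration time for `root` and the chain of assets driving it.

    An asset can only be brought back once everything it depends on is up, so
    the answer is the longest path (sum of restore_hours) through the graph.
    """
    memo: Dict[str, Tuple[float, List[str]]] = {}
    on_stack: Set[str] = set()

    def longest(name: str) -> Tuple[float, List[str]]:
        if name in memo:
            return memo[name]
        if name in on_stack:
            raise ValueError(f"dependency cycle through {name}")
        on_stack.add(name)
        asset = asset_map[name]
        best_hours, best_path = 0.0, []
        for dep in asset.depends_on:
            hours, path = longest(dep)
            if hours > best_hours:
                best_hours, best_path = hours, path
        on_stack.discard(name)
        memo[name] = (best_hours + asset.restore_hours, best_path + [name])
        return memo[name]

    return longest(root)


def tolerance_report(asset_map: Dict[str, Asset], tolerances: Dict[str, float]) -> Dict[str, dict]:
    """Compare each service's computed recovery time with its impact tolerance."""
    report = {}
    for service, tolerance in tolerances.items():
        hours, path = recovery_path(asset_map, service)
        report[service] = {
            "hours": hours,
            "path": path,            # the chain to shorten if the objective is infeasible
            "tolerance": tolerance,
            "feasible": hours <= tolerance,
        }
    return report


def provider_concentration(asset_map: Dict[str, Asset], services: List[str]) -> Dict[str, Set[str]]:
    """Invert the map: which business services transitively rely on each provider."""
    result: Dict[str, Set[str]] = {}
    for service in services:
        seen: Set[str] = set()
        stack = [service]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            asset = asset_map[name]
            if asset.provider:
                result.setdefault(asset.provider, set()).add(service)
            stack.extend(asset.depends_on)
    return result


if __name__ == "__main__":
    amap = build_map(SAMPLE_ASSETS)
    for svc, row in tolerance_report(amap, IMPACT_TOLERANCE).items():
        status = "OK" if row["feasible"] else "BREACH"
        print(f"{svc}: {row['hours']}h vs tolerance {row['tolerance']}h [{status}] via {' -> '.join(row['path'])}")
    for provider, svcs in provider_concentration(amap, list(IMPACT_TOLERANCE)).items():
        print(f"{provider}: relied on by {sorted(svcs)}")
```

In the sample data the retail payments service cannot meet its six-hour tolerance because the ledger sits behind a database with a three-hour recovery time, and the hosting provider is a concentration point for both services; the path returned by `recovery_path` is the chain to negotiate or re-architect before the stated objective can be treated as credible.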
© 2021 R.G. Manabat & Co., a Philippine partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.
For more detail about the structure of the KPMG global organization please visit https://home.kpmg/governance.