Over the last few years the sector has seen more cyber attacks and firms are increasingly reliant on technology and automation. To respond, financial sector regulators are bringing their focus on operational resilience up to that of financial resilience. This new regime is currently in consultation and will look at firms’ ability to withstand and recover from disruption.

Today’s business continuity plans are typically siloed by function. Risk management focusses on identifying potential threats, and reducing their likelihood and impact. Both of these are important, but the new operational resilience requirements are likely to be more demanding:

• Assume key disruptions will happen
• Minimise recovery time from an end-to-end business service perspective, including third parties involved in that service
• Set impact tolerance parameters; Boards will be expected to take the lead on operational governance

Successful implementation of this new regime will require firms to set a clear operational resilience vision and strategy, and will need clarity of planning and reporting. Achieving regulatory compliance in the future will be obligatory, but firms should exploit the business advantages that a strong operational resilience can bring.

Most firms work in a complex ecosystem with reinsurers, primary carriers, capital providers, third party administrators and technology providers, branches and offshore subsidiaries, brokers and distribution partners. As with conduct regulation, regulated entities will be responsible for their end to end operational resilience, no matter who performs the activity. This will require more joining up through the value chain on aspects such as:

• Clear and cohesive board reporting on operational resilience across the various disciplines
• Common regime of business services, processes and impact tolerances 
• Increased reliance on others’ operational resilience, with clear and agreed failover plans when a disruption event occurs
• Potentially increased use of cloud processing and storage to underpin the robustness and resilience of interfaces between organisations

Getting this right for your firm may mean considering a different operating model approach, including consolidating third party activities with fewer, more resilient partners or reconsidering which activities you can reliably outsource. operational resilience brings with it the impetus to eliminate those problem areas in your value chain and strengthen your firm for the longer term.

The banking sector is ahead of insurance in preparing for this new regime and there are already some key learnings insurance firms can benefit from. Although a standard approach to the topic is still emerging, we are seeing some common implementation challenges. It is crucial to define a good business service architecture, and using a pilot approach by business service helps to refine the development of a holistic operational resilience regime. The ultimate goal is to ensure that a resilient approach to operations becomes part of your organisational (DNA).

Each firm is different and will have a unique starting point. To ensure a powerful implementation, and to get prepared for the start of this new regime, the first key step is to perform a high level framework assessment. This will look at your current business continuity, recovery and risk regimes and compare those to the principles of the operational resilience regulation. From here, you will have a much clearer perspective on which elements of your organisation and operating model you will need to learn more about the next steps you can take, get in touch with us.

Lulu O’Leary, Partner, Insurance Operations, KPMG in the UK

David Miller, Partner, Insurance Risk and Regulation, KPMG in the UK