QUESTION:  What is Operational Resilience?

The focus of resilience planning has traditionally been about what it means for your firm and the time it takes for recovery. Now the focus is on customer outcomes and an end to end assessment of what needs to happen for customers to get good service.

Regulators are pushing for a strategic assessment and risk weighting on which of your services need to be most resilient and bounce back first.  The ones that are really key, need a much lower tolerance of disruption.

QUESTION: Who is accountable for Resilience?

The executive accountable for resilience is the COO and nominated one of their direct reports to run the project to set up and embed their operational resilience processes. They took the view that it was best to have as many good people involved, who could add value to the process.

Risk, and in particular operational risk, has a key role to play and needs to use their expertise to help design the solution, and assist in both the set up and continual enhancement, rather than purely provide oversight and challenge.

QUESTION: What roles have you created or changed?

The Chief Risk Officer’s role title changed to the Chief Risk & Resilience Officer. The Head of Operational Risk became Head of Operational & Resilience Risk. Under this individual there are now two sub-teams an Operational Risk team and a separate dedicated Resilience Risk team.
A direct report of the COO, the Head of Transformation, has owned the Operational Resilience Program in the first line. They have also increased focus and headcount in vendor risk management.

Within the COO function hires have been made, including key appointments of talent from outside of financial services, in particular telecoms, where operational resilience has been a been a higher priority for longer.

The longer term plan will be for them to have a small resilience risk team within their first line control function and, at that point, they will slim the second line down to a pure oversight function. At the moment they do not have the specialist knowledge in the first line to do this.

QUESTION: What skill sets are in demand?

The Resilience Risk team includes people with knowledge and experience in BCM and disaster recovery, technology risk and change, as well as outsourcing and third party risk. People with the broad resilience risk skill set that will be needed generally do not exist, so people are approaching it from different angles. Few have years of experience in this space.

All of the members of their Resilience Risk function have needed to upskill as more rigour is put around this. Bright and able people that are able to adapt their skill sets will be in demand as well as those coming from more mature industries.

QUESTION: What have you learnt from COVID-19?

Resilience is no longer an academic exercise, there is now an understanding that you need to allocate enough resource to get it right. Historically the focus was much more on financial risk now there is truly an appreciation that strong operational risk is essential to continue to be able to deliver to customers, which is what keeps you in business.

The ability for people to work from home will be a very good fallback for most scenarios. Previously there was a lot of analysis, time spent and investment in recovery sites and split working. Working from home covers most eventualities.

Suppliers are the weak link. COVID-19 has shown that the need to ensure suppliers have effective resilience plans is critical.

COVID-19 may result in some firms reviewing their outsource strategy and bringing things back in-house. Also, with Brexit, current US policies and other factors it may become harder to provide services across borders so firms may start to bring activities back onshore.

INTERVIEW END

Would you like to download the complete Risk Resiliency Whitepaper?

Download the paper now

Leathwaite recently executed a series of interviews with global heads of Risk to understand how organisations across all sectors have been implementing crisis plans.

Since lockdown began, organisations across all sectors have been implementing crisis plans. We were keen to understand what financial services firms globally had put in place over the last year; since regulators, particularly in the UK, began to make stipulations around process mapping, understanding of impact tolerances and running increased scenario testing.

Contact us!

Click on the button below to contact your local Leathwaite office to discuss your executive search or senior leadership requirements: 

Click here to contact Leathwaite