QUESTION:  What is Operational Resilience?

Operational Resilience is defined by regulators in the UK very broadly as the ability of firms to prevent, respond to and recover from operational incidents. It involves the task of mapping out all business processes across an organisation from front to back and understanding which are critical. It covers a broad range of risk types including technology, operational, reputational, conduct, people and financial.

In the US, Resilience Risk, as defined by their regulators, has a narrower remit, it is much more technology focused and the term Resilience Risk is used interchangeably with cyber resilience.

As a result of regulatory changes, the top non-financial risks for the bank have been identified as third party and resilience risk. Traditional BCM functions do not have the technical capability or status to meet the new requirements around operational resilience.

QUESTION: Who is accountable for Resilience?

The development of the resilience framework was a joint venture between the second line Third Party Risk team and the BCM team and they worked together on drafting the firm’s resilience risk principals last year.

They had to work hard to help the Executive Committee to understand the importance of resilience planning, beyond ticking regulatory boxes, and to get someone at Executive Committee level to take ownership of it. It had been seen as another piece of regulation that the bank needs to adhere to, had been given to people in the first line as a side of desk job, and had not been delivered on.

After a debate over whether it should be owned and driven by the first or second line, the Executive Committee ownership and accountability is now shared between the COO and the CRO. The plan now is for the first and second line to work together to operationalise the resilience risk principals.

QUESTION: What roles have you created or changed?

A senior non-financial risk officer has been appointed second line Head of Resilience Risk. The function will bring together the BCM team as well as technology, cyber and third party risk. There will also be additional hires.

Although BCM plays a part in key resilience risk, it was not a case of adding to the BCM team and improving the team’s capability but creating a totally new function that BCM would be part of. The BCM team was perceived by some as being outdated and already struggling due to a lack of technology understanding.

It was also felt that for the Resilience Risk function to be successful it would need to be led by individuals with very good stakeholder management and influencing skills, as a key part of the role is translating regulatory requirements but also impressing on the first line the additional benefits for the firm.

A Head of Operational Resilience role has been created within the COO’s function. This individual manages a small team and will be focused on implementation, although progress has been slow to date.

QUESTION: What skill sets are in demand?

Both the first line operational resilience function and the second line function will need people with strong technology understanding who are proactive and able to deliver strategic change. They will need to be very strong stakeholder managers and be credible with colleagues in the business, technology and operations, and the second line.

The traditional leaders within BCM will not be the leaders of resilience risk, people with network and systems background will move into leadership roles. There will still be a lot of work for the traditional BCM officer, particularly in light of COVID-19, with planning around how we return to office, but the critical resilience issues that need strategic thinking, planning and problem solving will be technology based.

QUESTION: What have you learnt from COVID-19?

Operational Resilience is no longer theoretical. Pre COVID-19 there was a lot of procrastination but there is now an acceptance of the need for proper resilience planning at executive level.

However, there will be some in the challenging markets we will face for the next few years who will be looking to cut costs across the bank and will ask the question ‘if we made it through the extreme stress scenario of COVID-19 why do we need to invest further in operational resilience’.

One of the key lessons has been that operational resilience is 90% technology and third party resilience. The vast majority of issues that the current crisis and others are likely to throw up are technology based.

Conversations relating to disaster recovery will be elevated and this will lead to increased accuracy. The planning pre COVID-19 was wildly inaccurate. There was an underestimation of desks needed at second sites, poor understanding of which vendors were critical and overestimation of how many staff were truly critical to continue operations. There is likely to be significantly more scrutiny around future planning due to the higher level of sign off.

Disaster recovery solutions will also change. The need for second sites is now questionable given 90% of the workforce can work from home. Also, it has been shown that in a crisis like COVID-19, but also in a crisis caused by a cyber-attack, the strategy of pivoting to servers in another region could be ineffective due to the global nature of the issue.


Would you like to download the complete Risk Resiliency Whitepaper?

Download the paper now

Leathwaite recently executed a series of interviews with global heads of Risk to understand how organisations across all sectors have been implementing crisis plans.

Since lockdown began, organisations across all sectors have been implementing crisis plans. We were keen to understand what financial services firms globally had put in place over the last year; since regulators, particularly in the UK, began to make stipulations around process mapping, understanding of impact tolerances and running increased scenario testing.

Contact us!

Click on the button below to contact your local Leathwaite office to discuss your executive search or senior leadership requirements: 

Click here to contact Leathwaite