Operational Resilience in Banking

Regulatory activity is shifting to emphasize the risks arising from the introduction of digital tools and technology in banks and financial institutions. This is happening as banks face rising competitive pressure to move to digitally enabled business models to rein in costs and keep pace with customer demands in a period of fast innovation cycles. As digitization reorganizes banking operations, the new vulnerabilities it creates could add urgency to achieving operational resilience.

Operational resilience in financial institutions is an area of focus today, with even Financial Market Infrastructure (FMI) firms working towards achieving it. Regulators worldwide are also increasingly examining a firm’s ability to adapt to and recover from operational disruptions, reflecting the key role the financial services industry plays in society and the major impacts that can follow when firms fail to function properly.

A joint paper published by the Prudential Regulation Authority (PRA), Bank of England, and the Financial Conduct Authority (FCA) in 2018 set out a changed approach to the supervision and regulation of operational resilience in the UK. This approach highlights the desired outcome of continuity of key business services, the significance of banks’ response to and recovery from disruptive events, and the implications for individual accountability and governance. Their approach to building resilience suggests the following measures:

  • Establish a top-down integrated view of resilience driven by board members and senior management.
  • Identify processes, systems, data, and people that aid key business services and map these services across entities and functions.
  • Instil a culture of resilience and use operational resilience to drive investment decisions.
  • Follow rigorous end-to-end testing programs.
  • Specify tolerances from a consumer, financial stability and business perspective.
  • Focus on the ability to respond to and recover from a disruptive event.
  • Communicate internally and externally with all those affected by the disruption.
  • Take action to prevent any disruptive event in the future through continuous improvement.

What Does Operational Resilience Mean?

Operational resilience is the ability of businesses, FMIs and the entire banking sector to prevent, respond to, recover from, and learn from operational disruptions. A resilient business can recover its vital business services from major unplanned disruptions, thereby safeguarding its customers, shareholders, and the integrity of the financial system.

Operational resilience is much more than protecting the resilience of individual systems; it also encompasses strategy, governance, business services, change management, information security, disaster recovery, and, most important of all, robust operational risk management. Avoiding disruption to a specific system that supports a business service contributes to operational resilience. But ultimately, it is the business service itself that must be resilient.

Why Should Banks Be Operationally Resilient?

The operational resilience of banks is a primary concern for supervisory authorities and is regarded as no less essential than financial resilience. Here are a few reasons why banks need to be operationally resilient:

Fulfill changing regulatory requirements

As a result of the growing interconnectedness and complexity of financial systems, financial regulators, especially in the UK, have recognized the importance of a coordinated approach to operational resilience regulation. The FCA and the PRA/BoE have developed an extensive regulatory framework for operational resilience. Regulators evaluate operational resilience holistically in light of market and technology changes that include:

  • Interconnectedness between functions, operations and third-party providers, which increases the risk of service incidents.
  • Sophisticated cyberattacks that have the potential to disrupt individual banks and entire markets.
  • Reliance on a narrow cluster of providers, with the potential to increase concentration risk.
  • Commercial pressure from the impact of climate change, which requires banks to take appropriate measures to align with the global sustainability agenda; banking regulators worldwide are now drawing up new rules for climate-risk management.

Operational resilience for banks today is even more important than financial resilience, as a lack of operational resilience could lead to financial volatility. Regulators therefore require banks to identify their critical businesses and services and to demonstrate their resilience.

Prepare for security threats

With widespread adoption of digital tools and increased dependence on third parties, a bank’s exposure to external attacks and a hostile cyber ecosystem has grown, and with it the need to prepare for and mitigate security threats. Unlike other sources of risk, malicious cyberattacks are difficult to detect and to fully eliminate.

Eliminate risks and reduce the impact of outages

If resilience is not prioritized, core business functions become vulnerable during cyberattacks, insider threats, geopolitical events or pandemics. By building resilience, banks gain real-time visibility into processes and critical assets and are better prepared, with an enterprise-wide plan and response and a continuous redesign of business processes and services. Firms that prioritize resilience are shifting their mindset away from the conventional, narrow business continuity/disaster recovery model to “resilience by design.”

Operational resilience today extends beyond the individual bank to the entire complex banking ecosystem, including the third-party providers and partners needed to deliver services that fulfill customer needs. With the growth of social media, the public is alert to any outage. Service disruptions can therefore undermine a bank’s standing with customers, regulators, and stakeholders and hurt its bottom line.

A Complete Approach to Achieving Operational Resilience

Industry experts and regulators are advising banks to think more broadly about building resilience. The breadth of the concept can make it challenging for boards to build effective oversight practices. A robust technology solution can bring all aspects of an operational resilience framework into a single unified platform. An operational resilience solution should not only help meet resilience-related regulatory requirements, but also enable companies to achieve operational resilience by embedding risk management practices into compliance, cybersecurity, vendor risk management, and business continuity planning to prepare for potential disruptions. A single, integrated, interconnected data model should unite data, remove friction between functional silos, and serve as a single source of truth for real-time, risk-aware decision-making.

The solution should also support the data contextualization needs of various organizational lines. Stakeholders should assess risks and control effectiveness from multiple perspectives, and drive their individual governance areas, while aggregating risk outcomes to provide a single view of the inherent and residual risk exposure at various levels of the organizational hierarchy. This cohesive approach facilitates a common understanding of enterprise risk exposure while helping users enhance the completeness, accuracy, and integrity of risk data. Members mentioned a few areas of emphasis for boards to help them create useful practices:

  • Technology: Tech assets must be kept up to date and properly hardened to mitigate cyber threats. Significant change programs may have to be set up to address technology debt.
  • Reporting: Active reporting of KRIs and KPIs is crucial for making informed decisions on resilience risk.
  • Tolerance: Impact tolerances must be reviewed frequently as customer expectations grow, business tactics evolve, regulations change, and technology improves.
  • Testing: Frequent audits and tests, including business continuity/disaster recovery testing, must be carried out to evaluate resilience levels.
  • Third parties: Resilience must be an enduring consideration in change programs and third-party contracts. It goes well beyond the immediate company and extends to all parties the company interacts with.
  • Communication: Active internal and external communication plans must be maintained. The goal must be to reduce any resilience bottleneck in lower-priority services over time.
  • Change programs: Resilience benchmarks have to be met before change programs are approved to continue.
  • Cultural change: All employees will need to understand the resilience framework, how they fit into it, and its significance for enterprise continuity.
  • Disaster recovery: Plans must cover the impact of operational disruption and extend to the bank’s resolvability, with crisis management teams ready to be assembled.
  • Ownership: Clearly defined ownership of the vital elements of the operational resilience structure is essential so that practices operate as they should and accountability is assigned.

Strengthening Operational Resilience

Preserving and enhancing operational resilience helps organizations build trust with regulators, customers, and the economy. If there is no efficient and thorough resilience management framework in place, banks are unlikely to recognize and understand any developing internal and external resilience challenges. A proper framework must have the following key elements:

  • Conduct regular self-assessments of risks and controls

    Trigger Business Impact Analysis (BIA) surveys to identify critical assets and processes. Map Recovery Time Objective (RTO) and Recovery Point Objective (RPO) dependencies through the product’s business process modeling capabilities and visualize them with the Data Explorer. Plan, schedule, and perform both top-down and bottom-up risk assessments. Route the results for review and approval. Enable simple assessments by rating risk, and advanced assessments using multiple factors and risk scoring, to accommodate variations in risk assessment methodology across business units, assets, processes, regions, and products. Also assess the overall control environment based on multiple factors. Define the logic for computing inherent and residual risk scores and analyze them through heat maps. Aggregate risk scores by multiple dimensions, including organization, objective, product, process, assessable item or risk hierarchy, for improved risk visibility.

  • Resilience must be rooted in digital transformation endeavors

    Banks must ensure that all new partnerships or initiatives are properly scrutinized and reviewed for risk, and that controls are confirmed to be in place. As part of vendor due diligence, robust vendor risk assessments must be performed to surface all issues upfront. As part of the assessment, banks must look at all types of vendor risk: cyber, information security, operational, business continuity, anti-corruption, negative media coverage, etc.

  • IT enhancements are risky but are nevertheless essential for long-term resilience

    Banks must upgrade legacy systems without delay. They may prefer to be more cautious in an environment where banks often make headlines for suffering IT failures and cyberattacks. However, that caution itself raises resilience concerns.

  • Enable continuous monitoring with robust issue and action management

    Manage, track, and close issues and actions triggered by risk assessments, control evaluations and business impact analysis. Leverage AI/ML to quickly identify related issues and recommend issue classifications. Recommend action plans to modify controls or define new controls as part of the issue remediation process. Monitor the status of the implemented actions at every stage and track them to closure.

    Automatically validate vendor information and identify “red flags” based on globally sourced content around cybersecurity, finance, sustainability, regulations, disaster and hazard, corruption, reputation, sanction lists, Politically Exposed Persons (PEPs), Special Interest Persons (SIPs), state-owned enterprises, and adverse media listings.

  • Timely involvement of the board is essential

    Boards must be notified early about the occurrence of an incident. In almost all investigations it has been seen that communications have failed, and the board was not informed on time.

  • Comprehensive reports, management dashboards and risk analysis

    Help risk managers present key risks and convince the board to take necessary actions to avoid major disruption in case of a crisis.

    Achieving and preserving enterprise resilience is important for banks if they are to meet existing and pending regulatory requirements, keep pace with customer demands and defend themselves against major internal and external service risks.
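The self-assessment element above describes computing inherent and residual risk scores, aggregating them by dimension, and mapping RTO dependencies against impact tolerances. The following added example (not the product's or the page's own code) shows one concrete way to do that; it assumes a 1..5 likelihood and impact scale, a 0..1 control-effectiveness rating, and constructed sample data.

```python
"""Added illustration (not the page's product): inherent/residual risk
scoring, worst-case aggregation per business service, and an
RTO-versus-impact-tolerance check over a dependency map.
Scales and sample data are assumptions, not taken from the page."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    service: str                  # business service the risk threatens
    likelihood: int               # 1 (rare) .. 5 (almost certain)
    impact: int                   # 1 (negligible) .. 5 (severe)
    control_effectiveness: float  # 0.0 (no control) .. 1.0 (fully mitigated)


def inherent(r):
    """Likelihood x impact before any controls are considered (1..25)."""
    if not (1 <= r.likelihood <= 5 and 1 <= r.impact <= 5):
        raise ValueError(f"{r.name}: rating out of range")
    return r.likelihood * r.impact


def residual(r):
    """Inherent score reduced by the rated effectiveness of controls."""
    if not 0.0 <= r.control_effectiveness <= 1.0:
        raise ValueError(f"{r.name}: control effectiveness out of range")
    return round(inherent(r) * (1.0 - r.control_effectiveness), 2)


def heat_band(score):
    """Bucket a 1..25 score into the bands a heat map would colour."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def aggregate_by_service(risks):
    """Worst (max) residual score per service: averaging would let one
    weak control hide behind well-controlled siblings."""
    worst = defaultdict(float)
    for r in risks:
        worst[r.service] = max(worst[r.service], residual(r))
    return dict(worst)


@dataclass(frozen=True)
class Service:
    name: str
    impact_tolerance_hours: float  # longest outage the business will accept
    depends_on: tuple              # systems the service cannot run without


def tolerance_breaches(services, system_rto_hours):
    """A service breaches its impact tolerance when any system it depends
    on has an RTO longer than that tolerance, or has no RTO recorded at
    all (an unmapped dependency is treated as a finding, not ignored)."""
    breaches = {}
    for s in services:
        bad = [sys for sys in s.depends_on
               if system_rto_hours.get(sys) is None
               or system_rto_hours[sys] > s.impact_tolerance_hours]
        if bad:
            breaches[s.name] = bad
    return breaches


# Constructed sample data (hypothetical services, systems and ratings)
RISKS = [
    Risk("payment gateway outage", "Payments", 3, 5, 0.4),
    Risk("core-banking DB corruption", "Payments", 2, 5, 0.9),
    Risk("statement batch delay", "Statements", 4, 2, 0.5),
]
SERVICES = [
    Service("Payments", 2.0, ("payment-gateway", "core-banking-db")),
    Service("Statements", 24.0, ("batch-scheduler", "core-banking-db")),
]
SYSTEM_RTO = {"payment-gateway": 1.0, "core-banking-db": 4.0}  # hours; no RTO for batch-scheduler

if __name__ == "__main__":
    for svc, score in aggregate_by_service(RISKS).items():
        print(f"{svc}: residual {score} ({heat_band(score)})")
    print("tolerance breaches:", tolerance_breaches(SERVICES, SYSTEM_RTO))
```

The breach check deliberately flags a dependency with no recorded RTO, since an unmapped dependency is exactly the gap a BIA is meant to surface.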

