Operational Resilience

Only the other day, a senior Operational Risk Practitioner asked me what's the trend in Operational Risk Management today, where should we be focusing our efforts in the next couple of years?

Like so many areas of risk management, Operational Risk developments seemed to have been directed to look introspectively at situational outcomes from the Covid-19 catastrophe.

Proactive Crisis Management System| FACT24

Cutting to the chase, the focal point emanating from the Bank for International Settlements seems to target a renewed attempt for integrating operational risk with other BCP & Crisis functions, and in many respects; BCP Teams could benefit from having oversight across Key Risk Indicator sets operational risk departments farm across their organisation.

The central banking regulator is expecting institutions to identify and then address Strategic Resilience Gaps in their business models so that banks can put a fight up against potential but plausible disruptive shocks, and it's entirely possible the responsibility for this exercise sits with the strategy team.

BCBS Operational Resilience Guidance |Guidance Download LINK

One would have thought that most financial institutions would already be across much of what these guidelines describe but in the short of it, Covid-19 demonstrated that some businesses were quite simply unprepared and while many risk units are patting themselves on the backs with the idea that they survived Covid Shutdowns ... .. . the stark reality of it all paints a different picture of disorganised scrambles to W̶o̶r̶k̶ F̶r̶o̶m̶ H̶o̶m̶e̶ Toss Around to support the homie brigade while nothing really got done.

Let's take a look at these New Principles for Operational Resilience and what that brings?

Resilience Principles

Operational Resilience is an outcome of managing Essential Elements that underpin the endeavor and the BIS have highlighted seven principles they believe need to be in place.

I can hear a lot of risk practitioners going Martin, this is basic stuff; we already have all of these things in place and it's quite likely that financial institutions are doing much of what BIS describe but (there is always a but, darn) BUT; Governance for operational risk or appreciating Departmental Interconnections outside the context of resilience fails to serve resilience.

SEVEN PRINCIPLES

1. Governance

2. Operational Risk Management

3. Business Continuity Planning and Testing

4. Mapping Interconnections and Interdependencies

5. Third-party Dependency Management

6. Incident Management

7. ICT Including Cyber Security

When you read the BIS Operational Resilience Publication, it will become apparent quite quickly that it puts emphasis on resilience not being about recovery or surviving through outages until services are restored but operating a business model that is perpetually in a challenged state.

You truly succeed by embracing outages as a New Normal through prioritized tradeoffs which are necessary to exist — An even better place to operate is where an organisation is able to feed off situational dynamics so that it doesn't just exist but thrives.

KEY FUNCTIONALITY

1. Resolution Planning Framework

2. Principles Based Approach

3. Utilize Existing Governance Structure

4. Board + Senior Management Approval & Oversight

5. Critical Functionality Vulnerability Assessment

6. Interconnections and Interdependency Assessment

7. Third Party Assessment & Coverage Plan

8. Recovery & Adaption Strategies

9. Harmonized Risk Appetite Tolerance Based Recovery

10. Recover and Lessons Learned Tracker

11. Develop Plausible Scenarios

12. Risk Integration with relevant functions

13. Leverage Change Management

14. Ensure Financial & Technical Coverage

In addition to the Seven Principles, The Bank for International settlements identifies fourteen sets of functionality that need to be in place to integrate and harmonize the Seven Principles in a financial institution.

This Key Functionality may be challenging to bring into operation because like the Seven Principles, it derives evolved systematic levels of governance logic that would be deemed by the average risk practitioner as already existing in some regard and thus satisfactory.

The problem of course is contextual perspective needs to be nuanced in a way that it serves 'resilience'; the devil is always in the detail as the saying goes but Let's keep it real for a moment and ask ourselves a question to test the comprehensive reach of this devilish detail.

All this aside, the BIS Resilience Guidelines LINK brings a novel perspective on operational risk management that should be useful if enough resources are applied to the agenda. Indeed, it's a refreshing break from the typical Risk Control Self Assessment (RCSA) efforts that litter risk management systems across the planet and most of us know they add little value.

It's definitely more tactile with the business units than the Simple Measurement Approach (SMA) for operational risk measurement, that was a disaster — In the year coming, we'll dive technically deeper into the Operational Risk Resilience regime, see if we can turnout some useful case studies.