For any financial services company, big or small, failure is not an option. Financial services play a critical, foundational role in almost every sector of the economy, and robust customer service is expected through technology failures, market disruption, systemic risk events, natural disasters, and even pandemics.
Companies that can deliver robust services through unexpected disruptions are considered operationally resilient. The critical importance of operational resilience in financial services is evidenced by the flurry of guidance from global financial regulators detailing expectations and mandating best practices on how providers and supporting infrastructure can improve their operational resilience.
Operational resilience, as defined by the Federal Reserve Board (FRB), is the ability to deliver operations, including critical operations and core business lines, through disruption from any hazard. Last October, the FRB, in partnership with the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation, issued an interagency paper on Sound Practices to Strengthen Operational Resilience. This guidance, specifically written for banks and savings and loan companies with at least $100 billion in assets, can be adapted and applied to financial services companies of any size.
In short, operational resilience is built through “effective operational risk management combined with sufficient financial and operational resources to prepare, adapt, withstand, and recover from disruptions.” More than business continuity, which is focused on uninterrupted operations, operational resilience considers how to best adapt a firm’s operations to deliver services through any disruption.
1. Establish Effective Governance
Effective governance at the board and senior management level is critical to strengthening operational resilience. A strong risk management culture—the foundation of operational resilience—can only happen when there is top-down, organizational commitment. Board and executive responsibilities lay the groundwork and accountability for an operationally resilient mindset and commitment to supporting practices throughout the organization.
2. Identify Critical Assets
Disruption, by its nature, is unpredictable. Operational resilience is not about identifying and measuring risks and uncertainty, as the impact of evolving technology and market changes can rarely be predicted. It is instead a framework for protecting the core business.
The identification of critical assets and functions and core business lines should be done with the intention of protecting those assets and operations regardless of the source of disruption. Whether impacted by an unexpected technology failure, pandemic, cybersecurity incident, or any other cause, an operationally resilient firm will have the policies, procedures, and practices in place to guide them through any disruption.
To do this in a systematic way, the board must determine and approve the risk appetite and risk tolerance for operational disruption, both at the enterprise level and for critical operations and core business lines. These explicit board parameters for the firm’s acceptable level of risk from operational disruption can guide effective decision-making, appropriate investment in resilient systems and controls, and a consistent firm-wide approach to operational risk management.
3. Consider Key Dependencies and Interconnections
After identifying the core business lines and critical assets and functions, consider the key personnel, technology, processes, data, and physical infrastructure facilities required to protect them. Understanding those inputs and mapping out how those assets depend on and interconnect with other internal functions, external parameters, or third parties will support a robust plan for business continuity and operational resilience.
Managing third-party risk is critical for operational resilience given the growing dependence on third parties to maintain specific functions and services of core business lines. This risk must also be accounted for within the approved risk tolerance.
An understanding of the entire picture is necessary for recovery planning and the buildout of appropriate redundancies and alternate availability of essential resources, personnel, technology capability, and, if necessary, physical infrastructure. Recovery planning should also be consistent with existing risk management practices to ensure that there are no gaps in providing service or meeting regulatory requirements.
4. Proactively Review and Audit Plans
Operational resilience is a dynamic process requiring periodic review, testing, and auditing. As systems and processes evolve, so should your plans. Regularly employing an internal or external audit function to assess the design and effectiveness of operational resilience efforts will help to keep your plans relevant, identify shortcomings due to process or policy changes, and support a firm-wide culture of risk management and operational resilience.
As new infrastructure and technology are adopted, your plans should be revisited and tested. Any digital transformation effort should include planning for and adoption of policies to address digital risk, such as disruption due to an internal failure, cybersecurity incident, or processing error.
Consistent testing of your operational resilience plans, including dependencies and interconnections, will prepare your firm to pivot and adapt quickly through a disruption.
5. Form a Collaborative Approach to Operational Risk Management
An operational risk management function is responsible for determining and managing exposure related to internal processes, people, and systems as well as external threats and third parties. However, it cannot do this in a silo. Effective operational risk management requires a collaborative approach between senior management, business units, the operational risk management function or its designees, and the internal or external audit function.
A cross-functional approach supports effective identification, mitigation, and resolution of operational risk, including technology and third-party risk, within the risk appetite and risk tolerance defined by the board, while collaboration ensures a consistent, firm-wide approach and commitment to operational resilience.
How LogicGate Can Help
See how LogicGate is helping other companies in the financial services sector achieve their goals, establish efficient processes, and strengthen their operational resilience by reading what they have to say on G2.