Building a sustainable, repeatable process to aid recovery after a successful cyber attack is paramount, and banks can do this by prioritizing critical data to better support their essential services.
Being part of the value chain
Whether you’re a small community bank or a large global universal bank, other organizations in your value chain are imperative to your operational resilience. CROs must consider how they work with each and every important player in their ecosystem to understand the impact of resilience risks on their organization and, conversely, what risks their institution poses to the wider ecosystem. Here, greater collaboration is crucial to understanding how other businesses are set up and what the expectations are of all participants across the ecosystem.
As banks have been pushed by regulators to focus on the end-to-end continuous delivery of services, they have had to assess whether each third party is critical or not. If the service is critical, so too is the third party that supports it (and even more so, third parties that support multiple critical services). This includes services provided to customers, as well as internal or enterprise-wide functions critical to operations.
There is a clear expectation that banks are already planning for greater scrutiny of third parties from a testing perspective, both in terms of continuity of support and of developing broader, deeper conversations with the most critical vendors. The survey shows that 74% of respondents expect higher standards for monitoring critical third-party service providers. This is going to push banks to elevate their maturity in terms of how much transparency they want with these vendors. Banks must perform other tasks, such as concentration risk analyses and looking at single points of failure, to ensure their operational resilience is robust.
How to achieve operational resilience
Banks learned a lot about the quality of their operational resilience during COVID-19 and have shared these learnings with both their boards and regulators. CROs expect regulators will subsequently use those insights to strengthen regulation – indeed, 93% of bank CROs expect tougher resilience standards ahead, especially in data protection, cybersecurity, and end-to-end testing.
However, there isn’t just a regulatory need to improve operational resilience; there’s a business incentive too. With ongoing threats and disruption, banks cannot treat resilience as a stand-alone issue. Instead, it must be built immediately into the fabric of organizations’ decision-making processes, transformation programs, and digital and technological capabilities. CROs can help to shift how banks think about resilience processes by building the necessary business case to secure more investment in resilience measures.
Being more proactive is a major theme when talking to CROs about what they learned about operational resilience during the COVID-19 crisis. There is widespread recognition that no bank had a business continuity plan good enough for a global pandemic of this magnitude.
The lessons learned are now making their way into how organizations will operate in the future. For example, the more executive management teams are informed about risks, the better they understand the critical information, thereby accelerating their risk acceptance decisions. Additionally, there is a greater recognition that resilience is made up of many components, each playing a crucial role. The pandemic has helped to break up a traditionally siloed mentality toward resilience, ensuring that each operational capability works in harmony with the others.