Integrating with existing frameworks
1. Business continuity
Of all existing activities, business continuity management (BCM) is the one most closely related to operational resilience. At most firms, BCM has historically been a bottom-up exercise, whilst operational resilience is very much top down. This mismatch has understandably caused challenges for what are otherwise similar activities.
The key is aligning prioritisation between the elements that support IBS and the BCM system of record. One key difference is that BCM typically focuses on a limited range of scenarios, physical in nature and recoverable within recovery time objectives (RTO), rather than the more extensive list of severe but plausible events. This limits the re-usability of testing results, and firms are looking to increase the scope of BCM testing to cover the full range of scenarios. This is more straightforward than it appears, since the range of recovery actions being tested will generally be far narrower than the number of potential scenarios to consider.
2. Non-financial risk (NFR)
While operational resilience and NFR have much in common, the different location (1LoD vs. 2LoD) and the focus on recovery as opposed to prevention makes the distinction. The key input that NFR provides for operational resilience is horizon scanning for disruptive risks and events and creating the subset of the material risk inventory that covers these. This becomes the benchmark for the vulnerability assessment, creating severe but plausible scenarios for testing and lessons learned reviews of events happening to other organisations. We would anticipate that operational resilience will appear within risk control self-assessments (RCSAs), both for businesses and the central team generating challenge from NFR.
3. Third-party risk management
There is significant overlap driven by the need to ensure that material third parties can continue to deliver the contracted services if disrupted. This is evident from how closely linked the regulations around third parties and operational resilience are, such as the EU’s Digital Operational Resilience Act (DORA)³ and the Prudential Regulation Authority (PRA) supervisory statement (SS2/21)⁴. The key resilience considerations for vendors are resilience capability, control and concentration, and they apply equally to internal and external third parties. Prioritisation should be reviewed to ensure that it is aligned, supported by a regular vendor questionnaire. Depending on the level of outsourcing, consideration should be given to integrating third parties into testing to provide a higher degree of confidence in recovery actions.
One area of importance is the level of information provided by vendors on how they deliver their services and resilience capabilities; both at the contract stage and on an ongoing basis. The PRA Critical Suppliers Discussion paper (DP3/22)⁵ and the EU DORA point to greater disclosure going forward, but this will take time with firms struggling to get the necessary information in the short-term.
Thought also needs to be given to the impact of planned changes of critical suppliers to ensure that resilience is not impacted.
4. New business and IT change
Change management (or the lack of it) is the single biggest cause of IT disruption according to an FCA report⁶, titled ‘Cyber and Technology Resilience: Themes from cross-sector survey 2017-18’. New business and changes to the way that services are delivered should be captured and, where relevant, trigger a review of their impact on the resilience profile of the firm. Thought needs to be given to how this review is triggered, and to filtering so that the changes reviewed are those with a resilience impact, without the process being overwhelmed by the volume of changes. Firms should consider how the governance of strategic change occurs and seek to embed resilience considerations into this lifecycle.
5. Cybersecurity and IT disaster recovery (ITDR)
Typically, cybersecurity and ITDR fall outside BCM, often having limited interaction. Given their critical impact on almost every financial service provided, they need to be incorporated into the mapping, vulnerability assessment and testing phases. The elements of delivery processes for IBS need to be correctly prioritised in recovery plans. To do this, they also need to be tagged correctly in technology registers, such as the firm’s configuration management database (CMDB). This will allow enhanced testing both in terms of scope, nature of test and frequency.
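The alignment called for in sections 1 and 5, between the assets that deliver an IBS and how they are recorded in the BCM system of record and CMDB, can be checked mechanically. The following is an added illustration, not code from the original article: the IBS map, the CMDB export, the `ibs_critical` tag and the field names are all constructed assumptions standing in for a firm's real records.

```python
"""Reconcile an IBS mapping with a CMDB export (added example, constructed data)."""
from dataclasses import dataclass

# Constructed IBS mapping: service -> impact tolerance (hours) and the
# technology assets that deliver it. Field names are assumptions.
IBS_MAP = {
    "Retail payments": {"impact_tolerance_h": 4,
                        "assets": ["PAY-GW-01", "CORE-DB-02", "AUTH-SVC-03"]},
    "Mortgage origination": {"impact_tolerance_h": 24,
                             "assets": ["MTG-APP-01", "CORE-DB-02"]},
}

# Constructed CMDB export: asset -> recovery time objective (hours) and tags.
# The "ibs_critical" tag is an assumed convention for IBS delivery elements.
CMDB = {
    "PAY-GW-01": {"rto_h": 2, "tags": {"ibs_critical"}},
    "CORE-DB-02": {"rto_h": 8, "tags": {"ibs_critical"}},  # RTO wider than the 4h tolerance it supports
    "AUTH-SVC-03": {"rto_h": 2, "tags": set()},             # supports an IBS but is untagged
    "MTG-APP-01": {"rto_h": 12, "tags": {"ibs_critical"}},
}


@dataclass(frozen=True)
class Finding:
    service: str
    asset: str
    issue: str


def required_rto(ibs_map):
    """Per asset, the tightest impact tolerance of any IBS it supports.
    A shared asset inherits the most demanding service's requirement."""
    req = {}
    for spec in ibs_map.values():
        for asset in spec["assets"]:
            req[asset] = min(req.get(asset, spec["impact_tolerance_h"]),
                             spec["impact_tolerance_h"])
    return req


def reconcile(ibs_map, cmdb, tag="ibs_critical"):
    """Flag IBS assets missing from the CMDB, untagged, or with an RTO
    that exceeds the impact tolerance of the service they deliver."""
    findings = []
    for service, spec in ibs_map.items():
        tolerance = spec["impact_tolerance_h"]
        for asset in spec["assets"]:
            rec = cmdb.get(asset)
            if rec is None:
                findings.append(Finding(service, asset, "not in CMDB"))
                continue
            if tag not in rec["tags"]:
                findings.append(Finding(service, asset, f"missing '{tag}' tag"))
            if rec["rto_h"] > tolerance:
                findings.append(Finding(service, asset,
                    f"RTO {rec['rto_h']}h exceeds impact tolerance {tolerance}h"))
    return findings
```

Run against a real export, the findings list is the backlog of register corrections and recovery-plan re-prioritisation; the `required_rto` view is what the BCM system of record should agree with.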
6. Recovery and resolution planning (RRP)
With regulators mandating that firms plan to recover from financial distress and also be able to wind down in a controlled fashion by focussing on critical operations, there is a certain degree of overlap between operational resilience and the resolution element of RRP. The key difference is the longer time horizon of RRP, coupled with the nature of client harm that is covered in the UK operational resilience regulation. The principal area to align is the granularity, mapping and taxonomy of services, and indicating which of the critical operations on the list are IBS. The principal benefit lies in potentially coordinating the testing for maximum efficiency and to avoid duplication.