Operational Resilience

Effective Operational Resilience: Using automation to hit your goals

OpRes is designed to help enhance the robustness of the UK financial services sector to a range of interruptions that could compromise the integrity of the market for its users.

Operational Resilience provides a standardized approach that allows banks, asset managers and insurers, and their regulators, to have a consistent measure of how robust they are, despite having differing requirements and approaches. It’s principles-based, so there is no checkbox to tick. Instead, institutions need to identify what are their critical business processes and decide how long the market can tolerate an interruption. There’s no defined compliance standard to work towards; instead,  UK regulators require institutions to continuously improve their robustness on a range of issues.

For instance: All institutions are expected to have measures in place to define their key business processes, and plans in place to maintain availability, as part of their business continuity management (BCM) plans.

The challenge for many institutions? Integrating a host of existing initiatives and programs into their corporate Operational Resilience framework, which will likely be spread across multiple different systems, with different formats and languages. Another challenge is where informal applications, such as End User Computing (EUC) applications – typically spreadsheets – form key components of core business processes, as these may lack the controls and auditability of other corporate applications.

Automation can be solution for simplifying and consolidating the disparate process associated with OpRes, as well as securing the critical EUC-based processes that can expose institutions to compliance issues.

The ideal tools and approaches

The operational robustness standard of the UK financial sector is considered high, with regulators scrutinizing their activities under the overarching Senior Management and Certification regime (SMCR).

With many of the core processes and requirements of Operational Resilience already in place, the biggest challenge is consolidating and standardizing the information, so an institution can have an accurate and consistent view across the business, despite a plethora of systems, data types, formats and silos. The pressure on costs and resources for an institution of any size means that it’s hard to justify a large technology or business change project investment to implement Operational Resilience.

For many institutions, the ideal solution is to implement a flexible Operational Resilience policy and compliance framework that can be rolled out quickly, with no disruption to the business, and which contain the key elements of change control, transparency, and auditability.

The ideal policy engine should be a flexible template-based application that adapts easily to the differences between functions, while still helping respective teams understand and adhere to the overarching corporate Operational Resilience requirements. This policy engine will help to capture and consolidate key elements of the OpRes requirements, including business process definitions, agreed interruption times, as well as the details of the technology infrastructure that underpins it all. An automated review, approval, and reporting process is also essential.

With the policy process in place, regular automated compliance reviewing and assessment can help an organization quickly and efficiently ensure it meets the requirement of its policy, while identifying areas for improvement as they develop. Again, automated reviewing and reporting reduce the workload of compliance while continuing to maintain the standards required.

A gap that is increasingly recognized as critical is the use of EUCs to deliver core business processes. Operational Resilience effectively mandates the inclusion of these in a systematic enterprise management program, as financial services make extensive use of them in portfolio management, product development, as well as the overall management of the business. As part of OpRes, these EUCs need to be identified, managed, and controlled, in the same way as other business applications or processes.

Operational Resilience questions senior management should ask

1. Governance: what is the organization’s appetite for risk? What KPIs offer a full view of maturity? Who are the accountable persons in 1st and 2nd line defence for operational resilience?
2. Organizational: are the dependencies of business services on these assets fully understood? What are the most critical assets? How does the resilience process shift how operations, technology and vendors are managed?
3. Integration: how are existing definitions of critical business services being leveraged? What is the organization’s impact on customers and the financial system? What are the most critical services and why?
4. Measurement: how is the level of resilience monitored and managed within the organization? When is the organization outside of defined impact tolerances? What are the most critical risks for the organization?
5. Preparedness: how is the organization prepared for operational resilience deployment? How often is the response and recovery process being tested?

Operational Resilience Solutions

Mitratech has the time-tested toolkit needed to ensure OpRes compliance, and to help an enterprise meet other regulatory demands as well.