Integrated Operational Resilience and TPRM: A Key Theme for 2021

It has been a quiet triumph for institutions and regulators alike, especially in the UK, where the Operational Resilience initiative was launched by the lead regulators – the PRA and FCA – over two years ago. It focuses on ensuring that the UK’s financial services sector is ready and able to withstand a broad array of shocks and continue to function effectively. That over 100,000 UK bank workers could work from home over two weeks in March 2020 is a testament to the value of Operational Resilience.

Regulators are assessing the principles worldwide, including the Basel Committee for Banking Supervision (BCBS), which has published a consultation document on the Principles of Operational Resilience.

Shifting the focus toward TPRM

Much of the early work on Operational Resilience focused on internal business processes and systems. More recently, encouraged by regulators and spurred by COVID-19, the focus has shifted toward applying the same principles to third-party relationships – typically referred to as Third-Party Risk Management (TPRM).

Integrating Operational Resilience and TPRM make complete sense. Institutions have accelerated the use of third-party providers in recent years, covering cloud-based applications, data storage, data management, data analytics, customer service provision, contractor staffing, and much else. In turn, these service providers have also been using their 3rd party providers, creating a chain of 4th and 5th party service providers to the original customer.

An interruption at any stage of this diverse supply chain could materially compromise the service provided by the original business, disrupting its Operational Resilience and impacting market confidence.

These interruptions could be diverse, encompassing the classic flood or fire, through to cyber risks, merger and acquisitions, regulatory infractions, reputational incidents, and much else. Operational Resilience demands visibility of these issues so that they can be managed and mitigated.

Key issues in integrating Operational Resilience and TPRM

There are, however, a couple key issues that will need to be addressed to make such an integration succeed:

Concentration Risk

This is significant in a complex supply chain landscape. The chances of multiple suppliers in the same chain making use of the same utility provider, cloud service provider, transportation system, or even network of Directors is surprisingly high. A single incident could impact multiple parts of a business in numerous ways. Visibility will matter.

Proportionality

Large global corporate institutions will have very different needs of, and relationships with, service providers, compared to a single-site Credit Union, for example. This will drive very different solutions for both, but ideally, there will be standard definitions and measures to help the industry maintain its robustness.

To help address these, in the UK there is a market-lead initiative emerging that will help institutions both large and small.  In due course, it should provide a common set of definitions, measures, and language that will help institutions and their service providers to align services, requirements, and contracts.

This will help enhance the collective Operational Resilience, without necessarily increasing costs. It should provide a best practice framework for many institutions, as well as regulators. This framework will likely be made available in H1 2021.

Institutions recognize the need to scale up their TPRM capabilities to manage a more complex, more resilient environment. Many are also taking the opportunity to review their policies and procedures environment to ensure it is equally scalable and robust. Accuracy, consistency, and efficiency are guiding principles for many businesses as they find the best way to tackle a significant issue for 2021.

Learn more about Mitratech can help you enhance your TPRM.

[bctt tweet=”Institutions recognize the need to scale up their TPRM capabilities to manage a more complex, more resilient environment.” via=”yes”]