What is Operational Resilience and why is it so important?
The UK’s Operational Resilience (OpRes) framework is designed to ensure that the UK’s financial services sector is resilient to a range of issues that could impact the services it provides to the UK economy. Examples include cyber attacks, a technology outage, or a significant economic interruption.
The events of 2020-2021 are proof of the need for business resilience. OpRes builds on many frameworks that banks will typically use, but the challenge is being able to integrate them into a cohesive whole, while also ensuring that any informal but critical business processes are also fully integrated.
Effective Operational Resilience: Using automation to hit your goals
OpRes is designed to help enhance the robustness of the UK financial services sector to a range of interruptions that could compromise the integrity of the market for its users.
Operational Resilience provides a standardized approach that allows banks, asset managers and insurers, and their regulators, to have a consistent measure of how robust they are, despite having differing requirements and approaches. It’s principles-based, so there is no checkbox to tick. Instead, institutions need to identify what are their critical business processes and decide how long the market can tolerate an interruption. There’s no defined compliance standard to work towards; instead, UK regulators require institutions to continuously improve their robustness on a range of issues.
For instance: All institutions are expected to have measures in place to define their key business processes, and plans in place to maintain availability, as part of their business continuity management (BCM) plans.
The challenge for many institutions? Integrating a host of existing initiatives and programs into their corporate Operational Resilience framework, which will likely be spread across multiple different systems, with different formats and languages. Another challenge is where informal applications, such as End User Computing (EUC) applications – typically spreadsheets – form key components of core business processes, as these may lack the controls and auditability of other corporate applications.
Automation can be a solution for simplifying and consolidating the disparate processes associated with OpRes, as well as for securing the critical EUC-based processes that can expose institutions to compliance issues.
The ideal tools and approaches
The operational robustness standard of the UK financial sector is considered high, with regulators scrutinizing their activities under the overarching Senior Management and Certification regime (SMCR).
With many of the core processes and requirements of Operational Resilience already in place, the biggest challenge is consolidating and standardizing the information, so an institution can have an accurate and consistent view across the business, despite a plethora of systems, data types, formats and silos. The pressure on costs and resources for an institution of any size means that it’s hard to justify a large technology or business change project investment to implement Operational Resilience.
For many institutions, the ideal solution is to implement a flexible Operational Resilience policy and compliance framework that can be rolled out quickly, with no disruption to the business, and which contains the key elements of change control, transparency, and auditability.
The ideal policy engine should be a flexible template-based application that adapts easily to the differences between functions, while still helping respective teams understand and adhere to the overarching corporate Operational Resilience requirements. This policy engine will help to capture and consolidate key elements of the OpRes requirements, including business process definitions, agreed interruption times, as well as the details of the technology infrastructure that underpins it all. An automated review, approval, and reporting process is also essential.
With the policy process in place, regular automated compliance reviewing and assessment can help an organization quickly and efficiently ensure it meets the requirements of its policy, while identifying areas for improvement as they develop. Again, automated reviewing and reporting reduce the compliance workload while continuing to maintain the standards required.
A gap that is increasingly recognized as critical is the use of EUCs to deliver core business processes. Operational Resilience effectively mandates the inclusion of these in a systematic enterprise management program, as financial services make extensive use of them in portfolio management, product development, as well as the overall management of the business. As part of OpRes, these EUCs need to be identified, managed, and controlled, in the same way as other business applications or processes.
Operational Resilience questions senior management should ask
- Governance: what is the organization’s appetite for risk? What KPIs offer a full view of maturity? Who are the accountable persons in 1st and 2nd line defence for operational resilience?
- Organizational: are the dependencies of business services on these assets fully understood? What are the most critical assets? How does the resilience process shift how operations, technology and vendors are managed?
- Integration: how are existing definitions of critical business services being leveraged? What is the organization’s impact on customers and the financial system? What are the most critical services and why?
- Measurement: how is the level of resilience monitored and managed within the organization? When is the organization outside of defined impact tolerances? What are the most critical risks for the organization?
- Preparedness: how is the organization prepared for operational resilience deployment? How often is the response and recovery process being tested?
Operational Resilience Solutions
Mitratech has the time-tested toolkit needed to ensure OpRes compliance, and to help an enterprise meet other regulatory demands as well.
A policy management solution like Mitratech’s PolicyHub saves time and improves efficiency, supporting effective policy management by automating and streamlining the processes involved and removing the complexities and errors they introduce, so you can build an ethical and defensible compliance program.
EUC/Shadow IT Management
An automated tool like ClusterSeven lets you proactively discover, monitor, review, and audit changes made to End User Application spreadsheets and other “Shadow IT” data assets hidden across your enterprise. Gain a centralized view of enterprise-wide critical spreadsheet use, assess and prioritize critical spreadsheets, and provide transparency for management and auditors about your most important files.
Compliance & Obligations Management
A compliance and obligations management solution, like Mitratech’s CMO offering, uses a simple, intuitive interface to let employees and auditors be proactive in incident and audit management, including Volcker Rule obligations, controls, investigations, and non-conformance reporting. Easily report incidents, understand your obligations, and continuously improve your compliance performance.
Enterprise Content Management
An ECM solution like DataStore is designed from the ground up for financial services users, providing complete control over the capture, indexing, archiving, retrieval, accessibility, delivery and retention of every item of business-critical information in an organization, via a secure central repository.