In this next instalment of our ‘Prepare, Protect, Prevent’ Operational Resilience (OR) campaign, we explore the impact of implementing the Financial Conduct Authority’s (FCA) OR requirements, shifting our focus to embedding OR practices. This includes futureproofing the framework so that it seamlessly integrates with the business.
In March 2021, the FCA acknowledged that OR would evolve through an iterative process. They recognised that material changes to firms’ business may impact Important Business Services (IBS) or impact tolerances previously defined.
The FCA’s Suman Zaiullah took the opportunity at the TISA Operational Resilience Forum in October 2024 to reiterate that OR needs to be a “permanent part of the mindset for how firms deliver their business,” setting the expectation within the industry that firms need to deliver flexible and integrated OR frameworks that truly evidence resilience.
Being Resilient
The FCA have stated that if remediation of vulnerabilities is required beyond March next year, there must be a response and recovery plan documented to manage the risk in the interim.
Operational Resilience means firms can continue to deliver their critical functions when disruption occurs. Key processes, systems, data, people and facilities are protected and there is no longer an acceptance of risk where weaknesses exist.
In becoming increasingly proactive, firms can better prevent foreseeable harm to consumers, other parties and the wider markets. Embedding the practice of continuous and proactive monitoring to identify and mitigate risks will demonstrate their agility to make changes quickly whilst remaining within tolerance levels.
Evidencing Resilience
We’ve worked with many of our clients to support them in embedding resilience, ensuring that they have documented the strong foundations that need to be in place, beyond traditional risk and business continuity practices.
This has involved them being able to evidence each of the following:
Board Reports
When working with our clients to ensure they are adequately evidencing their resilience, the distinction of criticality in their services has been most important.
To prevent IBS from reaching a point of crisis with the potential to become disastrous, there must be internal controls across the whole value chain providing the confidence that disruptions can be mitigated, with board reports attesting to the firm’s ability to:
- Maintain continuity of service with sustainable and effective workarounds in place that ensure the business continues to operate within the tolerance levels they have set
- Enable and support all customers, including vulnerable customers, should a disruption occur
- Proactively communicate and engage within the wider business as well as with customers in the event a disruption occurs
- Embed the principles of Operational Resilience across their Governance, Risk and Change Management Frameworks
- Manage the risks third party suppliers present when maintaining resilience, ensuring the levels of due diligence undertaken evidence the suppliers’ ability to maintain service to customers
Aside from the obvious customer impacts, a failure to evidence embedded OR across the whole value chain will result in inadequate OR, which calls into question the dependability and integrity of the financial services industry, and the knock-on effect of disruptions through loss of operations could potentially threaten the organisation’s overall viability.
Futureproofing
Once resilience has been established, the practice of managing OR needs to be demonstrable through a robust MI framework that evidences how firms are responding to and resolving disruptions which threaten their tolerance levels.
OR becomes a regular feature on governance agendas, with discussions focused on how the business is tracking against tolerance levels and if these are still appropriate. If there are outstanding vulnerabilities, discussions focus on what progress is being made to resolve and remove these.
Lessons learned are being incorporated as implementable actions that result in effective changes that can be measured and reported on. Firms are clear what they want to report on, how quickly and how often so that they can confidently manage disruptions, conduct effective root cause analysis (RCA) and meet the reporting needs of their board.
Change Management frameworks are updated so that they start with the question, how does this impact the IBS? Whether change is driven by people, global or technological influences, these factors, when viewed through the lens of OR, are the foundation of the business case with assurance functions asking this question first, every time, for every type of change.
Marketability
Through allocating resources in a more effective and efficient way, ways of working have improved, positioning firms more positively to win new business, or for mergers, acquisitions and diversification into new areas. Operational Resilience compliance is adding strategic value and delivering Return on Investment that benefits the bottom line, rather than just taking from it.
As we get closer to the implementation deadline, BPOs and ITOs are beginning to utilise their OR Frameworks as a marketable feature of their propositions, synergising OR across the business to enhance trust and loyalty with clients alongside reducing operational risk and the cost of disruption.
Conclusion
There remains the key challenge of managing 3rd party dependencies, ensuring that there are sufficient contractual controls to enable efficient incident and crisis management. Clear roles and responsibilities must be in place, offering the assurance that effective preventative controls are working, with workarounds enabling the business to continue when encountering significant disruption.
Thus, by achieving this level of rigour and control around the OR foundations, resilience becomes embedded within an organisation’s DNA.
Do you need help to evidence your resilience ahead of the 31st March 2025 deadline? Let us know how we can help you by getting in touch today using [email protected]
Practitioners, Proportionate, Professional. Simplify Consulting. It’s what we do.
Jo Fulford
Wealth Consultant