Typically, an organisation’s Operational Resilience capability has reported up to the C-Suite through the Chief Operating Officer. Recent moves by both UK and global regulators appear to be forging a different path.
In reviewing the discussion and consultation papers issued jointly by the PRA/BoE/FCA and more recently by the Basel Committee on Banking Supervision, I can only conclude that the regulators are using the work done to enhance risk appetite frameworks as the structural blueprint for Operational Resilience, tucked under the watchful eye of Operational Risk.
This is evident in Impact Tolerances being almost the sole focus of the proposed regulation, with scope limited to only those processes whose failure could either disrupt core services to retail or wholesale customers, or threaten the ongoing financial viability of the firm.
This narrow focus achieves two things:
- A single artefact containing a limited suite of metrics, binary adherence to which is relatively easy for Boards and Supervisors to monitor, but which is harder to unpick at the level of the underlying processes
- It nudges operational resilience out of the domain of the COO and further into the CRO’s remit, under the wing of Operational Risk
In pursuing this path, I believe there is significant risk of making Operational Resilience into an iceberg. If Regulators, Boards & Auditors focus solely on the impact tolerances to the exclusion of everything else, they risk failing to understand the multifaceted effort required beneath the surface to create and maintain a resilient firm. (See Figure 1)
Genuine resilience requires engagement right across the enterprise, from HR, Facilities, Corporate Services and IT to Risk & Compliance, to name but a few. It covers a far broader range of topics, and whilst risk identification and mitigation are a core element of the framework, they are only one component and not the whole.
Some will of course argue that adherence to impact tolerances reflects successful achievement in the underlying components. This is certainly true, but unless we have greater awareness, education and transparency, we are likely to see resilience underrepresented and more importantly underfunded, despite the wake-up call that 2020 has delivered!
Equally, the CRO may not be the best-equipped member of the C-Suite to fully represent Operational Resilience. With a footprint in Information Security, Disaster Recovery and Business Continuity, it is a far cry from the more comfortable credit and market risk topics, and many aspects of non-financial risk still receive only lip service at Board level. CROs forced to add this to their already packed portfolios might be rueing the scope of their SMF4 designation.
Risk may be present in everything, but it does not mean you have to put everything in Risk!
In the UK, the closing date for responses has been deferred until 1st October, and for the BCBS509 paper issued in August, respondents have until 6th November 2020 to submit their comments for consideration. This means that there is still time to act and influence the shape of this regulation before it comes into force in 2021.
It is important that you finalise your consultation response, plan your regulatory compliance roadmap, and establish your Operational Resilience framework. This is where the specialist expertise of Danos Consultancy and their partners can support you, and make a real difference.
About The Author: Paul Barker is a certified Operational Resilience Director with over 20 years of leadership experience across the Capital Markets, Private Equity, Investment Banking, Asset Management and Treasury sectors.
He specialises in establishing and enhancing robust, risk-based resilience frameworks in highly regulated, fast-paced organisations, and his work includes crisis response, continuity planning, risk and threat management, internal controls, and cyber & information security.