
Risk in Context

Operational Resilience: Protecting Your Business

Posted by James Crask 05 September 2018

The Bank of England’s recent discussion paper on operational resilience explores a new approach to the topic and provides insights into how the regulator’s view on resilience is evolving. The paper builds upon the 2018 Financial Stability Report to position operational resilience as a significant pillar of the Bank’s approach to maintaining stability in the sector.

The Challenges of Operational Resilience

Many existing approaches to operational resilience are insufficient to protect an organisation from disruption. Concentrating recovery planning at the critical resource dependency level (e.g. IT and property) can result in a lack of end-to-end planning, leaving blind spots and capability gaps. This is why we can cite numerous examples in the financial sector, and elsewhere, of businesses suffering disruption despite heavy investments in risk management and continuity planning.

The Bank of England’s discussion paper seeks to address this by taking a more strategic view of resilience. The paper encourages firms to:

  • Hold a clear understanding of important business services, and the systems and processes that support them (including suppliers).

  • Build knowledge of how the failure of an individual system or process could impact the provision of the business service.

  • Develop an understanding of possible alternatives for processes and systems should they be disrupted.

  • Implement tested plans to continue or resume business services when a disruption occurs, supported by communication plans to provide more timely information.

An Integrated Approach to Operational Resilience

Delivery against what the Bank is proposing will require much closer interaction between risk management and resilience functions, which in itself is an enormously beneficial outcome. A more integrated approach to operational resilience, tying together existing risk and resilience activities under a shared view of your organisation’s tolerance for disruption, is to be welcomed. 

Greater integration will allow you to take a more balanced view of where to invest in prevention versus recovery when managing disruption-related risk. In practice it will mean risk and resilience functions collaborating in order to:

  • Build a governance structure that drives accountability for the maintenance of resilience and the management of disruption risk for the most important business services.

  • Set tolerance levels for the disruption of these services, building upon existing expressions of risk appetite.

  • Test resilience capabilities and risk controls against impact tolerance, using plausible failure scenarios.

  • Enhance risk controls, including contingency arrangements, to fill any gaps in your firm’s control environment for disruption-related risk.

It won’t be just customers, regulators, and shareholders that benefit from this new approach to resilience. Integrating recovery planning with risk management will mean your organisation can build a clearer and more comprehensive view of its risk exposures. Executed correctly, this could be translated into more appropriate insurance cover and more accurate premiums.

 


James Crask

Consulting Director and Resilience Advisory Lead, Marsh Risk Consulting