I have witnessed an operational resilience team convene without its chairman, a divisional head shouting for a service to be recovered immediately and a COO stamp their feet.
Consequently, I read with keen interest the discussion paper published by the FCA, BoE and PRA on operational resilience.
The approaches I’ve seen to operational resilience range from the full ‘belts and braces’ to the minimum effort, and everything in between. Those who do the minimum do so because operational resilience is not perceived as a priority. Conversely, those who do the full ‘belts and braces’ do so because the business has experienced a catastrophic disruption that impacted the continuity of vital services. Unfortunately, this is often the only way resiliency professionals get the required resources. The loss of a data centre or an incident in the City can both be catalysts to put operational resilience front and centre. When a senior manager asks – how can we make sure this never happens again – meaningful and serious conversations follow.
I use ‘vital services’ deliberately as it reflects the wording of the regulators. Often, identifying an organisation’s vital services results in everything being labelled as vital. If everything is vital, then nothing is vital. I have seen banks try to restore all of their services after a severe disruption, which simply creates another disaster. The paper provides some suggestions as to what constitutes a vital service, such as whether a service disruption would harm consumers and market participants, or threaten the smooth operation of financial markets.
In the recent past, it was perhaps easier to think that a disruption would always affect ‘them’ rather than ‘us’. It was something for multinationals to allocate resources to, but that others could ignore. However, times have changed, as has the threat landscape. It is widely acknowledged that nearly every business will be impacted by a disruption at some point. And if this disruption affects the performance of vital services – TSB Bank and Visa Europe take note – then sufficient resiliency measures must be put in place. Therefore, it is not a question of if but when.
The discussion paper reflects this thinking: the supervisory authorities expect financial services to assume they will suffer an operational disruption and to have plans in place. Plans that reflect ‘plausible scenarios’ (the supervisory authorities’ words, not mine) for testing operational resilience have been recommended.
What hammered home the point for me was the role and involvement that is envisaged of Boards and senior management in promoting operational resilience: they are accountable for operational resilience, thus reinforcing the impetus of putting it front and centre on the agenda. In not doing so, are they happy playing roulette with their organisation’s future?
After all, you prepare for the worst when you take out comprehensive home insurance, so why not have a wide-ranging operational resiliency programme too?