Operational Resilience: Where Are We?

  • Kevin Nye, Executive in Residence, Global Risk Institute

OVERVIEW:

In recent years, financial institutions have been severely challenged by cyber-attacks, technology failures and the current pandemic. This has put both clients and the wider financial markets at risk. These disruptions will continue and with that in mind, how to make firms more operationally resilient has become a priority in many regulatory jurisdictions. There are a number of approaches under consideration and whether regulators ultimately respond by providing workable globally-compatible guidance is yet to be determined. Regardless, firms need to act now to better protect their clients, themselves and overall market integrity.

To begin, it is important to understand how traditional operational risk management and operational resilience differ. Operational Risk is defined as “the risk of loss from inadequate or failed internal processes, people and systems or from external events.”[1] Operational Resilience is defined as “the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”[2] To move forward, however, we must go beyond these formal regulatory definitions.

At the highest level, the difference between managing operational risk and being operationally resilient is a change in mindset, moving from being focused on the impact on the firm to being focused on the impact on the client. It is not about how to recover the functionality of a particular system if an event happens; it’s about how to ensure you can meet your clients’ needs when that event happens. It puts the client at the centre of what you do.

All firms like to think of themselves as client-centric and that meeting their clients’ needs is paramount. Over time, however, these needs have become much more specific and granular. Providing bundled banking products is no longer sufficient. Today, clients look at each service separately (e.g. the ability to check your balance online, the ability to withdraw cash from an ATM) and they expect the delivery of each of these services to be seamless, 24/7, without delay or interruption. Those who can deliver this, even in times of crisis, will see improved customer loyalty and trust. Not being able to meet your clients’ needs at that level of granularity in times of distress can result in severe reputational damage and often loss of clients, both extremely costly to the firm.

At this point, global and domestic regulatory approaches to operational resilience vary. The Basel Committee on Banking Supervision (BCBS) and the UK Regulatory Authorities (UK) are taking a principles-based approach, albeit with varying degrees of prescriptiveness, while the U.S., Australia and Canada are more focused on specific technologies (e.g. cybersecurity).

ENDNOTES

[1] Basel Committee on Banking Supervision: Principles for the Sound Management of Operational Risk, June 2011 (www.bis.org)
[2] The View from the Regulator on Operational Resilience: December 2019 (www.fca.org.uk)