Operational resilience: A case study for Boards
The UK regulators are preparing to require firms to embed an operational resilience framework within BAU operations by 2024. The three-year transition hints at the significant design and implementation work that will need to be completed. This regulatory change, which comes hot on the heels of recent high-profile disruption in financial services and the COVID-19 pandemic, makes operational resilience the perfect case study when it comes to considering effective Board oversight and governance.
Catalyst for change
The UK operational resilience agenda is intended to catalyse change within financial services. Under the proposed rules, firms will need (amongst other things) to undertake an enterprise-wide assessment of their important business services, map the systems and controls involved in delivering those services, set impact tolerances for each service and ensure they can remain within those impact tolerances. Once completed, a firm’s approach and its internal assessments will need to be documented and signed off by the Board.
Getting on Board with the operational resilience agenda
Here we consider how operational resilience plays into firm governance and why it should be top of the Board agenda:
- Accountability: The Board is collectively responsible for articulating a firm’s strategic objectives and approving its risk statement by identifying the level of risk it is willing to take to achieve those objectives. The UK operational resilience regime requires firms to specify how much disruption can be tolerated and in what circumstances (so-called “impact tolerances”). Once set, firms may be liable to regulatory sanction for operating outside these tolerances. It is accordingly a commercial and regulatory imperative for Boards to fully understand and approve the strategic decisions which are taken in relation to these thresholds.
- Delegation: It is not the Board’s job to direct the firm’s response to the new rules. However, it is important to communicate the importance of resilience. The tone from the top should inform a clear mandate and messaging for the executive team. In most large firms, responsibility for overseeing the operational resilience programme will sit with the SMF24 role-holder. In the absence of an SMF24, another accountable executive must be identified. Boards should be ready to engage with that leader and the key methodologies and decisions to be applied within their resilience programme. Given the infrastructure investment that is expected to be required, it would be a (potentially expensive) mistake to leave engagement until too late in the day.
- Culture and oversight: As both a known and evolving risk, resilience should feature high on the agenda for the Board and Board Risk Committee through 2021 and beyond. The Board should receive reports in a way that allows directors to engage with the substance of the firm’s resilience as well as progress to completion of the change programme’s project plan. Regulators are also likely to see the Board’s approach to resilience – and its focus on the customer/client experience – as a culture indicator.
- Management information: Boards must turn their collective minds to considering whether the metrics that are being reported upwards, now and in the future, are sufficient to enable them to understand the resilience of their business. As the regulatory bar rises, it will no longer be sufficient to receive information about the performance, output and cost of the firm’s supply chain. Instead, directors will need to understand what key supply chain cycle times are, how diversified and flexible each part of the chain is and what the potential/actual impacts of disruption will be.
- Lessons learned: The COVID-19 pandemic has proved a frontrunner to the new rules, testing existing business continuity plans and resilience planning. Events of the last 12 months provide firms with an unparalleled opportunity to learn lessons. Reflecting collectively on recent experiences as well as peer failings and market-wide findings (such as those published recently by the FCA) will enable Boards to flex their oversight muscles and demand updates on, or particular focus on, those areas of heightened or particularly acute risk.
- Skills and expertise: Firms should think critically about whether training is required to prepare directors to oversee not only the upcoming change management exercise but also the scenario planning and testing that is part of its resilience approach. As Boards will play a key role in any crisis response and communications strategy when a disruption event occurs, directors should be equipped now to respond quickly and in an informed way, to best protect the interests of the firm and its clients.
How we can help
We regularly advise Boards and provide training on good governance in the context of the SMCR and other applicable regimes. Our experience of enforcement investigations into matters such as system failures, transformation projects, cyber-attack and data breaches, including those where the regulators have focused on Board oversight and internal systems and controls, means we are able to act as both a critical adviser and sounding board. Meanwhile, at a programme level, our cross-practice expertise on resilience and significant regulatory change experience will allow us to support your business in shaping a programme of work and strategic decision-making. We can further help you to articulate and justify your resilience approach in a way that will support future regulatory engagement.