On the move for an Operational Resilience Framework
Currently, for many organizations, operational resilience is at the top of the agenda of the Board and senior management. The COVID-19 pandemic clearly showed how vulnerable societies and organizations can be to unexpected and unforeseen events.
The pandemic is just one example of an event that can disrupt critical operations and businesses, leaving them fragile and eventually causing them to collapse. Cybercrime threats, climate change events, technological changes and geopolitical developments are just a few other examples of potential sources of disruption. Regulators have realized that a range of potential disruptive events cannot be prevented and are exploring ways to guide financial institutions in improving their operational resilience. Zanders, in cooperation with GloComNet, supports organizations in achieving this.
Operational resilience is defined as “the ability of an organization to deliver critical operations through disruption. This ability enables an organization to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimize their impact on the delivery of critical operations through disruption.”*
Recently, the topic has gained the attention of regulators in the financial sector. Disruptive events like the ‘Great Financial Crisis’ of 2008, the increased attention on climate change, money laundering practices and fraud, and the unprecedented threats of the pandemic have repeatedly put this sector to the test.
For quite some time, the focus of regulatory supervision in the financial sector has been on the ability to absorb financial shocks, creating a more prudent financial system. Most of these regulations are built on statistics and historical data and are therefore based on events that have happened before. Regulation that prepares banks for uncertain, rather than merely risky, events is, however, lacking.
Therefore, in March 2021, the Bank of England published the discussion paper ‘Building operational resilience: Impact tolerances for important business services’. The new regulation takes effect on 31 March 2022 for UK banks and investment firms. Also in March 2021, the Basel Committee on Banking Supervision (BCBS) published ‘Principles for Operational Resilience’. This paper outlines regulations that will become applicable to banks and is a harbinger of new regulation in the European Union.
The BCBS acknowledges that certain potentially disrupting events, such as pandemics, cannot be avoided. However, they assert that “it is possible to improve the resilience of a bank’s operations to such events.” This is established by aligning a bank’s tolerance for the potential impact of such disruptions with its efforts to improve its operational resilience. Key in this process are seven principles related to:
- Operational risk management
- Business continuity planning and testing
- Mapping interconnections and interdependencies
- Third-party dependency management
- Incident management
- ICT including cyber security
Operational resilience vs operational risk
Operational resilience should not be confused with operational risk. Operational risk focuses on the non-financial risks that arise naturally when an organization carries out its regular operations, and considers the losses resulting from disrupted operations. Operational resilience is introduced in addition to traditional operational risk management because quantitative methods have their limits in complex activities and under uncertainty. Situations will always arise in which the organization is surprised and has to take new decisions or actions.
Operational resilience extends operational risk management in several dimensions. Firstly, operational resilience acknowledges not only risky but also uncertain events. Additionally, where operational risk remains a rather passive way of looking at potentially disruptive events, operational resilience defines approaches to manage them, inducing a shift from a passive to an active approach. Lastly, operational resilience has a broader scope than the resilience of individual operations: it also covers governance, strategy, information security, business continuity, disaster recovery and the organizational culture. Operational risk can therefore be seen as a subset of operational resilience.
The BCBS deems that banks must implement effective operational resilience solutions and business continuity plans. Additionally, banks should explore and manage their internal and external interdependencies, improve their incident response, develop recovery plans, and document lessons learned to limit the impact of potential disruptions.
Together with Prof. Lex Hoogduin (see box below), Zanders developed the Operational Resilience Framework, in short the OR Framework. The objective of the OR Framework is to support organizations in safeguarding undisrupted business operations. The framework builds on extensive economic theory and is based on the Framework for Acting under Uncertainty and Complexity (FAUC). The FAUC comprises comprehensive economic theory and practices from executives in the financial sector.
The roadmap to the OR Framework consists of a five-phase continuous feedback loop. Each phase provides guidance for an organization to become more resilient.
Phase 1: Mapping operations
The first phase concentrates on the mapping of critical business operations. Mapping separate operations allows for identifying events that potentially disrupt specific operations in a structured manner. As each organization and its operations are unique, so are the potential sources of disruptions.
Phase 2: Building secure operations
The second phase focuses on building secure operations. For each critical business operation, potential disruptions and their sources are identified by asking ‘What can go wrong?’ and ‘Why do things go wrong?’, and by constructing a list of such disruptive events and their sources. Listing the vulnerabilities of critical operations allows the organization to take measures to eliminate, avoid, protect against, anticipate and/or mitigate the impact of potential disruptions. To be able to anticipate such events, it also needs to be determined ‘When exactly does it go wrong?’. Setting threshold values that trigger action when breached allows for strong, collective incident responses and for learning from those incidents.
Phase 3: Being alert
This phase relates to monitoring and detecting disruptive events. Key in this phase are early detection, warning and notification of stakeholders, and swift action. This allows for early measures and enables adaptation to a new situation, leading to a more resilient organization that is able to create and seize opportunities.
Phase 4: Being robust
The next phase entails responding to and recovering from disruptions when they occur. Flexibility in adapting to the situation is key in this respect. Financial buffers, recovery plans, rulebooks and scripts, fire drills and war games allow the organization to be prepared for when a disruptive event takes place.
Phase 5: Learning
The fifth phase concentrates on learning and concerns the review of past disruptions. Effective incident responses require that previously encountered disruptions and the measures taken are clearly communicated and documented. The main focus in this step is on a ‘continuous feedback process’ to discover and learn about the vulnerabilities of the organization, and to become more resilient.
A just culture
An important condition for a successful implementation of the OR Framework is true, honest, and timely reporting of disruptions that occur within the organization. This requires that there is incentive and trust to continuously explore and detect disruptions, and to communicate them. This enables the organization to act on disruptive events in a timely manner. Therefore, a ‘Just Culture’ is a crucial condition for the successful implementation of the OR Framework in all its applications.
A Just Culture is defined as a set of evolving rules, norms, ethics, and behavior that allows individuals as well as organizations to sustainably learn and benefit from human interaction. In a Just Culture it is imperative that people have personal responsibility by having ‘skin in the game’. A Just Culture is encouraged through leading by example from the top: ‘Show me, do not tell’.
Risk, Uncertainty and Complexity
To understand the OR Framework, we differentiate between risk, which is the main focus of traditional risk management, and uncertainty, which requires supplementary methods for coping with it. Risky events are calculable, and probability theory and quantitative modelling tools are applicable. Uncertain events are not calculable, and other methodologies must be applied to be able to say something about future events.
Additionally, the OR Framework is based on the notion that the world is complex and fundamentally uncertain. Developments such as population growth, technological innovations and increasing interconnectedness of people and systems will inevitably result in more surprises. Coping with uncertainty is largely coping with potential surprises.
The consequence is that operational resilience in the financial sector against uncertain events demands methods supplementary to traditional risk management. The key question is: if we face an uncertain, rather than risky, world full of potential surprises, how can we deal with that?
The OR Framework is implemented for each critical operation of the organization independently. Zanders provides the roadmap through each step of the framework by assessing and filling potential (regulatory) gaps, by organizing workshops and training sessions, and by providing customized policy documentation and advisory. This allows for uncovering potential (sources of) disruptions for critical business operations and developing customized disruption materiality insights, stored in the so-called Disruption Materiality Matrix. This way, in each step of the OR Framework cycle, the organization increases its resilience. Zanders offers guidance on the implementation of software that supports the use of the OR Framework. Additionally, GloComNet can assist in developing and nurturing a Just Culture within the organization. To investigate the fit of the framework and to get more comfortable with the process, an investigative demo workshop can be organized to challenge the resilience of one of the critical business operations of your organization.
*) Basel Committee on Banking Supervision, Principles for Operational Resilience, March 2021.
The world is complex and the future uncertain. What does that mean for the existing models on which we base our expectations? For Lex Hoogduin, professor of Complexity and Uncertainty in Financial Markets and Financial Institutions at State University Groningen, former chairman of LCH and former executive director at the Dutch central bank, it was a reason to set up the Global Complexity Network (GloComNet), an open platform focusing on how to deal effectively with ‘complexity and uncertainty’. Together with Zanders, GloComNet developed the Framework for Acting under Uncertainty and Complexity (FAUC), which helps organizations to deal with complexity and uncertainty effectively.