As financial services firms prepare to comply with Central Bank guidance on operational resilience by December 2023, there will be challenges ahead, writes Linda Gibson.
The Cross Industry Guidance on Operational Resilience issued recently by the Central Bank of Ireland (CBI) highlighted just how important operational resilience has become to the financial services regulator—increasingly comparable to financial resilience, both in terms of regulatory resources and the supervisory scrutiny firms can expect to face.
While the past two years have been challenging for businesses in Ireland, their resilience journey is only just getting started. The objective of the Central Bank’s guidance is to communicate to the industry how to prepare for, respond to, recover, and learn from an operational disruption that affects the delivery of critical or important business services.
The guidance aims to enhance operational resilience and recognise the interconnections and interdependencies within the financial system that result from the complex environment in which firms operate. Responsibility is now being placed on the board and senior management to approve:
- the operational resilience framework;
- the critical or important business services;
- impact tolerances, business service maps and scenario testing to ascertain the firm’s ability to remain within impact tolerances; and
- communications plans.
The CBI’s approach is that every firm, regardless of size or activity, will need to meet its expectations. While proportionality is a key factor, every firm will likely have at least one critical or important business service. Firms will now be working towards compliance with the CBI’s guidance on operational resilience by the December 2023 deadline.
If firms needed a reminder of the importance of operational resilience, they need look no further than the recent disciplinary measures taken by the CBI against firms for failing to ensure continuity of service in the event of a significant IT disruption and for outsourcing-related control failings.
Embedding hybrid working into resilience models
COVID-19 has brought operational resilience to the forefront of the boardroom agenda after firms around the world grappled with significant day-to-day disruption and a shift in the status quo.
Where previously it was seen as more of a planning exercise, this rapid change helped focus many leadership teams on the need to meet the regulator’s expectations.
Across our organisation, we revisited many of our controls during the pandemic to ensure that potential risks arising from remote working were considered (print capabilities were disabled centrally, for example). Maintaining most of these controls enabled us to accommodate an environment where employees work flexibly, both within and outside of the office.
Promoting the shift towards resilience
While a paradigm shift in mindset and culture may be unnecessary, there is value in consistently conveying that resilience is about understanding what is most important and planning to get that done, even in dire circumstances.
It is important to engrain an enterprise-wide culture and mindset. If you have a consciously engaged and resilient workforce, resilience planning and decision-making will be more effective.
In addition to building resiliency by design, to prevent and minimise most disruptions, firms should strive to maintain strong contingency plans for “all hazards” such that, when disruption is unavoidable, they are able to recover and resume the delivery of services as quickly as possible.
Future fix
The events of the past two years have brought to light the reality of supply chain risk and the business continuity challenges associated with third-party vendors. This significant and persistent threat forced businesses to assess the consequences of supplier disruptions for operational, strategic and financial functions. These are all key elements of operational resilience.
Firms now have an opportunity to "future fix": to create more resilient operating models and build for competitive advantage. They must recognise that the purpose of the new regime is not to demonstrate how resilient they are, but for them to proactively assess where they may have resilience gaps and look to address these gaps as soon as is "reasonably practical", and no later than December 2023.
The challenge across the industry is to relay to employees. The next year will be a busy time, and firms need to act early to address vulnerabilities where they exist, instil the operational resilience mindset throughout the organisation, and adjust their operating models to support resilience where it is necessary.
Linda Gibson is the Head of Regulatory Change at Pershing EMEA