After completing this reading, you should be able to:
Rico Brandenburg et al. define operational resilience as “the ability of an organization to continue providing business services in the event of adverse operational events by anticipating, preventing, recovering from, and adapting to such events.”
The following are the elements of an operational resilience framework:
Model A: Direct reporting line to the Chief Executive Officer (CEO):
This is the most appropriate choice when the firm is considering the strategic importance of its operational resilience. If the focus is on the products and services, and there is a need to ensure that operational resilience becomes an essential part of the firm’s strategy, then this will be the appropriate governance decision for the firm.
Model B: Direct reporting line to the Chief Operations Officer (COO):
Operational resilience is directly tied to an organization’s operations management. The COO knows best how the firm’s systems, processes, and people interact to offer products and services to clients. If the operational resilience function is positioned in this reporting line, the right knowledge of how the firm works is readily available for use.
Model C: Direct reporting line to the Chief Risk Officer (CRO):
Operational resilience is all about the readiness of the firm to face disruptions caused by changes in the business environment. Thus, it is intimately interconnected with the risk management function. Connections exist naturally between any risk management framework and the operational resilience frameworks. Therefore, if the firm’s focus is more on managing risks, this would be the best option.
Organizations that establish an effective operational resilience program realize the following benefits of better resilience:
Many organizations are moving towards operational resilience. The following are five primary drivers behind this trend:
Operational resilience is more than just cyber resilience and IT infrastructure. It has an impact on the organization’s Profit and Loss account. Companies tend to focus only on the IT aspect of resilience, disregarding an equally important component: the processes and people that are essential in the delivery of the final product or service.
Operational resilience should entail all the areas of a business to achieve success. Failing to include all the processes and people would result in a fragmented approach that is limited to one or just a few specific functions. This is not sufficient to support the final goal of having resilience covering a complete value chain.
Investment in resilience can positively contribute to a firm’s Profit and Loss account. It improves customers’ trust by ensuring that the firm is always operational, even in times of difficulty posed by environmental changes. The positive change in the profit and loss account can be attributed to the following:
Resilience is evidently playing an essential part in improving the financial performance of firms. Financial service institutions are not the only ones relying on old and siloed systems that result in limited resilience capabilities. Many firms are facing big or small resilience problems.
Know your clients: The first step in building resilience is to identify the products and services that are essential to the clients. However, before that can be judged, there is a more important question to ask: who are the clients of the organization and what do they need?
Identify the products and services that are essential to the clients: Once the key products and services have been identified, the focus should be on the value chain that created them. The key processes leading to that output are identified. All the products in complex organizations are the result of several processes and interactions. The key processes are the ones that impact the success of the output or the organization. They ensure the competitiveness of a firm.
Identify the major processes and staff linked to the core business and identify dependencies either existing or in the design phase: After identifying the key products and services, the focus now is on creating them. But first, there is a need to identify the key processes leading to their output.
Identify digital dependencies: As a result of the reverse-engineering, the list of IT systems and dependencies that are part of the value chain of the products and services is obtained. Questions to ask include:
The questions in this regard are quite varied and cover every step that a product passes through before it is delivered to a client.
Map third-party dependencies: Processes in the value chain of key products and services have already been identified in the second step. Now, after identifying the digital dependencies, it is essential to know the critical third parties. It is also important to understand all the interdependencies with other processes. This point should be investigated in detail to ensure that all the third parties involved in all internal functions providing services are also identified.
Define possible threat scenarios: In this stage, there is a need to identify which services and products need to be maintained in stress conditions and, more importantly, the key processes/staff/IT systems/third parties that deliver or help deliver those products and services. An important question in this stage would be, what can go wrong with the identified value chain components? It is necessary to identify potential risk scenarios that impact the entire value chain, rather than single, isolated events.
Map risks to the value chain: At this stage, all the risks should be linked to the value chain of the essential products and services. All the interdependencies of the threats and risks to the value chain should be considered when defining mitigation measures. In order to implement proper mitigation techniques, it is essential to identify all of the risks and threats before their occurrence.
Learn from the past: There is a need to ensure that the lessons learned in previous crisis management are used to define better strategies and measures for the key processes and infrastructure. Once the firm is hit by a stress event that it did not anticipate, the event should be added to the threats and risks to be anticipated in the future. Measures to come out of this event should also be put in place for future use.
Monitor your risk exposure: All big organizations should have key risk indicators in place. The organization’s risk exposure remains relatively low when it comes to risk management. In the context of operational resilience, however, the organization should always ensure that the processes and systems in the value chain for its key products and services are always working. Indications that services are not being provided efficiently and continuously, and that are not captured in the firm’s key risk indicators, signal a need to reconsider the indicators. The questions that arise are whether the indicators are measuring the right parameters and whether the correct thresholds are applied. The key risk indicators should reflect the exposure and weaknesses of resilience capabilities, which include both proactive and reactive measures. The firm should strive to understand and quantify the exposure of the critical processes, as well as to monitor it effectively.
A firm needs to put in place the following pillars to achieve operational resilience. They also define the level of maturity of a firm’s operational resilience.
The following statements are true about the operational resilience approach, EXCEPT:
A. There is more emphasis on ensuring trust among the crisis management team for effective response.
B. Resilience is not an explicit consideration in risk appetite statements and metrics.
C. The approach does not focus on individual business units.
D. The roles, responsibilities, and accountability of the board and senior managers are clearly defined.
The correct answer is B.
In the operational resilience approach, resilience is incorporated into risk appetite statements and metrics across operational risk types.
A is incorrect: Ensuring preparedness of the firm calls for a need to ensure trust in the crisis management team for effective response.
C is incorrect: Focus is not on individual business units but rather on key business processes.
D is incorrect: The roles, responsibilities, and accountability of the board and senior managers are clearly defined, unlike in the BC and DR approach where roles are limited to post-event response.