Operational resilience (OR) has become a hot topic since the COVID-19 pandemic and regulators such as the PRA and FCA have recently published their expectations for OR. Regulated firms are expected to prevent disruption to the extent practicable and adapt and respond in the event of an incident. As a result of the new rules they must identify important business services, set impact tolerances and carry out mapping and testing to identify vulnerabilities.
OR is not just an issue for regulated businesses; FCA/PRA guidance can be followed by all businesses and all organisations need to be operationally resilient.
In our Post Pandemic webinar, Shoosmiths’ Partners Susie Wakefield and Sam Tyfield considered key aspects of OR with Robin Hamilton (Director, Aldbury International) and Monique Alder (COO, Volante Global).
What does Operational Resilience mean?
- From a practical perspective it means being able to continue business as usual (BAU) whilst responding to an incident.
- The ability of a firm to withstand, absorb and recover from external, as well as internal, shocks.
- Dealing with the unexpected and responding effectively, ideally with a client-first approach that has minimal disruptive impact.
Why do organisations need to have Operational Resilience firmly on their To Do list?
- From a regulator’s perspective businesses need to be able to withstand external shocks. This means focusing on external factors outside of your control that can cause major disruption and stress testing the vulnerabilities. What are the key services? What happens when suppliers go down? What is a priority to the business?
- Increasingly unexpected events are happening and those businesses that do not adapt will not survive. In order for a firm to respond to external threats, the executive and staff must be agile.
What do organisations to do to achieve Organisational Resilience?
- There is no one size fits all OR strategy.
- OR is about analysing the brittle areas in the business and any potential points of failure. Regulators want firms to break down their business into groups to identify and consider how these interact and their capacity to absorb a loss.
- The challenge is to satisfy a regulator that a particular concern can be dealt with in an appropriate manner. This is complex and will be unique to each business.
How can organisations identify the next problem?
- Businesses should identify the point at which disruption means they fail their clients, trace this back through the organisation, analyse weaknesses and focus on applying mitigating solutions.
- Be proactive in moving away from a tick box exercise.
- Focus on the client perspective or the client facing role in line with regulations.
- Build a robust, multi-layered risk management strategy.
What has the Coronavirus pandemic taught us?
- Do not be complacent. Resilient businesses will be critical, interrogate the lessons learned and involve the client. The next crisis might require organisations to respond much more quickly than the pandemic did.
- Stretch further and be ambitious. Find opportunities in the face of disaster.
- Playbooks are not enough. Build a culture of resilience throughout the business, exercise skills of creativity and responsiveness and take responsibility, especially whilst working remotely.
What is the role of the insurance industry in developing Operational Resilience?
- The insurance industry needs to consider its own OR, but also has a part to play in helping firms achieve OR.
- Insurance is key to risk management and can help to provide a multi-layered response to key risks. The market is uniquely placed to help clients design the different layers of risk mitigation.
- Insurers are also designing new products and adapting established ones, working with insureds to minimise risks upfront; as well as looking forward to how best the industry can collaborate with government to create new vehicles to better protect against systemic risks on the scale of the pandemic.
If you had one word for board members to have in mind to achieve Operational Resilience what would that be?
- Realism – be realistic about where business vulnerabilities are.
- Complacency – avoid a complacent mind-set, challenge yourself rigorously. OR is not a tick-box exercise.
- BAU – OR is the new BAU.
Are there any practical tips for how best to move organisations in the right direction quickly?
- Go through a COVID-19 lessons learnt exercise and ask what impact it had on the smooth running of the business, from the client perspective specifically.
- Look at more fast-paced disaster scenarios and ask how the business would cope from staff all the way to the C-suite.
If you weren’t able to watch the webinar live, you can catch up on the recording below.