OPERATIONAL RESILIENCE: INDUSTRY BENCHMARKING
MATT PAISLEY | WILL PACKARD | SAMER BAGHDADI | CHRIS RHODES
FILIPE DINIS | Chief Operating Officer, Bank of Canada
Contributor: INDERPAL BAL | Special Assistant to the Chief Operating Officer, Bank of Canada
Parties in the Canadian financial sector share a high degree of interdependence and the threat landscape they face is ever changing. This means that an operational event, such as a cyber attack, affecting one institution can quickly spread to the wider sector.
This article outlines some of the key elements of the Bank of Canada’s role in promoting the operational resiliency of the financial system and the excellent collaboration taking place within the Canadian financial sector to enhance its collective resiliency posture.
The Bank of Canada believes that the broad issues of resilience and vulnerabilities require a broad response, at the core of which is greater collaboration and information sharing. This has led the Bank to establish and lead the Canadian Financial Sector Resiliency Group (CFRG) and the Resilience of Wholesale Payments Systems (RWPS) initiative. Together, these efforts offer a forum for coordinating a national sectoral response to systemic operational incidents. They help the industry benchmark controls and processes, regularly test with crisis simulations, and enhance sector data resiliency to cyber attacks.
The CFRG and RWPS contributions attest to the sector’s commitment to providing Canadians with a safer, more secure, and resilient financial system.
UMAR FARUQUI | Member of Secretariat, Committee on Payments and Market Infrastructures, Bank for International Settlements (BIS)
JENNY HANCOCK | Member of Secretariat, Committee on Payments and Market Infrastructures, Bank for International Settlements (BIS)
COVID-19 has shone a light on how dependent we are on the financial market plumbing. Despite the sudden and extended move to remote working, the plumbing has generally continued to operate as expected. Typically, the expectation is that the plumbing is available at least 99.9 percent of the time, and that if there is an incident it is fixed within two hours. Despite the combination of remote working and heightened market activity, the number and duration of outages were largely unchanged.
In the early stages of the pandemic, increased volumes did lead to minor operational hitches and there were pressures from larger and more frequent margin calls at central counterparties – but generally the infrastructure continued to operate as expected. Nevertheless, COVID did bring to the fore a number of known challenges that require further consideration.
It will be important for the infrastructure and the relevant authorities to use the COVID-19 pandemic as an opportunity to learn and further improve the resilience of the financial market plumbing. If they do, users can go back to assuming that when we turn on the tap, financial assets will flow freely through the (financial market) plumbing as expected.
THADI MURALI | Managing Principal, Capco
REBECCA SMITH | Principal Consultant, Capco
SANDEEP VISHNU | Partner, Capco
An organization’s operational resilience efforts have traditionally focused on business process recovery and minimizing system downtime. This article posits that data, both transactional and contextual, is not only essential for resilience planning and avoiding peril but can also result in substantial investment savings. It presents three risk scenarios – catastrophic event, cybersecurity attack, and pandemic – to highlight the value of data classifications in determining the relevant elements of resilience. The article shows how taking a data-centered approach strengthens an organization’s ability to plan, anticipate, detect, correct, and build a sustainable operational resilience culture.
FLORIAN KLAPPROTH | Professorship of Educational Psychology, Medical School Berlin
Making decisions is critical to the success of any business or field; however, the right decision is often hard to reach and decision-makers frequently do not behave as normative models on decision-making prescribe. Deviations from predictions based on normative decision-making models often occur when decision-makers are under some form of pressure, be it information overload, limited time, or uncertainty.
This article illustrates what decisions are, how they are made, how decision-makers arrive at sound decisions when under pressure, and how they are affected by external pressure.
WILL PACKARD | Managing Principal, and Head of Operational Resilience, Capco
Use of third parties to outsource elements of critical services has become more acceptable among financial services organizations in recent years. While there are certainly benefits to outsourcing, when it relates to critical services it can introduce challenges around the resilience of the service. It is these challenges that have attracted the attention of regulators within major global financial centers.
In this paper, we will explain how firms should engage with third parties that are involved in the delivery of important or critical business services using a three-phase approach to operational resilience – prepare, manage, and learn. We will look at the practicable steps that firms can adopt to better align third parties with their operational resilience environment as well as meet the regulators’ expectations on how those third parties are managed.
HANNAH MCASLAN | Senior Associate, Norton Rose Fulbright LLP
ALICE ROUTH | Associate, Norton Rose Fulbright LLP
HANNAH MEAKIN | Partner, Norton Rose Fulbright LLP
JAMES RUSSELL | Partner, Norton Rose Fulbright LLP
Operational resilience has always been a key area of focus for the financial market infrastructure, financial institutions, and their regulators. Traditionally, there was an emphasis on a fairly narrow set of risks and on preventing operational disruptions instead of responding and adapting to them. However, more recently, regulatory focus has shifted as financial institutions have become increasingly vulnerable.
Recent papers published by the U.K. regulators are wider in scope, applying to a broader range of financial market participants. Firms are also increasingly expected to place an active emphasis on system resilience in order to enhance the robustness of systems and business processes to futureproof their businesses and reduce the likelihood that an operational risk will occur, while being ready to mitigate the impact when it does, rather than merely reacting to events as and when they happen.
GIANLUCA PESCAROLI | Lecturer in Business Continuity and Organisational Resilience, and Director of the MSc in Risk, Disaster and Resilience, University College London
CHRIS NEEDHAM-BENNETT | Managing Director, Needhams 1834 Ltd.
The complexities of interconnected global risk and the growing uncertainties associated with emerging threats, such as the cascading effects of COVID-19, have challenged the existing approaches to business continuity management. Organizations are now implementing and maintaining “operational resilience”. However, operational resilience is distinguished by a lack of clarity as to how this concept can be translated into validated practices and the essential elements of such practices are sometimes obscured rather than clarified by its aggressive marketing to the practitioners.
This paper develops a short perspective on what the strengths and weaknesses of the current approaches to operational resilience are. We believe that while operational resilience as a concept is suitable for both professionals and scholars, it should be used with caution. We further suggest that its optimal application could be in combination with stress testing scenarios, which could be applied for defining common points of failure between distinct threats, to increase the flexibility of adaptation to complex crises. We propose five practical steps for bridging theories on cascading effects and systemic risk into mature practices for “thinking the unthinkable”.
GERHARD WHEELER | Head of Reserves, Universal Defence and Security Solutions
We live in an age of disruption. Our open and highly networked societies are becoming increasingly vulnerable to threats that once often remained local in scope but can now unfold shockingly quickly and cause damage across the globe. The imperative for businesses to become more resilient – better able to survive operational disruptions – is clear, but where should they look for inspiration?
This paper suggests that a good starting point is to look at lessons learned by military commanders who run organizations that are specifically designed to respond to crises. Drawing on historical examples from military campaigns, it outlines a battle-tested framework for resilience. Built around the need to anticipate, detect, deter, withstand, respond, and recover from threats, the framework describes resilience tactics that are as applicable to the boardroom as they are on the battlefield.
MICHELLE LEON | Managing Principal, Capco
CARL REPOLI | Managing Principal, Capco
Operational resilience has risen to the top of board agendas due to ever-increasing customer expectations and the ever-expanding threat landscape of digital disruption, cyber attacks, third-party risk, climate change, and geopolitical unrest. Boards and senior management of financial services firms are increasingly focused on reducing the likelihood and impact of disruptions to their business and customers, as well as on continuously delivering services when incidents occur.
Moreover, regulatory scrutiny on resilience has intensified as the U.K. supervisory authorities, the U.S. agencies, and the Basel Committee have issued their expectations for improving the resilience of financial services firms. The current environment means that enterprise resilience is an imperative, not a choice. Organizations must approach operational resilience with a holistic strategy and enhanced competencies so that they can support their customers, protect their reputation, and remain competitive.
This paper defines operational resilience, explains why adopting a resiliency lens is critical, and outlines the regulatory guidance on resilience. It also describes the steps that organizations should take to achieve and sustain operational resilience, including the set up and maintenance of an operational resilience program.
RON MATTHEWS | Professor of Defence Economics, Cranfield University at the UK Defence Academy
IRFAN ANSARI | Lecturer of Defence Finance, Cranfield University at the UK Defence Academy
BRYAN WATTERS | Associate Professor of Defence Leadership and Management, Cranfield University at the UK Defence Academy
The purpose of this paper is to explore the interconnectivity between defense, security, and business, particularly when viewed through the prism of operational resilience. The standard stereotype depicts the military acting as a harbinger of destruction while business represents the motive force of wealth generation. This is too simplistic, however. Militaries fight wars, but they also make an important contribution to addressing the expanding array of non-traditional threats that form part of national security, including wildfires, floods, earthquakes and, of course, pandemics, such as COVID-19.
The military’s physical resources, attitudinal robustness, and rigorous planning regimes represent three of the more important dimensions of military operational resilience. Mutual commercial-military benefits can be gained via a “two-way” street in the adoption of best-practice resilience solutions. There is a recognition that just as military resource managers can learn from business, so equally can business learn from the military. The U.K. case is offered to illustrate the principles, policies, and practices of military operational resilience.
AENGUS HALLINAN | Chief Technology Risk Officer, BNY Mellon
The 2008 global financial crisis served to illustrate the interconnectedness and the global nature of the world’s increasingly complicated financial services sector. While the concept of financial resilience has been front of mind for regulators for decades, the broader concept of operational resilience has gathered momentum and increasing focus over the past 10 years.
The financial system has shown itself to be robust in the face of the COVID-19 pandemic to date; however, the pandemic has also served to further illustrate the broad nature of disruption that can quickly spread across the world. Regulators, boards, and senior executives have shifted their view from resilience being about responsiveness to specific events, such as a cybersecurity incident, to the wider multi-faceted question of operational resilience and preparedness for severe disruption – regardless of cause.
Regulators across the globe are converging on a common definition and it is broader than ever before, with expectations around preparing for, responding and adapting to, and recovering and learning from severe disruption. There is recognition that vulnerability at a single firm, financial utility, or third-party provider can result in substantial negative consequences across the financial system. Boundaries are greyer and wider than ever – and previously considered individual risks are converging faster.
Regulators are focused on ensuring operational resilience is paramount in protecting financial stability as an essential service. While firms need to be prepared, they should also see operational resilience as an opportunity to positively differentiate themselves in the eyes of their clients and other key stakeholders.
MATT PAISLEY | Principal Consultant, Capco
WILL PACKARD | Managing Principal, Capco
SAMER BAGHDADI | Principal Consultant, Capco
CHRIS RHODES | Consultant, Capco
In a series of conversations with financial executives across Canada, we discussed the current state of operational resilience planning and their organizations’ plans for the future. The primary challenges mentioned were a high dependency on third (and fourth) party providers, increased organizational complexity, getting appropriate buy-in and focus across the organization, and regional variations in regulatory requirements.
To address these challenges, and heighten their resilience, organizations are finding and pursuing several opportunities, which include mechanisms for identifying and prioritizing their critical services, as well as leveraging a global workforce to provide distributed capabilities. Organizations also discussed approaches for dealing with differing regulations globally.
In terms of resilience structure, organizations have looked at their governance frameworks and at ensuring they are fit for purpose, as well as utilizing stress and scenario testing to assess their capabilities. An effective training program underpins a solid resilience plan, and organizations discussed their approaches here as well.
In a mid- to post-pandemic world, an effective resilience strategy has been, and will continue to be, integral to the success of financial institutions. The current environment provides a compelling reason for firms to bolster their capabilities.
EDUARDO JANY | Colonel (Ret.), United States Marine Corps
Perhaps no other institution has weathered so many life-or-death challenges and Herculean tasks as have military forces in these past two centuries. Although military doctrine and tactics cannot be fully applied to the corporate arena, there are some great historical learnings that can and should be considered, particularly in terms of operational resilience.
This article examines a number of common-sense approaches and considerations for leaders juxtaposed with the famous “Rogers’ Rules” of the revered Major Robert Rogers, a U.S. Revolutionary War figure, as they apply to readiness and resilience.
SANJIV TALWAR | Assistant Superintendent, Risk Support Sector, Office of the Superintendent of Financial Institutions (OSFI)
In recent years, and particularly in the immediate response to COVID-19, the ability to spring back from operational disruption has become an organizational and regulatory priority. But building operational resilience can be a significant challenge. Financial institutions are increasingly faced with complex operations, evolving third-party relationships and reliance on new technologies to conduct their business effectively.
This article outlines the foundational elements of building an operationally resilient organization, highlighting the necessary leadership attributes, culture and risk management practices. It makes the case for organizations and regulators to embrace a broadened perspective of resilience. Practicing these elements will help ensure the continuity of critical operations and overall confidence in the system.
MARK SCHOFIELD | Founder and Managing Director, MindAlpha
Accurate and effective decision-making sits at the heart of operational resilience. However, many organizations take it for granted and spend very little effort on trying to understand and improve it. History is littered with unexpected events and outcomes. What defines the winners and losers, when surprises occur, is the ability to process new information, make new judgments, and effectively adapt decisions. However, with an ever-increasing amount of information to process and ever more complexity and uncertainty in the world, the decision processes we have evolved are under siege.
This article breaks down the decision-making process, explains how biases affect our judgments, and looks at how we can correct these. We describe how our decision-making processes change according to circumstances and discuss some of the cognitive factors that cause us to make suboptimal choices. Finally, we present a framework and tools that can help us make better decisions.
YAN GINDIN | Principal Consultant, Capco
MICHAEL MARTINEN | Managing Principal, Capco
Operational resilience has risen to the top of board and senior management agendas due to the ever-expanding threat of business disruptions. These disruptions can be caused by social unrest, cyber attacks, third-party risk, climate change, pandemics, and geopolitical risk.
In response to the recognized need for guidance, various regulatory authorities – such as those of the U.K., the U.S., and the Basel Committee – have issued their expectations for improving the resilience of financial services firms. They have stressed the need to limit the impact of disruptions to business functions and emplace the ability to quickly recover and restore business processes when incidents occur.
At the same time, the ongoing digital transformation, with its triad of artificial intelligence (AI), machine learning, and robotic process automation (RPA), has attained the necessary maturity to begin to be implemented across the financial services industry. Specifically, RPA holds the promise of becoming an indispensable part of operational resilience, given its ability to create autonomous bots that can perform human operator tasks.
This paper outlines the reasons for the adoption of RPA and why it is a necessary component of operational resilience, and explains the challenges inherent in its adoption as well as outlining the benefits of adopting it within control-centric functions.
SIMON ASHBY | Professor of Financial Services, Vlerick Business School
This paper reflects on operational resilience in the 21st century world of transboundary crises. Transboundary crises cross borders, including geographic and organizational boundaries and beyond. In so doing, transboundary crises can have surprising, even unique, consequences, atypical in both their nature and severity. In the case of COVID-19, the crisis spread rapidly from the biological world into politics, markets, and operations/supply chains, almost stopping the beating heart of our global economy.
This paper proposes a capability-based framework for thinking about operational resilience in the face of transboundary crises. This framework incorporates formal and informal elements, along with a combination of pre-crisis planning and in-crisis adaptation. The idea is to maintain flexibility, while avoiding unstructured chaos. The case of Texan supermarket chain H-E-B is used to illustrate the framework. Though not from the financial services sector, there is much that financial organizations can learn from its example.
JASON HEALEY | Senior Research Scholar, School of International and Public Affairs, Columbia University, and Non-Resident Senior Fellow, Cyber Statecraft Initiative, Atlantic Council
PATRICIA MOSSER | Senior Research Scholar and Director of the MPA in Economic Policy Management, School of International and Public Affairs, Columbia University
KATHERYN ROSEN | Global Head, Technology and Cybersecurity Supervision, Policy and Partnerships, JPMorgan Chase
ALEXANDER WORTMAN | Senior Consultant, Cyber Security Services Practice, KPMG
Recent events have made clear that both the financial system and the networks of cyberspace are inherently complex, fragile, and interdependent. This paper contributes to the growing literature on cyber risks to the financial system by presenting a high-level analytical framework to guide analysis of how a cyber attack could cause financial instability and how financial system fragilities might be targeted by cyber attackers.
The framework outlines linkages between the two sectors, particularly those which might cause contagion across the financial system. If a firm or market wants to understand systemic cyber risks in the financial sector, then conducting integrated analysis of how the various systems (technology, back office, business, and financial decisions) interact and propagate shocks collectively is key.
The paper is divided into four main sections: cyber risks, financial stability, the “transmission channels” by which cyber risks can induce financial turmoil, and the amplifiers and dampeners that shift the balance of risks. An appendix provides a sample set of questions designed to assist with implementation of the framework for a specific market, financial infrastructure or sector.
STEVE HILL | Managing Director, Global Head of Operational Resilience, Credit Suisse, and Visiting Senior Research Fellow, King’s College, London
SADIE CREESE | Professor of Cybersecurity, Department of Computer Science, University of Oxford
Cyber resilience is a critical and hard-to-achieve facet of operational resilience. Trends in digital technology use and evolution of the threat ecosystem are amongst the drivers likely to make it increasingly urgent, and difficult, to deliver.
This article reflects on our current vulnerability, how global politics interplays with organizational risks, and the systemic issues we face. It argues that a renewed effort to enhance cyber resilience, as distinct from increasing data protection, is needed at both governmental and enterprise leadership levels.