Strengthening operational resilience is a major priority for boards, executives, and regulators. Boards and executives want to avoid major operational disruptions that can severely impact customer and market confidence in their firms, result in significant financial losses, or lead to severe reputational harm. Regulators want to maintain the safety and soundness of financial institutions and of the overall financial system. Boards, executives, and regulators all recognize that the risk of operational disruption is increasing, as geopolitical tensions raise the specter of cyber and physical conflict, complexity and interconnectedness increase, and the pace of change quickens.
In response, many financial institutions globally have appointed a Chief Resilience Officer and designed a framework for operational resilience. They are focused on developing a framework, identifying their important business services (IBS), building out resilience capabilities, establishing impact tolerances, and conducting exercises in line with the principles established by the Basel Committee on Banking Supervision (BCBS) and guidance from regulators, for example, Bank of England, Central Bank of Ireland, the US Federal Reserve System. The European Commission’s new Digital Operational Resilience Act (DORA) and the growing number of jurisdictions with proposals out for enhanced regulatory requirements around operational resilience (for example, Canada, Australia) are only increasing the pressure on firms to implement operational resilience effectively. (Please see the Endnotes section on page 11.)
However, building a successful and sustainable operational resilience program is challenging. Chief Resilience Officers need to contend with competing priorities, organizational siloes, and decades of processes and technology built with resilience as an afterthought.
In light of these challenges, we recommend five practical initiatives that typically have an outsized impact on the successful and sustainable implementation of the operational resilience program:
• Drive front-line engagement
• Learn from crises
• Build an exercise capability
• Develop resilience risk insights
• Create a sustainable foundation
Below is an excerpt from the report.
Build an exercise capability
One of the hardest questions organizations get from regulators, boards, and executives alike is, “How are you demonstrating the ability of the organization to meet its impact tolerances for its important business services?” In some jurisdictions, the answer to this question even has a specific regulatory deadline (for example, 2025 for the UK, 2023 for Ireland). Answering this question provides comfort to regulators, boards, and executives that the level of resilience of an organization’s important business services is sufficient and continuously improving with the evolution of internal and external threats. We consider exercises that simulate real-world disruption scenarios as one of the best ways to answer this question and improve resilience over time. To reap the full benefits, firms need to conduct sufficiently realistic exercises and develop a sustainable capability that avoids treating resilience exercises as a “one-off” event.
Traditionally, organizations have used tabletop exercises, which are not very realistic, as a primary means of identifying resilience capability gaps. Tabletops involve convening a team to discuss how to address potential disruption scenarios without actually practicing what team members would do. Because they rely heavily on “what-if” discussions, tabletop exercises provide limited assurance that the plans and capabilities that organizations have developed will actually work during a disruption. For example, a tabletop might surface issues related to roles and responsibilities, but will likely not identify that workarounds cannot handle sufficient volumes or that the business is unable to identify which transactions were in process at the time of disruption.
Recognizing the limitations of tabletops, firms are moving towards much more realistic full-scale exercises, where they deliver the service using alternative means and rapidly restore the service to normal (for example, moving workloads to other data centers), proving that their plans work in a severe but plausible disruption. However, most firms are not yet there. They are either unwilling — or unable — to conduct full-scale exercises for severe but plausible scenarios (for example, data corruption). They may not have the technical capabilities to confidently transition service delivery to alternative means or backups and worry that they could put their normal operations at risk. They want to avoid causing a real-life operational disruption themselves!
Given the importance of conducting realistic simulations, we recommend a two-pronged approach for these firms. First, conduct full-scale exercises for less severe scenarios, like exercising a natural disaster by running operations for a period out of a backup processing center. Second, start increasing sophistication of exercises for severe but plausible scenarios by integrating functional elements (activities in which participants perform their duties in a simulated operational environment) into tabletops. This forces people to practice aspects of what they would do in a severe but plausible scenario and allows the firm to start moving towards more complex exercises that better assess the ability to withstand a severe disruption, like delivering a service using manual workarounds, data from a data vault, or contingent applications or service providers.
While firms work towards increasing the sophistication of their exercises, it’s important that they build a sustainable exercise capability to be able to repeatedly demonstrate their resilience and drive improvement over time. A sustainable exercise capability calls for a well-defined manual for how to run an exercise, a set of ready-made tools and templates (for example, “inject” tracker, communication/education materials, scorecards), and trained individuals with the skillsets to design and facilitate exercises effectively. The exercise manual offers a standard set of objectives and steps that people can choose from when designing an exercise, providing different options depending on the desired level of sophistication. Developing an exercise manual allows the organization to approach building resilience from the bottom up; to “train the trainer” and empower resilience leads in the front line to design and facilitate service-specific exercises. Lastly, the manual should outline a process for collecting and addressing lessons learned, as an exercise capability requires a well-defined and practiced continuous improvement process.
Sustainability is also about encouraging the right participation in exercises. One approach, we have found, is that consciously using the term “exercise” as opposed to “test” reduces apprehension around being graded and makes people more likely to participate actively. Having clearly defined roles for business, technology, risk, and audit (even as observers) is another way to encourage participation. Finally, integrating a small number of business and technology subject-matter experts into the exercise planning will help make the exercise realistic and interesting for the participants and drive better turnout and outcomes.