Looming regulatory deadlines
With the introduction of the new operational resilience regulation, many thousands of firms in the UK financial sector are faced with developing a structure to become compliant. By March 2022, firms must have identified their Important Business Services (IBS), set impact tolerances for them, mapped their dependencies, scenario tested the tolerances and carried out a self-assessment. This will be ramped up in 2025, by which time firms must be able to remain within their impact tolerances.
Managing operational resilience
For a major UK insurer, this meant finding a way to implement operational resilience effectively across its UK organisation, which consists of insurance, pension and asset management companies. In 2020, shortly after he took up the newly created role, the Group Head Operational Resilience set up the necessary governance, framework and methodology at group and business unit level to support the execution of operational resilience. With this in place and litmus-tested, he then identified the need for an effective digital tool to manage the OPRES programme.
Configuring the solution
Once procured, the software was deployed and configured. 4C Principal Consultant Ben White worked closely with the team at the company to make sure the software was set up from day one to meet the specific needs of the organisation moving forward. “Any firm can use the out-of-the-box operational resilience software,” says Ben. “However, your needs differ if you are mapping the tolerances of Important Business Services / dependencies cross-company that can have an impact on a 15-million strong customer base, compared to say a much smaller organisation. It’s the same solution, it’s just the way in which it’s configured that matters.”
Removing unnecessary complexity
Important Business Services amount to any separate service that, if disrupted, is likely to cause intolerable levels of harm to consumers or market integrity. Identifying, defining, mapping and testing these and the many dependencies, processes and workflows connected with them is a complex and large-scale undertaking. The company is using Exonaut to manage this – and in doing so remove unnecessary complexity – in a multi-stage programme that will eventually see other business resilience programmes, such as business continuity management, integrated into the system. As well as meeting regulations it is being used to identify new efficiencies and over the long-term, new business opportunities.
“Exonaut is currently capturing all of our IBS data,” explains the Group Head Operational Resilience. “By that I mean the initial mapping of our Important Business Services. This includes what they are, the definitions in static data associated with them – along with the mapping of the associated assets, the impacts of tolerances, the tolerance statements, as well as the scenario tests and the results of them.”
Based on this data, Exonaut can produce an automated self-assessment report (a requirement by 2022) of tolerance levels versus current capabilities, along with potential areas for improvement. The report can be filtered using smart dashboards to highlight key information which can be shared with senior management and the Board – who are ultimately responsible for ensuring the company meet the new regulation.
“Exonaut is a powerful tool that brings a lot of automation to the OPRES programme, but then we also appreciate some of the nuances,” he continues. “For instance, one thing that we like is the way in which it displays all of the dependencies. Just by looking at this, you can often pick out overlaps and duplication – and in that way identify efficiency improvements.”
Golden sources of data
The insurer have identified five supporting pillars within operational resilience – Technology, People, Locations, Data and Suppliers – that they refer to as the ‘golden sources’ of data. Moving forward, these will be uploaded into Exonaut to provide a more holistic picture of our resilience and recovery capabilities and to help us identify and reduce and gaps, risks and weaknesses.
A culture of operational resilience
“Once the golden sources have been implemented, we will be much closer to where we want to be in 2025 when the regulatory transitional period has ended. We’ll have enhanced dashboards and reporting features to better leverage the data for use with our crisis and incident management responses. And perhaps more importantly, operational resilience will be embedded into the business-as-usual,” concludes the Group Head.
Book a Free Demo
Request a live demo, customised to your needs, to see how Exonaut can take your operational resilience to the next level.