Following our recent webinar ‘Delivering Operational Resilience through Digital Innovation’, we pick out some of the main points from our presenters Lee Webb, Group Head Operational Resilience at Aviva, and Ben White, 4C Principal Consultant.
What is operational resilience?
Ben: It’s a new set of resilience requirements and regulations issued by the Bank of England through the Prudential Regulation Authority for all regulated firms in the UK financial sector. Firms must be compliant by Q1 2025. Read more about it here.
Lee: From a regulatory perspective, operational resilience is about the ability to prevent adapt respond, recover, and importantly, learn from operational disruptions.
What does operational resilience involve?
Ben: All firms are expected to identify Important Business Services (IBS) and the associated dependencies that could cause harm if disrupted, not only to the organisation but to customers and the market as a whole. It is an extensive program that requires dedicated workflows, processes, reporting tools and communication plans among other things.
Lee: As a financial firm we must identify our IBSs, map them and the associated processes and assets in order to carry out scenario testing to confirm impact tolerances and produce self-assessments. Obviously, our risk appetite plays an important role in this, but it’s not necessarily the defining factor of what our maximum tolerance is to protect our customers. We need to look at what happens when not one but potentially multiple disruptions occur simultaneously, such as a pandemic, a natural disaster, and a major cyber attack. Can our tolerance levels absorb or do we need to review and adjust ?
What impact will it have on firms in the final sector?
Ben: From an organisational perspective, we’re going to see a change in approach compared to the traditional resilience business areas, such as Business Continuity Management, where information is traditionally filtered up to the Board. Due to the regulatory requirement of operational resilience, Boards and senior management will be much more involved.
From a business perspective, operational resilience will open up new opportunities for those companies that can look past the regulatory aspect of it. If done effectively, operational resilience can lower operational risks and the costs associated with disruptions, improve operational efficiencies and support customer growth.
Lee: With regards to the organisation, I believe operational resilience is going to lead to a cultural shift in firms. It needs to be embedded into the broader organisation via education, awareness and leadership from the front, as a part of supporting the Senior Management Functions – who are responsible for operational resilience – in the implementation of the regulation.
Business-wise, I expect us to be able to realise new commercial and financial opportunities in the future as we get a clearer image of our interdependencies. Efficiency gains will be implemented as overlaps and duplications become apparent. The data we are recording now, as we map our IBSs and their independencies, is going to prove crucial in providing key insights to our resilience capabilities as we move forward, giving us a better understanding of where resources should be allocated.
How does Exonaut support firms implementing operational resilience programmes?
Ben: There are many ways, but to summarise; it provides a secure central collection point for an organisation’s operational resilience programme. By digitalising the operational resilience in Exonaut, data can be cut and sliced in any way and shared across the organisation according to predetermined permissions. Regulatory reports can be generated at the touch of a button, complexities are removed from testing and exercises, and capability improvements and remediation actions can be deployed and tracked as part of a continuous lessons learned approach to improvement. Read more about Exonaut’s capabilities.
Lee: With operational resilience, there is a need for consistency across the organisation based on good quality data, and the right digital tool can provide that. We chose Exonaut because we wanted a flexible tool that can be configured to meet our requirements as opposed to something that needs development – which often ends up causing delays and is more costly. Since implementation it has been capturing all our initial IBS mapping data – i.e. what they are, the definitions in static data associated with them – along with the associated assets, the impacts of tolerances, the tolerance statements, the tests, and the results of tests.
Lee: As we move into the next phase of our programme, Exonaut will be integrated into a wider ecosystem that includes procurement and HR planning tools, among other things. Eventually we want to connect all five pillars – technology, people, locations, data and suppliers, what we refer to as the ‘golden sources’. This will, eventually, allow more sophisticated mapping and provide a more holistic approach to our resilience and recovery capabilities. We will also look to introduce enhanced dashboards and reporting features to leverage our data to assist with crisis/incident response.
Ben: We are moving from the ‘what if it happens?’ scenarios of Business Continuity Management, to ‘when it happens’ with operational resilience. In that respect, testing and exercises become even more important in order to analyse tolerances and build capabilities against mapped associations. Having a digital tool that can support this organisation-wide, while generating automated regulatory audit reports, will be invaluable for any organisation that wants to run an efficient operational resilience programme.
Lee: I believe that a stepwise implementation of operational resilience is the best approach. The regulation is new, everybody is learning – using your data to help you make the best decisions will pay dividends in the end. Also, look to your peers. We are members of the Operational Resilience Collaboration Group and the Insurance Sector Operational Resilience Group. We value the sharing of knowledge and experience these forum provide to ensure we continue to head in the right direction.