As organisations across financial services progress with their operational resilience programmes, we are seeing a familiar challenge that consistently impacts stakeholders once the first round of Important Business Service (IBS) assessment has taken place. That is, to what extent is the resilience of an Important Business Service impacted by the foundational processes that underpin it?
By their nature, an important business service is composed of identifiable resources such as people, process, data, facilities, third-parties and information systems. This model is required by the newly released regulations, but the picture of how the resources themselves are supported is never quite so clear cut.
The Policy Statements (Operational resilience | Bank of England) require regulated entities to identify their impact tolerances and their ability to operate within those tolerances. Those entities also have to develop remediation plans for consistent operation inside the tolerances within three years of the regulatory release date. So, 31/3/2025 is the drop-dead date for effective operation within tolerance.
So how do you prioritise and address supporting capabilities when determining your overall service resilience?
Specific case studies can be useful in providing examples of where a resource has failed due to the deficiencies of a supporting capability. For example, the 2012 RBS IT availability incident was generated by incomplete and disjointed Change management. The reality is that most organisations will never have assessed the effectiveness of the supporting capabilities before, except possibly through internal or external audit control assessments.
A first step, which is relatively painless, is to create an inventory of supporting capabilities which may impact your important business services. Some examples could include crisis and incident management, IT services, third-party management, change, data governance, facilities, health and safety, physical security and HR.
One approach is to create an algorithm, based on control scores, where the supporting capability (SC) score creates a ceiling or a floor of the effectiveness of the important business service and its overall resilience. In other words, the service’s resilience is limited by the effectiveness of the foundations. The challenge to this approach is that the supporting capability will not have been designed with operational resilience in mind. Also finding previous evidence on which to base an assessment of the SC effectiveness will be difficult and subjective. KPIs, KRIs, KCIs and internal audit reports validating or commenting on the effectiveness of an SC, where they exist, can be useful tools in providing assurance, or lack of assurance, over the SC‘s ability to support the important business services. By reusing existing assessment methods, there is a risk that accountability is reduced. In some cases it is necessary to specifically assess the SC capability in light of newly expanded operational resilience requirements.
At this stage of an Op Res project, a reasonable position to be in would include:
- Initial IBSs having been mapped and assessed;
- The gaps identified; and
- Thoughts about developing a ‘resilient by design’ culture underway.
For more details on how to create culture through a three layered approach, read our blog about security culture.
The guidance and the regulations reference principles such as the financial services organisation itself is best placed to assess the resilience of its services and to make the relevant attestations. Assessments of supporting capabilities are another element of this, but it’s more art than science – don’t get tied up in excessive calculations, models and scores.
If you would like to discuss your operational resilience programme, why not contact us on +44 203 603 4733 or email us at email@example.com.