Operational resilience: ‘How supporting capabilities are just as crucial as important business services’

As organisations across financial services progress with their operational resilience programmes, we are seeing a familiar challenge that consistently impacts stakeholders once the first round of Important Business Service (IBS) assessment has taken place. That is, to what extent is the resilience of an Important Business Service impacted by the foundational processes that underpin it?

By their nature, an important business service is composed of identifiable resources such as people, process, data, facilities, third-parties and information systems. This model is required by the newly released regulations, but the picture of how the resources themselves are supported is never quite so clear cut.

The Policy Statements (Operational resilience | Bank of England) require regulated entities to identify their impact tolerances and their ability to operate within those tolerances. Those entities also have to develop remediation plans for consistent operation inside the tolerances within three years of the regulatory release date. So, 31/3/2025 is the drop-dead date for effective operation within tolerance.

We have now seen several organisations that have completed their initial IBS assessments and concluded that they are unable to deliver the swift remediation required to achieve impact tolerance within the timelines. Why is that? Because the complexities involved in fixing the gaps are such that the system owners and even resource and IBS owners are insufficiently supported by cross functional capabilities.

So how do you prioritise and address supporting capabilities when determining your overall service resilience?

Specific case studies can be useful in providing examples of where a resource has failed due to the deficiencies of a supporting capability. For example, the 2012 RBS IT availability incident was generated by incomplete and disjointed Change management. The reality is that most organisations will never have assessed the effectiveness of the supporting capabilities before, except possibly through internal or external audit control assessments.

A first step, which is relatively painless, is to create an inventory of supporting capabilities which may impact your important business services.  Some examples could include crisis and incident management, IT services, third-party management, change, data governance, facilities, health and safety, physical security and HR.

One approach is to create an algorithm, based on control scores, where the supporting capability (SC) score creates a ceiling or a floor of the effectiveness of the important business service and its overall resilience. In other words, the service’s resilience is limited by the effectiveness of the foundations. The challenge to this approach is that the supporting capability will not have been designed with operational resilience in mind. Also finding previous evidence on which to base an assessment of the SC effectiveness will be difficult and subjective. KPIs, KRIs, KCIs and internal audit reports validating or commenting on the effectiveness of an SC, where they exist, can be useful tools in providing assurance, or lack of assurance, over the SC‘s ability to support the important business services. By reusing existing assessment methods, there is a risk that accountability is reduced. In some cases it is necessary to specifically assess the SC capability in light of newly expanded operational resilience requirements.

At this stage of an Op Res project, a reasonable position to be in would include:

  • Initial IBSs having been mapped and assessed;
  • The gaps identified; and
  • Thoughts about developing a ‘resilient by design’ culture underway.

For more details on how to create culture through a three layered approach, read our blog about security culture.

The guidance and the regulations reference principles such as the financial services organisation itself is best placed to assess the resilience of its services and to make the relevant attestations. Assessments of supporting capabilities are another element of this, but it’s more art than science – don’t get tied up in excessive calculations, models and scores.

If you would like to discuss your operational resilience programme, why not contact us on +44 203 603 4733 or email us at info@three-two-four.com.

Insight Tags
Sign up for updates!*

Hey there, couldn’t help noticing you’re using Internet Explorer

That’s great and all, and we commend you for pushing through with it. Unfortunately we no longer offer support for IE; it hasn’t received a major update since 2015 and Microsoft are dropping support for it later in the year.

If you’re using Windows 10 and want to stick with a built in browser, please consider switching to Edge. Or, if you really want to enjoy the internet properly we strongly recommend downloading Google Chrome here.