Operational Resilience | KPMG | GLOBAL
close
Share with your friends
light bulb over grey background

Operational Resilience

Operational Resilience

The PRA and FCA have issued a joint Discussion Paper to outline their views on the approach to Operational Resilience in the financial services sector covering all Firms and FMI’s. Read our press comment.

Operational Resilience has become a key area of focus for both the PRA and FCA; it features heavily in both business plans and has been added into their respective Supervisory Frameworks earlier this year. This follows the introduction of the Chief Operations Function (i.e. SMF 24) who has a prescribed responsibility for managing and ensuring operational continuity and resilience of the internal operations, systems and technology of the firm.

What is Operational Resilience?

The Bank of England has defined Operational Resilience as “The ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them”. This goes beyond traditional operational risk and recovery capabilities, with a focus on preserving the continuity of the provision of “critical economic functions” to both the UK economy and to a firm’s customers and clients.

Operational Resilience should form an integral part of a firm’s overall strategy. All Firms and FMI’s are expected to have plans in place to deliver critical services, no matter what the cause of the disruption. This should extend beyond business continuity and disaster recovery, and should include man-made threats such as physical and cyber-attacks, IT system outages and third-party supplier failure as well as natural hazards such as fire, flood, severe weather and pandemic flu.

Implications for firms

The PRA / FCA recognise that embedding operational resilience within firms is a significant undertaking. To begin this process firms should focus on:
 

Building blocks for enterprise-wide operational resilience

Building blocks for enterprise-wide Operational Resilience

More specifically firms will need to consider the following enhancements which could include:

Operational Resilience – an example customer journey impact

KPMG Reference Operational Resilience Framework

The commercial imperative of Operational Resilience

Beyond the regulatory requirements, there are compelling commercial reasons to embed Operational Resilience:

  • Emerging, complex and inter-connected business models will expose organisations to new and evolving vulnerabilities.
  • Without a firm-wide and systematic approach to operational resilience these vulnerabilities will drive commercial risk and threaten growth.
  • Recent high profile events have demonstrated the consequences of operational failures in a more connected world. 
  • While much attention has focused on consumer banking, the same commercial imperative can be seen across the financial services industry.
  • Firms which are perceived to be operationally resilient are likely to derive both longer term competitive advantage and also mitigate strategic and operating costs infrastructure by taking a more holistic approach.

Key features of the Joint Discussion Paper

The Discussion Paper outlines some key operational resilience considerations for firms:

  1. Board and Senior Management led: Operational Resilience should be driven from the top, owned by the Board and the SMF24; embedding a culture of resilience practices and shaping the firms strategic agenda from a resilience perspective – both future investments and day-to-day operations. 
  2. Business Services lens: Operational Resilience should be assessed, managed and overseen at a front to back business services/ customer journey level and not in traditional function and capability siloes. 
  3. Defined tolerances: Boards should set and monitor clear Operational Resilience tolerance levels for the firm’s critical services augmenting existing and complimentary risk appetite measures. 
  4. A mindset that failure is inevitable: Firm’s current approaches to risk mitigation and avoidance will need to be augmented to include the assumption that business disruption/failures will occur. Furthermore, rigorous testing of critical areas of potential failure and scenario planning including business led incident responses while maintaining key services will be required.

Next Steps

The consultation period for the Discussion Paper is due by 5th October and the PRA/FCA are encouraging constructive and proactive engagement with all firms. In addition further guidance on Operational Resilience frameworks is expected to be published by the PRA/FCA in late summer this year.

Further information

To discuss the implications further, please contact Andrew Husband (mailto:andrew.husband@kpmg.co.uk), Head of Operational Resilience.

Building the UK financial sector’s operational resilience

Connect with us

Related content