Exploring Best Practices in Operational Resilience, Business Continuity Planning, and Outsourcing

  • 25 Sep 2022

Operational resilience is increasing in popularity. Some practitioners, however, don’t know which best practices to follow.

BCI’s own Operational Resilience Report 2022 finds that operational resilience practices have risen sharply in popularity. Now, over three-quarters of organizations report either having or developing an operational resilience program. Numbers are even higher in sectors with aggressive regulators.

The battle is hardly won, though. Often those tasked with maintaining operational resilience don’t know what their programs should do. 

Indeed, the Report notes that over time many operational resilience programs come to resemble organizational resilience programs that follow the ISO 22316 standard. The practices implemented might even be harmful to the operational resilience cause, as the Report argues is the case when the business impact analysis exercise is used to define impact tolerances.

Further, adoption in tightly regulated sectors comes with its own issues. In fact, half of all respondents were concerned that meeting regulatory requirements was turning operational resilience into a tick-the-box exercise.

Frameworks to uplevel operational resilience programs

What then can be done, not only to get operational resilience programs off the ground, but to do so in the right way? Firms might balk at mandates; however, these regulatory requirements are often the best place to suss out best-practice measures.

U.K. financial services regulators have been leading the way in this respect, as the Report notes, developing a framework to ensure operational resilience among the entities they regulate.

The framework in question seeks to uplevel operational resilience, such that a regulated firm will be able to prevent disruption from occurring to the extent practicable.

How does it go about it? The framework encompasses crucial areas such as operational risk management and business continuity planning, into which this article delves.

Operational risk management, risk appetite, and impact tolerances

Per best-practice operational resilience guidance, firms are encouraged to have effective risk management systems in place to manage threats, with those systems integrated into their organizational structures and decision-making processes.

That means striving to reduce the likelihood that operational incidents will occur and, if incidents do occur, limiting the losses. Of course, to do so, firms will first have to take action to provide important (or critical) business services within impact tolerances even through severe but plausible disruptions.

But what are impact tolerances? It’s a nettlesome idea, finds the Report.

Unlike a firm’s appetite for risk, impact tolerances assume that a particular risk has already crystallized. Firms able to remain within these impact tolerances increase their capability to survive severe but plausible disruptions. Nevertheless, risk appetites are likely to be exceeded in this scenario.

What’s more, impact tolerances are set only in relation to the impact on financial stability, a firm’s safety, its soundness, and (in some cases) the appropriate degree of policyholder protection.

Operational resilience, business continuity planning, and outsourcing

Setting impact tolerances alone won’t ensure operational resilience. Business continuity and contingency planning come into play, as well.

Indeed, many regulators already require contingency and business continuity plans, with the aim of ensuring that in the case of a severe business disruption a firm can operate on an ongoing basis.

But that shouldn’t be the extent of best practice. For instance, firms should also set recovery priorities for operations, prioritizing the delivery of important business services within impact tolerances. There’s also the question of allocating resources and planning communications for business continuity, with a focus on the delivery of important business services, and of testing business continuity plans and disruption scenarios in relation to impact tolerances.

Best-practice operational resilience policies should also consider outsourcing. As U.K. regulators aver, firms are responsible for obligations even when the function in question has been outsourced to third parties.

That raises the question: how can firms avoid compromising the delivery of important business services within impact tolerances when those services are being delivered wholly or partly by third parties?

What should be undertaken, here, is the maintenance of an explicit, Board-approved policy relating to outsourcing arrangements involving material business activities. That policy would consist of (1) sufficient monitoring processes to manage the outsourcing of material business activities as well as (2) legally binding agreements with third parties.

Finally, firms might also consider, when not required, consulting with regulators prior to entering into agreements to outsource material business activities to service providers as well as notifying regulators after entering into agreements to outsource material business activities.

But that’s not even the half of it. The Report also finds that standing in the way of implementing best-practice operational resilience programs is a lack of know-how and resources. Legacy software, for one, makes it difficult to get best-practice measures off the ground quickly.

What can be done? Digital business continuity and risk management software can help. These pragmatic solutions enable organizations to run every aspect of their resilience operations effortlessly while achieving compliance with mandates and uplevelling their own resilience capabilities.

For more on the capabilities that matter, download Noggin’s free Guide to Operational Resilience Best Practices.
