- As regulators focus on operational resilience, firms need to realign their risk frameworks
- Without this alignment, firms risk overlaps and gaps in their controls
- Third parties play a key role in aligning controls and service metrics for your board
- Fines or excessive cost benchmarks are in store for those that get it wrong
- The prize is efficient operational resilience that allows the board to sleep at night.
The complex new operational resilience imperatives
Post-pandemic, no concept in financial services regulation is likely as pervasive as operational risk. It is a key pain point for most firms and covers a wide range of controls that must be created and enforced.
By its very nature it is complex and increasingly difficult to model; a complexity that is only deepened by regulator focus on operational risk and indeed operational resilience, a closely linked but separate topic.
How do we untangle these highly related but still disparate concepts? Without a doubt, the answer is that we do so carefully, acknowledging that there are different ways of viewing the same issue for the regulator, the firm and vendors.
Operational resilience vs. Operational Risk
Operational resilience is the concept of an end state, in which the activities of a firm, scoped however necessary, are safe from the turbulence of unpredictable events. It is a goal to be achieved, through careful policy, monitoring, training and risk management.
It is the key goal of many financial regulations, such as those within the FCA Handbook and BCBS. Some regulations focus on a specific area of operational resilience; take the Digital Operational Resilience Act (DORA) from the European Securities and Markets Authority (ESMA), which further complicates the understanding of what operational resilience means to the sector. However, even if there is a specific focus for the resilience, the concept remains the same: the end goal of the firm’s activities enduring through adverse events.
How does operational risk then play a role? Operational risks are the threats to operational resilience, the areas that must be managed, and in which controls must be placed to ensure operational resilience. A firm’s operational resilience policies should be formed around the management of operational risks.
The various areas that are covered by operational risk are explored by a variety of regulators, but a key standard is the Bank for International Settlements (BIS) Operational Risk framework. This takes the very broad Basel definition of operational risk as “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events” and breaks this down into component parts. There are two ways of looking at this: the principles for the management of operational risk and the method of calculating the various elements of operational risk.
The principles for the management of operational risk according to the BIS, which has informed other regulation around the globe, including in the UK and EU, are in three key areas:
- Governance. Requires senior accountability, with defined functions for the board of directors and senior management in the control of operational risk.
- Risk management environment. The risk management environment involves the monitoring, controls and continuity practices of the business activities.
- Disclosure. Allowing public stakeholders to assess the operational risk approach.
While the above lens gives us a view of the theoretical management of operational risk, it does not model a tangible view of the areas. This is essential for the management and calculation of operational risk.
The BIS also provides this view of operational risk within the document Advanced Measurement Approaches (OPE30), detailing the categories, event types and examples. This framework forms the basis for many operational risk regulations globally. The key areas defined in it are fraud, both internal and external; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management.
JWG’s operational/resilience framework
From this starting point, institutions around the world can begin to model the complex sphere of operational resilience. JWG has approached this modelling by identifying key regulatory regimes and legislative initiatives related to operational risk and resilience from regulators around the globe, mapping the deltas between jurisdictions, and teasing out the similar controls, the management of and impact on various types of risk, timeframes and conceptual dependencies, all mapped hierarchically into our 5,000+ concept model of financial regulation.
Understanding how operational risk and operational resilience interact with each other, and with the wider net of concepts, reveals the overlaps and gaps in controls and frameworks. This understanding diminishes the risk of fines and excessive cost benchmarks, the risk in store for those who get this wrong. Getting it right, however, yields the prize of efficient operational resilience that allows you to sleep at night.
Not only does a firm need to consider what these various operational risks are, and from what activities they arise, but it must also consider its framework for managing that risk. From both an operational risk and an operational resilience standpoint, a firm must examine its risk approach, identification, assessment, mitigation, monitoring and response. The operational risk lens should explore the requirements for managing the risk in these various areas, whilst through the operational resilience lens, the firm should be leveraging industry insights.
Sound operational risk management practices lead to operational resilience, a state in which an institution can still deliver critical operations through disruptions. Operational risk manages various other types of risk including technology risks, third party risks, data risks and continuity risks.
Now more than ever, firms should have a clear idea of how these various elements interplay, to reduce the risk of compliance failures and the duplication of effort from overlapping controls.
Not understanding the linkages between these obligations will lead to increased costs, operational inefficiencies and large fines. However, with collaborative standard setting, there is plenty of scope for the right controls to be harmonised across the supply chain.
Want to get involved in the discussions? Join us at the 6th JWG conference, virtual and on-demand from the 16th to the 17th of November 2021.