By Dr Jimi M V Hinchliffe, Chair, IOR in England & Wales
What for you are the benefits of attending a masterclass like ‘Operational Resilience’?
Operational Resilience is the hottest topic of the moment and a focus of regulators globally, under the Basel Committee on Banking Supervision’s Operational Resilience Group (ORG). Operational Resilience is not going away! This pre-event Masterclass from the Institute of Operational Risk at CeFPro’s New Generation Operational Risk 2020 will provide a tour de force on operational resilience, including a summary of the main regulatory requirements out for consultation, ideas for how to leverage existing tools and frameworks to meet the regulators’ expectations, observed practices, key challenges and more. We’ve assembled a range of experts from our membership, all are experienced operational risk professionals, and most are actively working on Operational Resilience.
What challenges should risk professionals consider across the 3LOD in delivering operational resilience?
Accountability has been a key focus of global regulators’ post-crisis agendas, and this has been delivered through the Senior Managers and Certification Regime (SM&CR) in the UK. Ensuring there is clear accountability across the three lines of defence (most financial firms utilise the three lines of defence framework, albeit it remains controversial amongst some commentators) is a major challenge in delivering operational resilience.
For the FCA in particular, SM&CR is the key mechanism for driving positive cultural change in the industry, to help reduce the frequency of damaging conduct scandals that have plagued the industry for decades. SM&CR and ensuring there is clarity on who is accountable and responsible for what, also has an important role in operational resilience. Operational resilience requires organisations to look horizontally at important business services (and supporting activities and resources) end-to-end, and this necessarily means involving functions and SMEs from right across the organisation (and indeed beyond to third party providers).
Although the first line of defence SMF24 Chief Operations Function is expected to take the overall lead and be accountable for operational resilience, it’s critical that they partner with other functions, most importantly the Operational Risk Management (ORM) team so as to ensure that the operational risk framework is used. Given the recent industry trend for ORM teams to focus only on oversight and challenge, it’s important in the case of operational resilience, that the team engage as trusted partners with the 1LOD functions. Many other functions must also be involved in delivering operational resilience, including front office business functions, technology, HR, facilities, BCM, vendor management and so forth.
Why is discussing good practice approaches a key concern?
Although the FCA and PRA Consultation Papers were only recently published, the DP was published in July 2018, and the UK regulators have been working with the larger firms since 2016. As such, the industry has already done a lot of thinking and work on how to meet the regulators’ expectations.
Sharing of good practices is a critical way to progress and improve standards across the industry. The Masterclass will be an interactive forum of open discussion and debate with plenty of opportunity to question our experts on their experiences with large firms and to hear hints and tips to help avoid the pitfalls and meet regulators’ expectations.
What are the challenges of risk identification and assessment and how can we combat them?
UK regulators have been clear that firms should use their existing frameworks and tools, most importantly their operational risk management framework, to deliver the required operational resilience outcomes. We will explore in the Masterclass how best to use the existing operational risk management tools, including RCSA, and the ways in which the tools and processes may need to evolve to support the new requirements on operational resilience. We will also explore the use of scenario analysis to test whether important business services can remain within the established impact tolerances.
What fundamental changes do you see ahead for operational resilience?
The regulatory focus on operational resilience should elevate ORM to its rightful place of parity (at least!) with financial risks and financial resilience. Operational risks can destroy organisations and have for too long been the poor relation of financial risks. Proactive, proportionate and agile ORM can help organisations become more sustainable, efficient and more resilient to the benefit of all stakeholders including the regulators.
Of course, having robust processes and mechanisms (ORM) to identify vulnerabilities and define actions necessary to become more resilient is only half the challenge. For organisations, many of which are already struggling to maintain profit margins in difficult market conditions and under the weight of increased capital requirement, there may be painful commercial decisions, for instance if they need to build redundant capacity into resources supporting important business services. I expect the regulators’ requirements for increased levels of operational resilience, will further advance the speed and scope of adoption of innovative new technology (e.g. application of AI and machine learning, and RPA) that is already advanced in banking and financial services.