Integration of resilience across non-financial risk disciplines

Michael Di’Orio, SVP Operations, DataMinr was a speaker at our recent Risk Americas Convention.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Why is it important for financial institutions to demonstrate resilience within third party risk?

As technology continues to shift towards the cloud in a post-pandemic era and operations are increasingly outsourced to offshore and near-shore vendors and partners, it is critical for financial institutions to mitigate third-party risk as part of operational resilience.

The threats associated with the expansion of information technology (IT) and operational third-party exposure are only increasing. These risks can involve cybersecurity attacks, geopolitical crises, natural disasters, reputational risk, and more, all of which can significantly disrupt a financial institution’s physical and digital operations and threaten its bottom line.

How can financial institutions look to develop effective operational resilience frameworks?

First, operational resilience frameworks need to be holistic and enterprise-wide. These frameworks cannot be a siloed operation with only a few employees responsible. Operational resilience needs to be ingrained into all decision-making at the company, with strong buy-in from managers and executives.

Second, there are industry-recognized frameworks across IT, cybersecurity, and operational risk that should be implemented as the standard. Third, while operational resilience historically focused on disaster recovery and data loss, the financial institution must be able to effectively function regardless of the type of event. Thus, it is important that the institution identifies critical business services/functions with measurable minimum viable service levels.

Lastly, simulations and exercises with cross-functional playbooks are key for operational resilience. Playbooks enable stakeholders to work together across departments and understand where there are gaps and areas for improvement.

Why is a holistic view important when developing business continuity plans?

Threats can come with little to no warning and from countless vectors. Their impacts can span multiple departments and services. Thus, constant vigilance and a holistic view are imperative to mitigate operational risk. For example, with an increase in cyber/physical convergence threats, cybersecurity, IT, business continuity, and physical security departments must collaborate and communicate to ensure key services continue to operate.

Additionally, these teams need to simulate potential crises with playbooks and work together as one unit, rather than as siloed departments. Investments are needed to ensure the organization is up to speed on the ever-shifting threat landscape.

What are some ways FIs can maintain their ability to recover from incidents?

Simulated exercises and cross-functional playbooks are really key for faster operational recovery. Institutions can’t predict every type of threat, as witnessed during the black swan Covid-19 pandemic; however, having operational resilience ingrained throughout the company, starting with the executive team, will foster an atmosphere of collaboration and best practices during a crisis.

Lastly, breaking down silos across departments with an understanding that risks are becoming increasingly converged across cyber, physical, and reputational risk is critical.