Patricia Catharino, US Head of Internal Controls and Risk Management, Banco Itau International

Below is an insight into what can be expected from Patricia’s session at Non-Financial & Operational Risk USA 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

Why is it important to define criticality when managing disparities across regulatory jurisdictions?

The importance of defining criticality when managing disparities across regulatory jurisdictions cannot be overstated. There are several reasons why defining criticality is crucial in this context.

Firstly, it allows organizations to prioritize risks effectively. By identifying and defining critical systems, processes, or assets, organizations can allocate their resources and efforts in a way that it manages risks most efficiently. This helps determine which areas require more stringent compliance measures and regulatory alignment.

Second, defining criticality helps with compliance management. Different regulatory jurisdictions may have different requirements and expectations. By understanding the criticality of systems or processes, organizations can assess the impact of disparities and develop strategies to evaluate compliance across jurisdictions, reducing regulatory and legal risks. Also, understanding criticality is essential for resilience planning. By focusing on critical systems or processes, organizations can design robust resilience plans that minimize the impact of disruptions or regulatory disparities on core operations.

Defining criticality also enables efficient allocation of resources. By prioritizing critical areas, organizations can direct investments, personnel, and technology in a way that strengthens and safeguards their most vital systems while ensuring regulatory compliance.

How can we enhance collaboration across enterprise architecture? In what ways will this benefit an institutions resilience?

There are several steps organizations can take to enhance collaboration across enterprise architecture, including:

• Cross functional teams should be fostered to encourage collaboration across departments involved in enterprise architecture. This means establishing forums for sharing knowledge and aligning goals to ensure a holistic approach to resilience. This also engages stakeholders at various levels of the organization.
• Shared frameworks, methodologies and standards should be established. Common frameworks allow for a common language and understanding among stakeholders involved in enterprise architecture. This promotes collaboration and ensures consistency in approaches and outcomes.
• Enabling information sharing is crucial. Implementing mechanisms such as centralized repositories or collaborative platforms allows stakeholders to access relevant data and insights necessary for informed decision making. Learning from past experience, constantly testing and assessing and openly discussing risks may increase ownership and commitment.

Enhanced collaboration across enterprise architecture benefits an institution’s resilience in several ways.

• Improved risk identification and management: Collaboration allows for a broader perspective on risks, facilitating the identification of potential vulnerabilities and enabling effective risk mitigation strategies.
• Coordinated response and recovery: Collaboration ensures that all relevant stakeholders are involved in response and recovery efforts, promoting effective coordination, communication, and information sharing during disruptive events.
• Enhanced resource optimization: Collaboration enables organizations to pool resources, expertise, and capabilities, maximizing the efficiency and effectiveness of resilience measures and response activities.
• Continuous improvement: Collaborative efforts foster a culture of learning, adaptation, and innovation, leading to continuous improvement of enterprise architecture and resilience practices over time.

What are the five core pillars of operational resilience and how can we ensure these stay in alignment?

1) Governance: Effective governance ensures that resilience objectives are aligned with organizational goals and strategies. It involves establishing clear accountability, defining roles and responsibilities, and implementing governance structures to oversee resilience efforts.

2) Risk management: Robust risk management practices identify and assess operational risks, establish risk tolerances/appetite, and implement mitigation strategies. This pillar involves risk identification, risk assessment, risk mitigation, and monitoring and reporting mechanisms to ensure risks are managed effectively.

3) Business continuity management: Business continuity management focuses on maintaining essential functions during disruptions. It involves developing business continuity plans, establishing backup and recovery capabilities, conducting regular testing and exercises, and ensuring a clear understanding of roles and responsibilities during disruptions.

4) Incident and crisis management: here the focus is on managing and responding to incidents and crises effectively. It includes establishing incident response plans, communication protocols, and escalation procedures. Regular training, simulations, and proper communication help ensure readiness to address disruptive events promptly and efficiently.

5) Testing and assurance: Testing and assurance activities verify the effectiveness of measures and the alignment of operational resilience with organizational objectives. This includes conducting testing, assessments, audits, and reviews to identify areas for improvement and validate the organization’s operational resilience capabilities.

To ensure these pillars stay in alignment, organizations can action any the below:

• Establish an integrative governance framework for all pillars that fosters clear accountability and responsibility.
• Regularly review and aligning resilience strategies and plans in response to changing business objectives, risk landscape, or regulatory requirements.
• Periodically conduct assessments and tests to validate the efficacy and alignment of resilience measures.
• Promote a culture of resilience where every employee understands their responsibilities and actively contributes to these alignments.

Can you give any examples of how an overarching resilience framework has enabled your institution to remain afloat in the changing risk environment of today?

Having a proper framework and risk culture is key for organizations to maintain and properly manage their risks. As an example, the below steps are part of the framework:

• Identifying emerging risks: The institution can proactively identify and assess new and evolving risks such as cybersecurity threats, regulatory changes, third party risk or disruptions caused by technological advancements.
• Mapping inherent risks and evaluating the process control environment: This provides tools for proper prioritization. With this framework, the institution ensures strategic alignment by matching investments and resource allocation decisions with recognized risks, along with meeting set objectives ensuring informed decision-making and prioritizing critical areas when allocating resources.
• Coordinating response efforts: Having defined protocols for effective communication and rapid response procedures during incidents or crises guaranteeing well-coordinated efforts, and minimizing any negative impacts of disruptive events
• Continuously improving resilience: Through periodic tests, assurance activities and periodic reviews, the framework facilitates continuous improvement towards higher levels of resiliency standards. It also encompasses lessons learned from previous incident exercises, enriching future institutional capabilities
• Monitoring and adaptation according to regulatory and business changes: This allows the institution to remain constant toward varying regulatory requirements and develop new strategies, products and business.

With an overarching resilience framework in place, institutions can seamlessly adjust to changing risk landscapes, strengthen their resilience capacities, and uphold uninterrupted operations amidst emergent risks.