How to develop Organisational Resilience in your Organisation


People talk a lot about organisational resilience and operational resilience but they don’t always understand it, said Ramesh Pillai, Chairman of IERP’s Board of Governors. “The start point is, what is the imperative for this? Why are we even bothering to talk about operational resilience and operational risk?” he said, acknowledging that it was not an easy topic but pointing out that operational risk drives operational resilience and vice-versa. To effectively manage both, therefore, there was a pressing need to understand what was happening in the business through the scrutiny of processes, controls and architecture.

“There is a need to look at how the existing risk architecture works, and how to utilise all this to meet the operational resilience needs of the organisation without duplication or additional work,” Ramesh said. A big overlap exists when it comes to operational resilience and operational risk, he added, so those concerned with operational resilience needed to understand the issues affecting both elements. Organisational resilience also requires the understanding of different sectors. Service owners need to have a clear understanding of the end-to-end delivery of all parts of their service, while the line needs to be aware of what support exists and how to leverage on this.

“From the operational risk perspective, there needs to be process management and forward-looking action,” he said, explaining that Key Risk Indicators (KRIs) could be used as these were actually a tool for operational risk. However, he cautioned that KRIs tended to be mostly backward-looking. Forward-looking, anticipatory tools are more useful. Additionally, end-to-end delivery of processes needs to be aligned to the various impact tolerances, and all this needs to be aligned with operational resilience and decision-making actions so that everything works cohesively and holistically. It is imperative that business owners fully understand the risks and controls embedded in their end-to-end processes.

This can provide an opportunity to assess existing infrastructure and whether methods are delivering the right outcomes for the organisation. Heads of operational risk need to use operational resilience insights to derive further value and benefits for the organisation. But what is the definition of operational risk and operational resilience, and what are the differences between the two? Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational resilience is defined as the ability to deliver critical operations despite a disruption.

Operational resilience is an outcome that benefits from the effective management of operational risk. “Operational resilience is a broad and ongoing concept,” Ramesh said. “Its goal is to build resilience so that the business can withstand disruption. It’s about being flexible in distressing situations.” The business, therefore, needs to have processes that will be able to withstand distress and disruption. While there is a lot to be shared or utilised from the operational risk perspective, operational risk and operational resilience need to be viewed holistically. Organisations must have a clear idea of what they want to achieve in order to build the necessary processes.

“This increasing emphasis on operational resilience gives organisations the opportunity to look at themselves inwardly with a fresh pair of eyes, and to make sure they understand the various approaches and how to respond to what can go wrong,” he continued. “Becoming resilient requires more than just continuing to perform risk management practices. The key is to understand what can be leveraged from existing frameworks and processes.” Companies which have more operational resilience processes in place may consider the use of existing tools like impact analysis, impact scales and scenario testing templates as these are already within an operational risk management framework.

In the long term, strong links will emerge in the way companies manage risks and the way they manage the operational resilience of their most important services. They may not have all the resources necessary to ensure the operational resilience of all their services, so they will have to determine which to prioritise. Most companies tend to focus on quick progress, and pick the ‘low-hanging fruit’ first, so that they can build various resilience requirements and frameworks, Ramesh added, advising that the most important business services needed to be mapped, instead of investing in activities which would only tick compliance boxes.

Operational risk is often defined as the risk of loss from failed or inadequate internal processes, people and systems, or from external events; it is bad and there is no trade-off for it, but one of the outcomes of having strong operational risk management is operational resilience. Operational resilience is the ability to deliver critical operations throughout disruption. “The key quality required is that the organisation continues to be flexible through any distressing situation,” he explained. “The aim of operational resilience is to get the company to focus on all critical and correct activities and behaviours. Organisations need to ensure that they have effective management of operational risk because it drives the whole thing.”

When managing operational risk properly, companies will seek to identify internal and external threats as well as potential failures of people, processes and systems on a regular, ongoing basis. Critical operations need to be assessed for vulnerabilities, and the resulting risks must be managed in accordance with the operational resilience approach which the organisation has adopted. He pointed out that companies go through the motions with operational risk but they still get it wrong; they know what to do and how to do it but they still fail to do what is necessary. Regulators were now increasing their focus on operational risk.

Companies therefore need to improve their operational risk management, which can be done by addressing three categories: cohesion of approach to managing operational risk; data quality and data governance; and incentivising risk management. “Regulators have become concerned over how board and senior management lack a clear line of sight into the various operational risk exposures, often due to ineffective risk framework implementation,” Ramesh said. “The lack of alignment in framework elements like scenario analysis may not feed into control investment decisions. There may also be inaccurate or incomplete use of risk profiles at individual business line level and on an aggregate basis across the whole organisation.”

These categories also involve data quality and data governance. “Effective data quality management continues to be a priority because of the explosion of data, the advent of big data and quantum computing,” he said, giving a few examples. Cyberattacks have also increased. He cautioned that regulatory enquiries were pointing to a need for organisations to develop a comprehensive data governance framework and allocate appropriate resources to deliver and oversee it. “This is also part of ESG disclosures,” he said. “The pervasiveness of data and the importance of data security means that companies need to ensure that staff have basic skills to manage data quality.”

This is necessary to derive insights into the business and its related risks. There is a need to find a way to bring operational risk and operational resilience together. Operational risk infrastructure on its own will not enable firms to achieve compliance but it is a starting point for companies to build operational resilience from an existing base. “Operational resilience is an outcome of strong operational risk management,” he said. “The only way to get operational resilience is to have very robust operational risk management. The effectiveness of operational resilience is highly dependent on the efficacy and effectiveness of the existing risk architecture.”

There is a need to get the operational risk infrastructure right first so that it can be relied upon to drive operational resilience. Inconsistent approaches to risk types will make it more difficult for operational resilience to leverage on what exists, without first enhancing and streamlining the risk infrastructure. Operational risk tools, templates and outputs can be leveraged to address different elements. Operational risk testing scenarios may also be used. “To be operationally resilient, you have to understand the processes and roadblocks, and how to make these processes more resilient,” Ramesh advised. “Align risk appetite to impact tolerance, and adjust how you manage risk and risk-taking ability.”

He also suggested having ongoing monitoring and governance for better efficiency and resilience, although ongoing monitoring is not part of the additional rules and guidance in the framework. “But as risk professionals, we expect that companies would have already developed some form of regular monitoring and governance mechanism to enable oversight of the company’s ability to prevent, adapt, respond to, recover and learn from operational disruptions as part of the operational risk management programme,” he said. Firms were now creating specific management information to ensure adequate consideration of resilience in management oversight and decision-making.

There have also been significant updates to regulatory frameworks for outsourcing and third party risk management, due mainly to factors like the emergence of cloud technology. However, companies are still fully accountable for all outsourcing arrangements and responsible for managing all third party arrangements, proportionate to the risk they represent. “Regulators don’t really care how the service is delivered so long as you can demonstrate that the risks are being managed proportionately and that there is adequate and appropriate senior management control and oversight,” he said.

“They will expect companies to have conducted thorough risk assessments to quantify and understand the nature and extent of risks throughout the chain, how the threat actors will exploit the weakest links and how the company will be dealing with this. The expectations are that these risks are fully understood at both the arrangement and aggregate levels, and are being managed just as other risks are managed.” Existing tools and requirements within the operational risk framework can be leveraged to create a more consistent and effective approach for operational resilience. Operational resilience requires organisations to develop a holistic understanding of the approach, think flexibly, and be able to pivot during times of distress or disruption.
