31 March 2022 was the longstop date for firms to conclude their operational resilience implementation phase and draft a plan for the upcoming three years.
And while now firms have tested their ability to recover from potential disruption, this is not the time to sit back. The countdown has already started to the next deadline of 31 March 2025, for firms to prove their ability to operate within impact tolerances.
Once again, rules apply to banks, building societies, PRA-designated firms, insurers, enhanced scope (SMCR) Senior Managers & Certification Regime firms.
Let´s go over it again...
Why should you deeply care about operational resilience?
We have learnt that unexpected, disruptive events can happen in the blink of an eye (Covid-19 pandemic, Ukraine war) and it pays to be prepared to react to whatever impact they might have on your business, strengthening service resilience and protecting account accessibility for your clients.
By now, you should have already:
- Identified your important business services;
- Set the thresholds for the maximum tolerable disruption to business operations;
- Integrated technology to centralise risk information and manage a large and complex data set;
- And carried out mapping and testing of thresholds, collecting data, and evidence on how these could make sense and provide the right answer for your customers.
If you can put a check on these goals, then congrats, you have your operational resilience plan ready!
Staples to bear in mind
Recently at Objectway, we conducted a survey on the matter to help clients gain meaningful insights and in particular what to pay attention to when looking at the next deadline.
First and foremost, technology transformation is an essential element to address to support business continuity, crisis management, disaster recovery and other risk areas.
An approach that includes both technology and people expertise is then paramount to building a strong, agile, response plan. Many had already built an internal team dedicated to Operational Resilience, but it is important to further push this aspect.
Three years from now, firms will be tested again. We believe that this transitional period will give you the possibility to improve your systems and strategies to respond to disruptive challenges.
In particular, to build your cyber resilience framework for cyberattacks and data leaks, which are recognised as the risk areas organisations are most concerned about.
Quoting Churchill, "this is just the end of the beginning!" And in three years times, you will be tested again to assess if you remained within the impact tolerances.
But be careful there, do not lose sight of the overarching aim and become engrossed in the science of analysing data and determining tolerance thresholds.
The gold standard would be to be able to continue operating your services throughout any severe but plausible operational incidents through effective response strategies.
What is next is harder than ever to predict, but firms should not be afraid to take the get ahead in the journey to greater Operational Resilience.
