Rethinking Resilience, Part 2
What problems are firms facing with scenario testing ahead of the UK regulatory deadline?
The UK’s financial services operational resilience environment continues to evolve, with regulators taking on a progressive stance to operational resilience requirements as digital transformation of the financial services sector accelerates. The latest update from the Financial Policy Committee is testament to this fact. More information on this can be found in our 4 April, 2024 post here.
A key ingredient to achieving a compliant operational resilience framework is scenario testing. A firm must carry out scenario testing to assess its ability to remain within its impact tolerance for each important business service (IBS) in the event of a severe but plausible disruption of its operations. However, GreySpark observes that scenario testing is proving problematic for in-scope FIs.
The new regulations requires a pivot away from traditional scenario testing methods to more sophisticated, artificial intelligence-centric frameworks so that increasingly complex scenarios can be depicted and measured. Delivering such a framework is an operation within itself, requiring detailed data preparation and management so that scenario testing can be conducted with maximum efficiency and accuracy.
In particular, when it comes to delivering scenario testing frameworks subject to the UK’s operational resilience requirements, GreySpark observes four major problems that are holding back in-scope FIs in their quest to deliver an optimal digital operational resilience testing model. In continuation of our 20 March, 2024 post, where we outlined the first two key operational resilience challenges, we explore the final two of these problems below.
Lack of Operational Resilience Contribution to Business Value
Current business process and system simulations predominantly centre around 'what if' scenarios, lacking a structured approach to suggest improvements systematically, without looking at operational resilience from a worse-case scenario. Within the capital markets sector, the focus has primarily been on assessing the disruptive impact of these 'what if' scenarios on IBSs, resulting in the calculation of potential revenue losses. A ‘what if’ scenario can include major disruptions such as the failure of a critical IT system or a cyber-attack.
However, there is a growing realisation that FIs should shift their operational resilience perspectives from loss mitigation to proactive revenue generation, seeing that operational resilience is making up an increasingly large part of FIs’ operational models. This is otherwise known as ‘return on resilience investment (RORI).’ For example, the ability of an FI to withstand and recover from disruptions can deliver competitive advantage through increased market share, trust and confidence, so banks could take on more of a glass half full approach than a glass half-empty approach toward operational resilience.
This, in turn, creates the need for a digital model that can of identify system enhancements and provide cost illustrations associated with these improvements.
Decentralised Operational Resilience Framework
FIs are generally lacking a formalised and centralised operational resilience framework despite the looming 2025 deadline, presenting significant challenges. This results in fragmented ownership and segregation of critical data, hindering the cohesive management of risks and resilience efforts. The fragmented data typically exists in data silos across various business departments, leading to duplications and confusion. Silos can exist in other forms such as risk, undermining an organisation's ability to be proactive and agile in its business continuity planning.
According to a survey from technology provider Ansarada of its Governance, Risk and Compliance customer base across several industries, including financial services, technology and healthcare, only 34.6% had a dedicated team for overseeing operational resilience. This means that almost two thirds of firms manage operational resilience using various business departments, suggesting an incohesive and decentralised approach toward operational resilience.
This decentralised approach not only escalates financial burdens such as non-compliance and change management, but it can also heighten the vulnerability of important business services to unforeseen disruptions. For example, silos can impede information flow between business departments and clients at critical moments, exacerbating any potential disruption.
In addition, in some cases, silos can reduce efficiency and lead to higher operational costs. According to a report from WBR Insights, around 54% of FI executives acknowledge data silos as a significant barrier to innovation and maintaining a competitive market advantage.
Overall, these points highlight the pressing need for banks to transition from the early development stages of an decentralised framework to a more sophisticated centralised framework, characterised by a structured and collaborative approach to operational resilience management.