The Bank of England has published a Statement of Policy on Operational Resilience, which becomes effective in March 2022. How prepared is the financial sector for this new regulation?
As a whole, based on conversations I have had within the industry, conformance in its entirety will be challenging, especially for firms not currently mandated by the FCA & PRA Operational Resilience policy.
I find that when a new regulation or policy is mandated on a firm, the discussions with senior leaders and the board change. One of the first questions I am normally asked is “do we have to do this?” If the answer is “yes”, we should not stop there, otherwise it may be treated as a project or a tick-box exercise, when in fact we should look at presenting the regulation or policy as an enhancement to ensure we remain true to our values and commitment to the customer. Culturally we need to be engaged, and this should start at the top level; we then improve our ability to achieve buy-in across the rest of the organisation.
I will state that FMIs who already have robust Business Continuity frameworks in place are at an advantage, as practitioners like myself have a top-down and bottom-up view of the organisation through our business impact analysis (BIA) process. The level of knowledge and information gained throughout this process is a key component in identifying important business services, their dependencies and potential impact tolerances.
Operational Resilience will require ongoing monitoring to ensure threats faced by organisations are not passed onto their customers due to lack of investment, oversight, and governance.
The terms “organizational resilience” and “operational resilience” are often used interchangeably. How do they differ in your view?
In my view, quite simply, don’t focus on the “Resilience” just yet, as this means different things to different people. We should first concentrate on what “Organisational” and “Operational” mean in the context of business.
The former includes – but it is not limited to – culture, values, appetite and business model of the entire organisation, which expands beyond just the products and services offered. The latter is more process driven and refers to how we deliver products and services.
So, although Resilience may be varied in definition depending on who you speak to, I believe we universally agree that it includes being able to get back up if knocked down and to go one better, not being knocked down at all.
In this broader resilience context, what role does BCM play? What other disciplines should it work with?
Resilience should form part of a firm’s culture and values. We all should consider the “what ifs”, “whys” and “hows”. This, applied across all our business decisions, will help ensure that we are doing the right thing and that we understand any implications of these decisions should they go wrong.
BCM plays an integral role in bringing together siloed departments, initially acting as a conduit between them. BCM with its wider reach can build a map of dependencies between multiple areas of the business and work collaboratively on ensuring breaking points are identified and mitigated.
Risk management generally has a holistic view and is a key discipline BCM should work with, as there can be an understanding as to the broader concerns of the organisation. Other disciplines used across physical security, human resources, technology (including cyber security) and vendor management can complement a good BCM program.
In your experience, what are some practical tips that can help raise awareness on BCM and resilience through the organization?
Gather allies across the business. You can do this simply by being present. I believe in shadowing and taking an interest in what other people do; it shows them that you are engaged, and you might find opportunities to present your role within the organisation; more so, offer them the opportunity to help them identify and mitigate gaps or weaknesses in things they absolutely rely upon day-to-day.
Do not just send the business an Excel spreadsheet and ask them to complete it on an annual basis; explain the rationale behind each question and describe how the efforts of working with BCM will benefit their ability to continue operating should there be a major incident.
As we enter our third year of the current global pandemic, what other challenges do you see for organizations in the upcoming year?
Climate change and Sustainability. This is due to the increased pressure on doing what is right for the good of humanity and being able to continue delivering shareholder value, including the ever-increasing demand of products to their customers. This can’t be achieved alone and until everyone across the industry agrees there is a threat of Climate Change and Un-sustainability the responsibility will yet again fall upon the regulators and supervisory authorities to enforce change.
In addition, firms are still defining what a working environment looks like in the ongoing pandemic, with higher rates of attrition partially owing to people wanting greater degrees of flexibility around home working. Thus, firms need to continue re-thinking how their Mon-Fri, 9-5 roles will adapt going forward. As building leases come up for review, do they downsize in favour of greater home-working or do they create collaborative spaces for employees? These are some of the many things employers need to think about as we exit the peak of the pandemic.
How has the workforce in BCM and resilience changed through the years? How are we responding to issues of equality as well as the need for certain specific skills (e.g. cyber)?
A large number of BCM practitioners fell into this profession either as a side gig or because someone asked them to do it. A lot of people born from this were operating in areas such as Security or IT. Over the years, a good portion of practitioners have come through, some purposefully studied for it, others didn’t, which is why they now vary in background, skills, and experience. There is now a global reach, and we are fortunately exposed to multiple skillsets and cultures, which can help us better understand different needs when implementing BCM programs across different continents.
Diverse workforces do not need the exact representation of all demographics, but they do need to allow equal opportunities to all. I do however believe in merit; therefore, just because an industry, department or role does not equally represent all demographics, it does not mean that it is not diverse. We mustn’t judge based on pre-conceived stereotypes, but we need to consider candidates based on their skillset and suitability for the role.
On a different note, while our daily lives revolve around technology, the risk of human error is still present, adding to the current cyber threat. Accessing quick resources on the internet can lead us to let our guard down, compromising security for speed. Accepting a website cookie because we are in a hurry is a classic example of this. Therefore, additional protocols need to be put in place to understand the human factor of security as we try to retain our seat next to the growing need for technology.
What advice would you give to newcomers to the industry?
Connect with people in the industry; there are lots of membership bodies consisting of practitioners varying in experience. My view is that we are all happy to help one another, especially those who operate as a team of one.
In addition, there are networking groups on LinkedIn and Think Tanks that are inclusive of all those within our industry and beyond.
The disciplines you adopt do not need to be executed rigidly; it is vitally important to understand the organisation you work for, how they operate, what their goals are and adapt your program according to these.
Do not be afraid of speaking up about ideas and views that are important to you. There is rarely a right or wrong answer and even if your idea is not concretely taken on, it could be thought-provoking and inspire others to influence and take action.
About Andreas Bryant, MBCI
I have been operating within the resilience industry for over 8 years with work experience spanning over 21 years. I am one of the co-founders of the #ResilienceThinkTank, dedicated to providing independent guidance and research to the risk and resilience industry. We are also committed to ensuring diverse voices are included in making communities and organizations more resilient including but not limited to:
Being an ally for risk and resilience professionals
Promoting diversity within our profession
Being champions for the ‘teams of one’
Remaining independent, vendor and product neutral
Focusing on what is relevant in risk and resilience right now
Mentoring the next generation of professionals