Operational Resilience – 7 Steps To Success And A Helpful Guide
It’s easy to get overwhelmed by the Operational Resilience requirements. At first, you may question whether this is just a new name for Disaster recovery or Business continuity planning, and it certainly complements those frameworks. However, Operational Resilience is a separate framework, with a distinct purpose and set of requirements for firms to meet.
If you’re new to Operational Resilience and need to implement a framework, or if you are considering how to mature your framework and the sophistication of your testing plan, our helpful guide will be able to provide some insight and guidance on the steps to take.
1. The starting point
Get your team or working party together. Developing an Operational Resilience program and implementing it into the business requires input and support from a number of departments. Creating the framework is detailed and time-consuming work, so ensure you allocate sufficient resources to this project. Once it’s in place, there are ongoing requirements that mean you need to allocate a regular time slot in your calendars.
2. Identify your Important Business Services
List out the services that you provide, such as inbound telephony customer service, quotes, underwriting, claims handling etc.
Risk assess or score each of your business services against the 13 factors or indicators to establish whether it is an important business service.
3. Define your impact tolerances for each of your important business services.
This is the maximum tolerable level of disruption, measured as a length of time, to an important business service before intolerable harm will be caused to customers, or risks to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. When defining your impact tolerances, you must consider a specified set of 11 factors as a minimum.
4. Map your framework and identify your vulnerabilities!
The Operational Resilience requirements set out that you must completely map your framework. This involves identifying and fully documenting the supporting structures that underpin your Operational Resilience. This will include the necessary people, processes, technology, facilities and information.
As part of your mapping, you must also identify any vulnerabilities within your framework and resolve or mitigate these where appropriate.
5. Scenario Testing and Lessons Learned
You must test your ability to remain within your impact tolerances through scenario-based testing. Testing can start with single elements of the framework or simple scenarios; over time, however, you must develop the sophistication of the scenario testing and, by 31 March 2025, be able to show that you can remain within your impact tolerance levels for all of your Important Business Services.
After each test, a lessons-learned review must be completed to detail the outcome of the scenario-based test. If improvements are identified through the testing, these must be remediated.
As part of your Operational Resilience framework, you will need to develop a communication strategy that addresses internal and external communications in order to limit the impact of operational disruptions.
This goes beyond the website and telephony recorded messages and focusses on reaching customers when you have no direct line of communication.
Your self-assessment should document how you comply with all of the FCA requirements for Operational Resilience. It must be approved by your governing body and reviewed regularly.
When you break Operational Resilience into 7 manageable steps, it becomes a lot easier to digest. Our forthcoming helpful guide will go into more detail on each of these areas and includes some useful hints and tips on how to implement a framework and ensure it stays firmly on the radar with the plethora of day-to-day pressures businesses are currently facing. Our guide will appear in the Compliance Resources section soon.