The operational resilience model is changing. Businesses have spent years and vast sums of money trying to stop bad things happening. Now they are accepting that bad things will happen – and it’s what they do about it that matters. This panel at RiskMinds International explores the fundamentals of building a resilient business while involving various stakeholders in the business.
Left to right: Mihai Popa, ING Bank; Nicky Russell, HSBC; Naomi Springate, Lloyds Bank; Matthew Field, HSBC
The traditional approach that puts cyber front and centre in resilience plans is evolving with a growing recognition that a fully-fledged model needs to take account of a much broader spectrum of risk.
Speaking on a panel at the Technology Risk and Operational Resilience Summit, Nicky Russell, Director, Global Operational Resilience, HSBC, told delegates about the importance of taking an end-to-end approach. Rather than focusing on assets, businesses now need to focus on outcomes: what is an alternative way of delivering business services and keeping up and running while resolving the problem.
This means mapping out each of the business-critical functions and identifying the risks within the entire supply chain. Each of the owners of these critical pillars needs to be asking how resilient their function is – and how resilient will they be in the future based on the threat landscape.
For banks, Russell said, this often requires a fundamental shift in thinking. It is no longer about how much you are willing to spend to try to offset risk, and instead more about ‘impact tolerance’. This concept, recently introduced in a Bank of England paper, refers to the point at which there is risk or harm to the customer, marketplace or viability of the firm. Businesses need to hypothesise where this impact tolerance is, and then test that. And very few have the capability or mindset to do that.
The weakest link in the chain
Increasingly, companies are recognising that operational resilience is a board-level issue. It is something that has to be planned into the infrastructure of a business. And it is a critical consideration during business transformation.
It is also important to remember that responsibility for managing risks needs to reside with an individual – devolving responsibility to technology is not the answer, with the panel warning this “often results in the tail wagging the dog”.
Mihai Popa, IT Area Lead Continuous IT Operations, ING Bank, highlighted that businesses are only ever as strong as the weakest link in the chain. This means an operational resilience plan needs to take account of suppliers and third parties – and by extension, their third parties.
For Popa, building operational resilience means constantly testing the business and running through endless ‘what would happen if’ scenarios. This could mean deleting code, taking servers offline, or planning for the failure of a third party. Most businesses have not planned for the failure of a business-critical function, and don’t have a tried and tested alternative that could slot into place.
A customer-first approach
For Naomi Springate, Director, Operational Resilience and Security, Chief Security Office, Lloyds Bank, a changing attitude to operational resilience means focussing on what matters most to the customer. The most business-critical areas are those that affect a business’s ability to deliver its service or product in a way that the customer or client expects. For each critical function, Lloyds will track and collect data on everything from the technology used and where it’s used from, to the people employed by that business function and the third parties they use, right up to board level.
Collaboration will be key to creating the most resilient risk models of the future. This means collaboration within businesses, across functions, that also takes into account the third parties they work with. In an effective strategic partnership, other players will be able to step in and take the weight at the point of failure, so that services to customers are not disrupted. Single points of failure need to be identified and avoided.
From a regulatory perspective too, working together will be key. Some of the most detailed organisational resilience regulations are coming out of the UK and there is now a growing focus from businesses to coordinate and help avoid too many different requirements in different countries.
Watch this space, said Matthew Field, Senior Manager, Digital Public Policy, HSBC – there is going to be a lot more discussion about operational resilience in the future. And planning for when things go wrong will be the mark of a successful business.