As the initial shock of COVID-19 passes and organizations adjust to a “temporary normal” state, most financial institutions across the U.S. have shown remarkable resilience in continuing critical business operations in this new environment. But for many, the challenges are only beginning.
For larger financial institutions, this display of resilience should not have been by chance, but because of implementing operational resilience plans. Aligned with regulatory expectations, these plans should have addressed and bridged areas such as business continuity planning, disaster recovery, cybersecurity, and resolution planning. In order to manage through a crisis, these, along with others, are all important aspects of an operational resilience framework which must be implemented effectively and work cohesively.
The aftermath of any crisis offers a unique opportunity for financial institutions to assess how their business responded to the unexpected challenges it faced, provide an opportunity for lessons learned from any breakdowns in operational resilience, and allow adjustments to be made that can help to ensure future disruptions are dealt with more effectively.
In this series, we will look at six critical areas that should be assessed as part of an operational resilience program when exiting a crisis:
1. Operational Resilience Governance Framework
With an effective governance framework providing the foundation to build resilience across all parts of the organization, operational resilience governance should be a key part of organization-wide enterprise risk management (ERM). For any organization that did not have existing formalized operational resilience governance, the crisis will allow it to use arbitrary actions to form the foundations for assessing what worked well and build out a formal framework.
2. Critical Business Process Identification
A financial institution’s operational resilience plan will identify an inventory of business processes that are critical to maintaining core operations. This firm and accurate understanding will allow for a starting point of the assessment of which processes are operating effectively during a crisis. With more complex organizations, there is a greater risk of not identifying key elements of, or even entire, critical business processes.
3. Business Continuity and Disaster Recovery
During a crisis, an organization must activate business continuity plans (BCP) to ensure that critical departments and systems can continue to operate, while concurrently implementing disaster recovery plans (DR) to restore operations to business as usual. BCP and DR are typically designed and performed on critical functions and systems within each organizational silo, whereas operational resilience is focused on the critical business processes spanning across the organization.
4. Third-Party Risk Management
It is increasingly common for financial institutions to rely heavily on external third parties for the provision of key infrastructure, services, and support for critical processes. Therefore, the resiliency of the organization is often intertwined with the resiliency of the third party, and organizations must have contingency plans to manage the risks associated with their disruptions.
5. Cybersecurity and Privacy
Cybersecurity is a key component of an effective operational resiliency program, which is further underscored by the widespread shift to remote work in the current crisis environment. Technology is the platform upon which all financial institutions are based; therefore, maintaining security and privacy over this technology is imperative to the institution’s internal and external functions.
6. Data Management and Governance
To facilitate decisive tactical and strategic decision-making by leadership, timely and accurate data and management reporting are always vital in times of crisis. The financial institution’s operational resilience plan should address the availability and accuracy of key data sources as part of the data architecture and governance programs.
Building for the Future
Having a robust process to continually reassess critical components of the operational resilience framework is essential for a financial institution to emerge stronger from a crisis. Given the uncertainty of how long this “temporary normal” will last and when the next crisis might begin, it is important to assess the robustness of their operational resilience plans and learn the lessons arising from actions taken to date. This will allow the financial institution to make adjustments that will enable it to:
- Operate more efficiently under the “temporary normal” environment over the short- to medium-term;
- Set up to recover quickly when this crisis is over; and
- Thrive in the long-term with an operational resilience plan that has been battle tested.
Throughout this series, we will dive deeper into each of the six critical areas including providing industry insights and examples of what a post-crisis review of each could look like.