Building Operational Resilience:
The Critical Need to Learn from Failure


By anyone's standards, the scale of prudential and conduct‐related failures in the financial system over the past decade has been staggering. The failures have shaped the regulatory response and influenced developments in risk management. What’s more, they provide fertile ground for learning.

This three‐article series – written by Jo Paisley, Co‐President, GARP Risk Institute; Dr. Mike Humphrey, former Head of Security, UK National Crime Agency; and Caroline Stroud and Emma Rachmaninov, Partners, and Holly Insley, Senior Associate, of Freshfields Bruckhaus Deringer LLP – demonstrates, from different points of view, that the lessons that arise out of mistakes can be turned into essential building blocks of an organization's resilience.

Of course, the past may not be a good guide to the scale and nature of potential losses in the future. Since the threat landscape is constantly evolving, it's not enough to have learned lessons from the past – learning needs to be forward‐looking, too.

Increased digitalization and changes in the technology that supports it, for example, raise new security and technology risks. Increased reliance on outsourcing – for example, via cloud computing, open banking and fintech partnerships – further raises firms' vulnerabilities, particularly to third‐party vendor risk. Greater regulatory safeguards on data privacy and protection raise the prospect of larger fines and increased reputational risk in the case of breaches.

Moreover, the consequences of operational outages and failures are changing: firms that display any sort of IT weakness themselves become targets for fraudsters. As a consequence of all of these issues, the likelihood and potential costs of operational failures are rising.

Regulators are, in turn, changing their approach. Rather than focusing on financial resilience (as they did in the wake of the financial crisis), they are now requiring firms to prove their operational resilience. Indeed, firms are being asked to plan on the basis that they will experience some sort of failure. Managing this rapid and disruptive change is becoming a key priority for firms, clients, regulators and politicians.

So, if we can expect more frequent operational incidents or failures at firms, with potentially more substantial and unpredictable impacts on both individual firms and the financial system, is it time to start thinking about failure in a different and more proactive way?

Each of the three articles in this series provides a unique perspective on learning from failure.

Insights from Across Industries

Not all failures are the same. Even so, some industries facing similar types of failures (for example, resulting in loss of life) have proven better than others at hardwiring learning from failure into their risk management. Industries such as aviation and health care offer valuable insights into the value of both collecting and learning from good‐quality incidents data, as well as the critical roles of culture, organizational and regulatory structures.

Creating Effective Incident Reporting

Collecting comprehensive incident data is challenging. People find it difficult to admit when things go wrong, and even making reporting mandatory doesn't always work. Drawing on his own original research, Dr. Mike Humphrey explores the critical success factors for building an effective incident reporting system. Good‐quality data on accidents and near misses are vital to our ability to understand the root causes of failures, their frequency and the threat landscape.

The Critical Connection Between Culture and Misconduct Failures

Even with good‐quality data, it takes the right business culture and openness to learning to make a difference. Misconduct risk is one of the most significant areas of cultural failure over the past 10 years. Lawyers at Freshfields Bruckhaus Deringer provide an external perspective on misconduct cases in banks over the past decade, examining the common themes.


Insights from Across Industries
By Jo Paisley

Insights from Across Industries

By Jo Paisley

Creating Effective Incident Reporting

By Dr. Mike Humphrey

The Critical Connection Between Culture and Misconduct Failures

By Caroline Stroud, Emma Rachmaninov, and Holly Insley

We are a not-for-profit organization and the leading globally recognized membership association for risk managers.

weChat QR code.
red QR code.

BylawsCode of ConductPrivacy NoticeTerms of Use © 2024 Global Association of Risk Professionals