Operational Resiliency Must Remain a Top Priority

As a vast majority of the financial industry's workforce continues working remotely, organizations are operating in entirely new ways. No one could have predicted at the end of last year that a global pandemic would impact the world's workers in 2020 and force millions of financial services staff, and staff across other industries, into a remote work environment.

These changes have added layers of risk and complexity to the financial industry ecosystem, magnifying the importance of operational resilience, or the ability of firms to continue to provide critical services in the face of adversity.

Operational resilience has evolved significantly over the years. Although resilience was once focused on siloed risk management areas such as cybersecurity and information technology, operational resilience encompasses additional areas including financial risk, infrastructure stability, vendor risk, product management, security and technology - enabling a more holistic view into risk and resiliency. It calls for all parts of an organization to work collectively across the financial industry and across national borders.

Even before COVID-19, operational resilience was viewed as a key priority across the industry, as documented by a Forbes-BMC white paper, The FinServ Future. In a survey late last year of 300 U.S.-based C-suite executives in financial services, 44% were actively training employees in resiliency protocols to ensure and address potential regulatory issues related to business resilience.

When asked about the measures firms could take to address business resiliency challenges, most respondents (49%) highlighted an emphasis toward industry collaboration with peers. Also, 37% suggested increased audits and assessments, and 37% mentioned the need for clearly defined resiliency ownership within firms.

Forward-Looking Guidelines

At DTCC, we view operational resilience as a key business and industry priority. The increasingly complex financial services environment requires a new approach to enhancing resilience that is holistic, forward-looking and highly collaborative. Our Resilience First white paper outlines a set of guidelines to help drive further advancements around how firms plan for and respond to disruptive events that could impact critical business services. They include:

• A firm's business resilience planning should be holistic. When planning, firms should consider key dependencies and potential vulnerabilities across all areas of the business globally, including operational, technical and financial risk. Firms should conduct an end-to-end analysis of critical services, client activities, third-party dependencies and all touchpoints.

• Resilience should be embedded into an organization's risk culture and mindset in order to drive improvements in risk and response management. Establishing a “resilience centric” culture and mindset emphasizes a shared approach and common objectives supported by and governed by the board and senior management; encourages employees to change the status quo to address weaknesses and risk; and creates a continuous learning mindset.

• To make informed business decisions around resilience, ongoing assessments are key, Firms should determine resilience objectives which should help drive the re-architecting of existing services, and the design of new offerings.

• Finally, as resilience-enhancing initiatives are implemented, industry coordination will be critical. Continued, ongoing, sector-wide collaboration will be necessary to ensure all firms understand their roles and are ready to mitigate the impact future disruptions to critical business services. The work that CPMI-IOSCO is undertaking around cyber resilience is a great example of this. Within one of their working groups, the organization has asked for the industry to look at issues across sectors such as communication, data protection and third-party concerns in order to best identify how we can work together to get even better and stronger.

As of late September, the World Health Organization reported over 32.7 million global cases of COVID-19. The pandemic cannot be understated in its current impact and long-lasting ramifications. As we progress through the final months of 2020, we must stay focused on the fundamental principles of resilience while adapting to changing market and business conditions, as well as new threats and advances in technology.

The pandemic remains a top threat to operational resiliency across the industry, but in many ways, it is no different than previous crises that prompted an unprecedented industry response, like 9/11 and Superstorm Sandy. We must continue to place operational resilience on the top of our priority lists, addressing the challenges of today and ensuring we are well prepared for those future events that are sure to come.

Dan Thieke is managing director for business risk and resilience management, Depository Trust & Clearing Corp. (DTCC) He previously contributed to GARP Risk Intelligence COVID-19 and Operational Resilience: How Past Crises Shape Today's Response.