Navigating operational resilience: are you operationally resilient enough?

Thomas Lemon, Managing Director, UK Country Market Leader, Protiviti (Chair)

Laura Moore, Managing Director, Protiviti

David Gardner, Partner, Tech, IP & Data, TLT LLP

Steve O’Regan, Group Chief Risk Officer, Skipton Group

Operational disruptions can cause damage to customers, market integrity and the stability of firms. With the implementation date of the next phase of the Operational Resilience rules coming up in March 2025, the panel discussed the importance of moving to a truly embedded culture for Operational Resilience. 

Thomas Lemon from Protiviti opened the panel by discussing the importance that Operational Resilience frameworks can have in ensuring the stability of firms. In recent years, there have been large failures of firms which could possibly have been prevented by better thought-through and better embedded Operational Resilience policies. Even recently, considerable damage has been caused by operational disruption in various parts of the UK, such as the e-gate failure at UK Border Force causing travel chaos for flyers into the UK, or cyber-attacks on firms holding details of people employed by the Ministry of Defence.

Firms must also consider the risk of external threats, not just business-as-usual risks, and must look hard at single points of failure as well as at combinations of risks arising at the same time and how they might interact with each other.

Led by Laura Moore from Protiviti, the panel discussed how to embed Operational Resilience in a firm, from its foundational elements through to its governance culture. She stressed that Operational Resilience is more than a tick-box exercise: it is an active culture of testing to evaluate risks, learning from risks as they arise and improving going forward.

Embedding Operational Resilience is not without its challenges, prompting the panel to discuss some common issues which arise. For one, creating a data resilience strategy is not straightforward. It is evolving and the needs of firms will differ, but it is important that firms actively engage and plan for a variety of scenarios.

The panel discussed how important it is that Operational Resilience maps the variety of business services end to end, supported by true tests of how a firm could fare in severe but plausible scenarios and by active engagement and planning on how the firm could deal with them.

The panel discussed at length what good scenario testing looks like and how it may be approached. Scenario testing must look at severe but plausible scenarios which firms may face. To do this effectively, firms should set a strategy for which scenarios should be tested, and how often those scenarios should be tested and retested. Firms need to think about the risks posed by cyber-attacks, data loss and data corruption, and how they prioritise their actions in these scenarios. Firms should confront whether there are single points of failure, with broad agreement that it is better to know about an exposure and take action than to shy away from it.

Laura and Steve O'Regan (Skipton Group) both discussed the importance of communications plans for when issues arise and how firms respond to them. Firms should consider whether they want to proactively create communications in line with severe but plausible scenarios that may arise, or whether they would rather wait until a risk arises to respond.

Steve also spoke about how Skipton is driving Operational Resilience, not in the second line, but through a separate first line, which they called “Line 1B”. This has given them a team who can see the wood for the trees, allowing them to focus on core processes and journeys, and acting in a key role supporting the heads of business. They have found merit in splitting the savings and lending functions with separate COOs, but with Line 1B Operational Resilience teams being able to work horizontally.

Dave Gardner from TLT led the panel in a discussion of the third-party perspective: there is a lot to be learned from third parties who have relevant experience of seeing how Operational Resilience is handled in other firms.

As Laura said, the most crucial thing for boards is not the answer to the question “am I compliant with the regulations”, but “am I resilient enough”. It is a difficult question, but it is one that must be confronted to give boards the confidence to proceed, knowing that they are doing the best for their firm.