Ebk Operational Resilience Financial Services Industry


Seven Strategic Insights to Operational Resilience


There is a lot of misunderstanding about what
operational resilience is – and is not. As new operational
resilience regulations sweep around the globe, there is
naturally the question of what is needed for compliance
with those rules. And these requirements can differ
considerably from one jurisdiction to another. However,
effective operational resilience is about much more than
checking an obligatory box – in financial services it can
be a significant strategic opportunity that transcends
mere compliance. It puts financial organizations in the
right place to meet requirements regardless of jurisdiction
and delivers outcomes that enable the organization to
meet its business goals and drive customer centricity.

The seven key insights explored set out just what that
strategic opportunity looks like. For organizations that
choose to embrace operational resilience in a more
holistic way, the benefits could include increased
efficiency and collaboration, more robust operations,
and a significant competitive advantage.

Although operational resilience looks like another
compliance project on the surface, in truth it presents an
opportunity that could deliver real value. For example, in
this white paper the key insights often refer mainly to the
UK’s operational resilience framework as created by the
Financial Conduct Authority (FCA) and the Prudential
Regulatory Authority (PRA). However, the reality is that
these insights can be applied to any organization
globally due to their strategic nature.

Organizations that embrace true operational resilience
have a truly transformational opportunity that can
position them for success today and in the future. The
seven key insights are:

1. To be a digital bank, you need a real-time view on operational resilience

True operational resilience is key to supporting digital
transformation overall. Banks want to encourage
customers to use more digitally-based services, but
customers first must trust that these services will always be
there when they need them – this is particularly true for
vulnerable customers. The old-fashioned brick and
mortar branches, with their impressive banking floors and
large vaults, were designed that way to convey trust –
and deliver operational resilience in a society that held its
wealth in cash and other physical goods like gold and
gemstones. Today, banks need to be able to deliver the
same operational resilience in the digital world. They
have a duty to keep their customers, and the financial
system overall, safe. Regulators see this as being of utmost
importance, which is why they are not only focusing on
operational resilience, but also on interconnected topics
of third-party risk management and cyber risk
management.

2. Data makes operational resilience possible

Regulators are demanding that all regulated financial
institutions maintain resilience for their important business
services. Real-time data is key to understanding how well
these important business services are functioning today and
to anticipate tomorrow’s performance.

For example, real-time data makes it possible to understand the
ripple effect that a critical business application being down for
a period of time will have on the services it supports. Data is
also needed for benchmarking, i.e., to know how to set impact
tolerances, create controls, and provide alerts if these tolerances
have been, or are about to be, exceeded.

Data is key to understanding how to respond to negative
events – it provides crucial information to help teams locate
the source of an issue.

Also, continuous monitoring of operational resilience
robustness requires data from across the organization that is
analyzed and delivered in ways that support decision-making.
It is clear that data is the lifeblood of an effective
operational resilience program that is capable of delivering
real value to an organization.

3. Even regulators are saying that operational resilience cannot be achieved through compliance alone

Both the UK FCA and PRA have made it clear that a “check
the box” approach to compliance would be sub-optimal. In
a recent speech, Duncan Mackinnon, executive director for
supervisory risk specialists at the UK’s PRA said:
“Operational resilience cannot be achieved through
compliance alone. Important business services, impact
tolerances, mapping and testing are only the start.
Approaches and solutions must acknowledge that
operational failures are inevitable. And as we do not know
what disruptions will materialize, firms need to plan for a
wide range of possible failures.”

Regulators want to see engagement with operational
resilience from the board and senior management, on down
through the organization, which will create substantial
cultural change for many organizations. Those with Senior
Managers & Certification Regime (SMCR) responsibility for
the operational resilience of important business services –
and related support functions such as business continuity –
should keep this regulatory perspective in mind. This further
emphasizes the need to have a system-driven approach to
ensure both compliance and operational elements are
accounted for in the most efficient way possible.

4. The three lines of defense also apply to operational resilience

Today, some financial services organizations are creating
bespoke operational resilience teams within the many
individual silos of their businesses, which results in a non-
strategic approach.

Issues are not examined in a holistic way, data is usually
fragmented, and there can be poor collaboration.
Alternatively, organizations are building an operational
resilience team at the top of the organization that often
does not penetrate deeper into the business. For example, a
framework is developed, and policies are written, but
implementation remains surface-level and “check the box”.
Operational risk faced the same challenge and for that
reason the three lines of defense model was created.

As with operational risk, operational resilience is everyone’s
job, and so the three lines of defense model can also be
useful here.

True operational resilience needs to be a collaborative
program across the whole of the organization so that best
practices and data can be shared, and the board and
senior management can view resilience in a more strategic
way, delivering real value to the organization.

5. Robust operational resilience should be a unique selling point within your product strategy

In recent speeches, the PRA has pointed out that, during its
March evaluation of firms’ progress on their operational
resilience programs, CHAPS (The Clearing House Automated
Payment System used for sterling transactions in the United
Kingdom) payments impact tolerances varied between two
days and two weeks.

It’s safe to say that a customer who is unable to make a
CHAPS payment for two weeks, when she knows that
another bank recovered in two days, is likely to move her
accounts.

With this example, it is easy to see how a robust operational
resilience program can translate into competitive
advantage.

Firms should consider operational resilience as a unique
selling point within their overall product strategies. Certainly,
as third-party risk management becomes more widespread
among companies, financial firms may find their customers
asking for information about operational resilience impact
tolerances.

Retail customers – informed by both traditional and social
media – are likely to vote with their feet or clicks.

6. It’s not possible to be truly customer centric without operational resilience

Much online ink is being spilled about how achieving success
as a digital financial services provider requires a new kind of
customer-centric approach. Customer experience needs to
be the starting point of process design, and the process
improvements delivered by automation and artificial
intelligence (AI) should improve efficiency and shrink
timescales.

However, delivering true customer centricity is not possible
without operational resilience. A culture of poor operational
resilience will ultimately translate into poor support for
customers. For example, customer-centric improvements to
the mortgage process could reduce approvals from days to
hours, but a cyberattack on the technology estate could
wreck thousands of transactions if operational resilience
impact tolerances are wide – and this would translate into
unhappy customers and potential reputational damage.
True operational resilience, on the other hand, delivers true
customer centricity by ensuring that no matter what
happens, the firm can deliver. Given the growing importance
of environmental, social and governance (ESG), it is likely
that the ability to have operational resilience will soon be
perceived as an important ethical commitment by
customers and shareholders.

7. Operational resilience ensures firms survive today’s uncertainty and thrive tomorrow

At the heart of the operational resilience program is a desire
to ensure the safety and soundness of the financial market
for the benefit of both customers and the firms themselves.
Just think of the events of the past few years – a pandemic,
European conflict, increased cyberattacks, and growing
economic uncertainty – and the impact that they have had
on financial firms and their customers.

So, regulators are making it very clear that they have
substantial expectations of firms around operational
resilience – they know there is a lot riding on getting this
right. It is a topic that will continue to receive considerable
supervisory scrutiny. Firms without adequate operational
resilience, who suffer negative events, can be certain that
they will be made examples of by regulators and in the
media.

On the other hand, organizations that deliver operational
resilience effectively have an opportunity to outperform
competitors, support customers and be seen to deliver on
ethical commitments. Also, true operational resilience has
the potential to nurture the strong relationships across
internal and external networks that enable firms to
collaborate better, to evolve and thrive.

In summary, financial services firms who place true operational resilience at the
heart of their organizational strategy will have:
• More robust digital transformation outcomes, driven by improved processes
• Better operational information to support decision-making and predict impacts to customers
• Stronger relationships with customers, built on true customer centricity
• More collaborative teams, breaking down silos
• Greater ability to achieve organizational goals, thanks to minimized disruption

For financial services firms that choose to embrace operational resilience in a more holistic way, the benefits will far exceed
what would be achieved through simple compliance.

When operational resilience forms the bedrock of an organization’s products, processes, and relationships, it positions that
organization to thrive in uncertainty – perhaps the ultimate competitive advantage.

For more information, visit: www.servicenow.com/risk

© 2022 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, Now Platform, and other ServiceNow marks are trademarks
and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos
may be trademarks of the respective companies with which they are associated.
SN-WhitePaper-Operational-Resilience-November-2022