Ten ways to enhance firmwide resilience

COVID-19 is reminding us all of the need for enterprise resilience against a range of potential disruptors. Here’s what financial services firms can do now to respond and prepare.

Enterprise resiliency has shot up the financial services board agendas over the past few years, but rarely has it been as critical as it is now. The global outbreak of the coronavirus pandemic, and its growing impact on the global economy, has reminded boards of the need to be prepared for the unexpected.  Right now, boards of directors and senior management are heavily focused on reducing the probability and impact of disruptions to business, as well as on how to deliver services continuously when interruptions occur. They also want to know that their firms foster a learning culture, such that resiliency plans are continually optimized against the evolving nature of the risks. Regulators have also stepped up their focus on resilience and firms’ ability to deliver uninterrupted business services because customers demand this level of service convenience.

Achieving greater resilience is complicated. It requires many groups across each firm — most with differing priorities and disparate reporting lines — to operate differently and more cohesively than in the past, and to do so in a more prioritized, integrated and coordinated manner. Firms’ complex legal entity structures, operating model and technology environment can exacerbate this challenge.

Leveraged from dialogue with industry participants, we point to 10 important ways financial services firms can enhance firmwide resilience in an efficient, effective and urgent manner:

2.   Adopt a common resiliency language

Firms have invested much time over the past decade working toward building a common firmwide language or taxonomy. As of yet, few have achieved that fully. Most have sets of taxonomies, each one developed for a specific use case in mind: one for periodic risk-and-control-self-assessment (RCSA) processes, one for operational risk, one for RRP, one for third parties and so on. A common challenge in developing a firmwide taxonomy is embedding business ownership. Too often, taxonomy efforts are viewed as being performed to the first line, rather than by the first line; the first line views these as efforts control groups have to complete to conduct their work and complain they are written in control-speak. Few first-line leaders view such taxonomies as necessary to deliver operational resilience or as being written in a way the first line would describe what it does and how it operates.

3.   Identify and manage dependencies, and single points of failure and concentration inside and outside the firm

Mapping only gets you so far. It’s not simply about understanding how the process or data flows, but as important about identifying key choke points or areas of concentration (e.g., a firm’s key operations or locations). These could include IT or processes that support one or more critical steps to deliver a service, a key upstream or downstream dependency (i.e., something before or after the specific process without which the service is interrupted) and even key subject-matter experts.

4.   Establish a firmwide resilience strategy and operating model

Increasingly, firms have recognized that their continuity and resilience activities are disparate and unconnected. They often have countless activities across business continuity, disaster recovery, cyber-incident response and crisis management. Often, myriad crisis and contingency plans exist across lines of business, technology, human resources and other areas. Few plans are connected or consistently applied; few plans have common or consistent triggers for escalation and decision-making; and few companies have properly prepared their senior executives and/or boards for actual crises. The result is often ineffective, erroneous or slow decision-making in times of stress.

5.   Promote prevention

While the focus has quickly turned to response and recovery, there still needs to be a strong focus on prevention to reduce the probability that disruptions occur and their potential impact. Strategies here include:

• Segmenting critical systems, including networks and systems, and limiting points of attack and entry
• Hardening access rights by reassessing access privileges, e.g., when individuals change roles, including those of third parties (especially client-hosted platforms)
• Addressing IT obsolescence to reduce dependency on redundant systems and validating that IT obsolescence does not create critical-process vulnerabilities
• Managing change effectively to reduce the likelihood that a poorly executed, a badly controlled, or an ill-timed IT or process change triggers a disruption
• Implementing resilience by design — versus resilience by remediation — to enable resilience principles to be adhered to from the outset of designing new systems or processes

9.   Stimulate leaders’ muscle memory through simulation

Firms are stepping up the degree to which they use tabletop exercises or simulations to build experience — or muscle memory — among senior executives and board members, across business lines and ahead of real events or crises. Traditionally, such efforts have been focused on middle management, those who will manage incidents or crises day to day. But, increasingly, firms are realizing the scale, frequency and potential impact of disruptions necessitate an additional focus on crisis-induced decision-making at the top of the house — after all, in extreme crises, boards and senior management need to know their role in decision-making and be used to acting in crisis, regardless of the trigger or type of event. A calm and decisive tone from the top during a crisis instills confidence in all stakeholders and players.

10.   Promote a learning, resilient culture

In the end, resilience is about having the organizational discipline and nimbleness to develop — and constantly enhance — the firm’s plans and capabilities to deliver services continuously. This requires a culture that is open to learning from past mistakes and events — those of the firm and its peers — and that promotes timely and effective remedial and enhancement activities. This focuses attention on changing human behaviors — making employees appreciate their important role because resilience is very much in their hands. It is not someone else’s job. If successful, this creates the necessary conditions for a resilient culture.