2. Adopt a common resiliency language
Firms have invested much time over the past decade working toward a common firmwide language or taxonomy. As of yet, few have achieved that fully. Most have sets of taxonomies, each one developed with a specific use case in mind: one for periodic risk-and-control self-assessment (RCSA) processes, one for operational risk, one for RRP, one for third parties and so on. A common challenge in developing a firmwide taxonomy is embedding business ownership. Too often, taxonomy efforts are viewed as being performed to the first line rather than by the first line; the first line sees them as exercises that control groups have to complete to do their own work, and complains that they are written in control-speak. Few first-line leaders view such taxonomies as necessary to deliver operational resilience, or as written in the way the first line itself would describe what it does and how it operates.
3. Identify and manage dependencies, and single points of failure and concentration inside and outside the firm
Mapping only gets you so far. It’s not simply about understanding how the process or data flows but, just as important, about identifying key choke points or areas of concentration (e.g., a firm’s key operations or locations). These could include IT or processes that support one or more critical steps in delivering a service, a key upstream or downstream dependency (i.e., something before or after the specific process without which the service is interrupted) and even key subject-matter experts.
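As an added illustration of the point above (not from the original article), the following script models a service dependency map with redundant alternatives and reports which nodes are single points of failure for a critical service, and which nodes are a concentration point because several critical services fail without them. The map, service names and the assumption that dependencies are acyclic are all constructed for this example.

```python
"""Single-point-of-failure and concentration analysis over a dependency map.

Constructed example data: each node lists its dependency groups; a group is a
tuple of alternatives, any one of which keeps the node operating (redundancy).
The graph is assumed to be acyclic.
"""

DEPENDENCIES = {
    "payments":       [("core-banking",), ("fraud-check",)],
    "wire-transfers": [("core-banking",), ("swift-gateway",)],
    "core-banking":   [("db-primary", "db-replica"), ("auth",)],
    "fraud-check":    [("auth",), ("ml-scoring", "rules-engine")],
    "swift-gateway":  [("auth",), ("hsm",)],
    "db-primary":     [("datacentre-a",)],
    "db-replica":     [("datacentre-b",)],
    "auth":           [("datacentre-a",)],   # no second location: hidden concentration
    "ml-scoring": [], "rules-engine": [], "hsm": [],
    "datacentre-a": [], "datacentre-b": [],
}
CRITICAL_SERVICES = ["payments", "wire-transfers"]


def deliverable(graph, node, removed):
    """True if `node` can operate while the nodes in `removed` are unavailable:
    the node itself is available and every dependency group has at least one
    deliverable alternative."""
    if node in removed:
        return False
    return all(any(deliverable(graph, alt, removed) for alt in group)
               for group in graph.get(node, []))


def single_points_of_failure(graph, service):
    """Nodes whose loss alone makes `service` undeliverable (sorted by name)."""
    if not deliverable(graph, service, set()):
        return []  # already broken; SPOF analysis is meaningless
    return sorted(n for n in graph
                  if n != service and not deliverable(graph, service, {n}))


def concentration_points(graph, services):
    """Map node -> number of critical services for which it is a SPOF,
    keeping only nodes shared by more than one service."""
    counts = {}
    for service in services:
        for node in single_points_of_failure(graph, service):
            counts[node] = counts.get(node, 0) + 1
    return {n: c for n, c in counts.items() if c > 1}


if __name__ == "__main__":
    for svc in CRITICAL_SERVICES:
        print(svc, "->", single_points_of_failure(DEPENDENCIES, svc))
    print("concentration:", concentration_points(DEPENDENCIES, CRITICAL_SERVICES))
```

Note that the database tier is redundant across two locations, yet the firm still depends entirely on datacentre-a because the authentication service has no alternative there; that is the kind of location-level concentration mapping alone does not reveal.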
4. Establish a firmwide resilience strategy and operating model
Increasingly, firms have recognized that their continuity and resilience activities are disparate and unconnected. They often have countless activities across business continuity, disaster recovery, cyber-incident response and crisis management. Often, myriad crisis and contingency plans exist across lines of business, technology, human resources and other areas. Few plans are connected or consistently applied; few plans have common or consistent triggers for escalation and decision-making; and few companies have properly prepared their senior executives and/or boards for actual crises. The result is often ineffective, erroneous or slow decision-making in times of stress.
5. Promote prevention
While the focus has quickly turned to response and recovery, there still needs to be a strong focus on prevention to reduce the probability that disruptions occur and their potential impact. Strategies here include:
- Segmenting critical networks and systems, and limiting points of attack and entry
- Hardening access rights by reassessing access privileges, e.g., when individuals change roles, including those of third parties (especially on client-hosted platforms)
- Addressing IT obsolescence to reduce dependency on obsolete systems and validating that IT obsolescence does not create critical-process vulnerabilities
- Managing change effectively to reduce the likelihood that a poorly executed, badly controlled or ill-timed IT or process change triggers a disruption
- Implementing resilience by design — versus resilience by remediation — to enable resilience principles to be adhered to from the outset of designing new systems or processes