The shift from reacting to disruptions to leading with resilience by design

Authored by: Adeline Cheng, Partner, Non-Financial Risk Lead

Co-contributed by:

  • Céleste Duke, GRC and Data Risk Lead
  • Claire Harper, Senior Consultant, Operational Risk and Resilience, Financial Services Risk Management
  • Gwendal Le Puil, Manager, Operational Risk and Resilience, Financial Services Risk Management
  • Padraic O Maille, Manager, Operational Risk and Resilience, Financial Services Risk Management
  • Srishti Gulati, Manager, Operational Risk and Resilience, Financial Services Risk Management

EY offers a three-step approach for financial institutions to enhance their resilience capabilities and meet regulatory requirements.


In brief

  • In recent years, the concept of ‘resilience’ has grown in prominence to become an international topic of focus: 76% of global CROs see operational resilience as an increasing priority over the next 3 years¹
  • In Canada, OSFI plans to release an updated draft of E-21 in Fall 2023, embedding operational resilience requirements within their existing operational risk management guideline
  • EY established a robust three-step approach to help organizations not only meet these upcoming compliance requirements, but to unlock additional value through the exploration of GRC/IRM tooling and strategic reporting opportunities
[1] 12th annual EY/IIF global bank risk management survey

In recent years, organizations have faced a series of disruptions: not only the global pandemic and its cascading impacts, but also high-profile data breaches, ransomware and cyberattacks, supply chain shocks, service outages and more. This, paired with increasing expectations from clients, the market and regulators, has led organizations globally to initiate transformations to protect their most critical operations from these potential disruptions.

More recently, regulators have amplified their focus on operational resilience as a part of an organization's risk framework. Financial regulatory bodies across the globe have witnessed how interconnected global financial ecosystems are and have taken steps to protect the integrity of these systems by issuing regulatory requirements that market participants must adhere to.

A strategic, enterprise-wide operational resilience framework will be critical to address new risks and compete in today's complex environment, prompting organizations worldwide to increase investments in resilience capabilities to manage disruptions. 

Resilience is one of the key defining characteristics of long-term success for banks and organizations globally. To deliver long-term value to their stakeholders, organizations must capture the potential offered by change, manage intensified risks from disruption and remain resilient across many complex dimensions.

What this means for Canadian federally regulated financial institutions:

In Canada, the Office of the Superintendent of Financial Institutions (OSFI), the federal regulator of Canadian financial institutions, is expected to publish a draft revised version of its existing E-21 operational risk guideline in Fall 2023, encompassing new requirements for operational resilience.

OSFI’s guidelines are principles based and outcomes focused. It is expected that OSFI’s stated outcomes will include the following:

  • Financial institutions should be able to identify and protect themselves from threats and potential failures, and to respond to, adapt to, recover from and learn from disruptive events, in order to protect the delivery of critical operations through disruption (Basel Committee on Banking Supervision (BCBS) principles for operational resilience).²
  • The board of directors should own and be accountable for operational resilience oversight.
  • Institutions should use both an internal and external-facing lens to consider the impact of an operational disruption on not only the organization itself, but its clients and other market participants.
  • Decisions should be made under the assumption that a disruption, including simultaneous disruptions, will occur.
  • Operational resilience should be linked to and embedded within other risk programs, such as third-party risk management and resolution planning.
  • Decision-making and oversight should be enabled by robust metrics and reporting.
[2] Principles for operational resilience (bis.org)

EY’s proven approach to achieve resilience

Financial institutions are taking steps to establish and embed resilience into their existing risk frameworks. The critical operations approach, as detailed below, is a systematic way to build and implement a balanced resilience program. By following three steps, financial institutions can enhance their resilience capabilities and meet regulatory requirements.

[Figure: operational resilience graphic]

What will be expected of you, now, next and beyond

All federally regulated financial institutions should be aware of the key elements and lifecycle stages of operational resilience. Depending on your organization’s complexity and maturity, you should be establishing or developing your foundational capabilities, conducting pilots and exploring emerging capabilities.

As organizations seek to implement these regulatory requirements, it is critical to coordinate efforts across business, operations, technology and risk functions and connect the dots between various risk frameworks (such as technology risk, data risk, third-party risk, etc.) with a view towards enterprise resilience. 

[Figure: operational resilience graphic two]

How we can support you throughout your operational resilience journey

At EY, we are prepared to meet you where you are today. Our solutions and offerings have been skillfully developed and will be tailored to your unique needs.

Governance and methodology – We support you in the design of a target operating model, establishing governance, ownership and accountability for resilience, and developing a tailored resilience methodology to guide you through regulatory requirements.

Current state assessment – We perform a current state maturity assessment and provide recommendations aligned with industry leading practices to help you meet regulatory expectations. 

Operational resilience training – A fundamental building block in establishing operational resilience is educating employees on operational resilience and aligning them on practical solutions to achieve it. Given the top-down approach required to enable a resilient organization, our training will enhance your organization’s understanding of the core concepts and fundamentals of operational resilience.

Critical operations lifecycle pilot – We guide you through an operational resilience journey — identifying critical operations, mapping, tolerances for disruption and scenario testing — focusing on knowledge transfer to avoid common implementation pitfalls.

Enterprise Resilience data strategy – We can help you transform your management and board reporting to respond to the question “Are we resilient?” and drive internal alignment on investments and strategic decision-making.

Technology enablement and support – We can help you evaluate, design and implement Governance, Risk and Compliance (GRC) or Integrated Risk Management (IRM) solutions to automate and optimize your enterprise resilience activities. Our approach to GRC/IRM technology enablement is based on extensive experience enabling GRC transformations and is focused on delivering value at every stage of the transformation. Whether you are looking to leverage existing technology or embark on a GRC/IRM transformation, we will be there to guide you every step of the way.

The advancement of GRC/IRM tools as an operational resilience enabler

The shift from managing risks in silos to managing risks through coordinated functions — supported by integrated and automated processes and consistent reporting to generate return on technology investment — is accelerating the advancement of GRC/IRM transformations.

In the context of operational resilience, these solutions can help you manage and mitigate risks, improve incident response and recovery, enhance business continuity planning, and much more. 

Key capabilities of GRC/IRM solutions include:

  • Risk prioritization – Define and prioritize operations with corresponding risks, controls and tolerances for disruption.
  • Continuous monitoring – Oversee risks, controls and issues in real time around the clock using existing operational data.
  • Scenario testing – Analyze the potential impact of disruptions on clients, employees, products and technology.
  • Scenario analysis – Conduct a range of disaster scenarios and test the steps your business can take to return to normal.
  • Service disruption management and recovery – Incident analysis, response and recovery decision support, and disruption incident trend monitoring.
  • Risk contextualization and dynamic reporting – Dashboard reporting that includes business context around risk and resilience, and progress tracking and insights reporting to exhibit your organization’s overall resilience.
  • Decision and workflow support – Real-time, multi-channel notifications and alerts, and data organization and automation.

Summary

Financial regulatory bodies across the globe have focused on operational resilience, prompting organizations to invest in resilience capabilities to manage disruptions. Regulators have issued guidelines for market participants to protect against potential disruptions. The Office of the Superintendent of Financial Institutions (OSFI) in Canada is expected to publish a revised version of their existing guideline to include operational resilience in 2023. EY offers a three-step approach to help financial institutions build and implement a balanced operational resilience program, which can be tailored to an organization’s unique needs. GRC/IRM technology is seen as an enabler for operational resilience.
