6 minute read 26 Oct 2018

Ten ways to enhance firmwide resilience

Authors

Cindy Doe

EY Americas Advisory Risk Leader

Seasoned financial services professional. Resides in Massachusetts with her husband and three children.

Mark Watson

EY Americas FSO Board Matters Deputy Leader

Focused on helping financial services firms become resilient and well-governed. Passionate about sound public policy. Avid movie goer. Electronic dance music fan. Proud Anglo-American.


We identify 10 discrete actions firms can take immediately to better achieve operational resilience.

Resiliency and its impact on the enterprise have shot up the financial services board agendas over the past two years. Boards of directors and senior management are now heavily focused on reducing the probability and impact of disruptions to business, as well as on how to deliver services continuously when such interruptions occur. They also want to know that their firms foster a learning culture, such that resiliency plans are improved upon after near misses or actual incidents. Regulators have also stepped up their focus on resilience and firms’ ability to deliver uninterrupted business services because customers demand this level of service convenience.

Achieving greater resilience is complicated. It requires many groups across each firm — most with differing priorities and disparate reporting lines — to operate differently and more cohesively than in the past, and to do so in a more prioritized, integrated and coordinated manner. Firms’ complex legal entity structures, operating model and technology environment can exacerbate this challenge.

Drawing on dialogue with industry participants, we point to 10 important ways financial services firms can enhance firmwide resilience in an efficient, effective and urgent manner:

1. Focus on mapping and demonstrating end-to-end critical business services, beyond the firm’s borders

Too often, firms map their processes by function, which constrains resilience and promotes siloed thinking and solutions. Today, there is a need to understand and manage the entire process, starting with the business service being delivered to the customer or client, then mapping applications, middleware, infrastructure, people and processes — and data flows — that support each service. Such mapping extends outside the firm to include third or fourth parties that are needed to deliver each business service.

2. Adopt a common resiliency language

Firms have invested much time over the past decade working toward building a common firmwide language or taxonomy. As yet, few have achieved that fully. Most have several taxonomies, each developed with a specific use case in mind: one for periodic risk-and-control-self-assessment (RCSA) processes, one for operational risk, one for recovery and resolution planning (RRP), one for third parties and so on. A common challenge in developing a firmwide taxonomy is embedding business ownership. Too often, taxonomy efforts are viewed as being performed to the first line, rather than by the first line; the first line views these as efforts control groups have to complete to conduct their work and complains they are written in control-speak. Few first-line leaders view such taxonomies as necessary to deliver operational resilience or as being written in the way the first line would describe what it does and how it operates.

3. Identify and manage dependencies, and single points of failure and concentration inside and outside the firm

Mapping only gets you so far. It’s not simply about understanding how the process or data flows, but just as importantly about identifying key choke points or areas of concentration (e.g., a firm’s key operations or locations). These could include IT or processes that support one or more critical steps to deliver a service, a key upstream or downstream dependency (i.e., something before or after the specific process without which the service is interrupted) and even key subject-matter experts.

4. Establish a firmwide resilience strategy and operating model

Increasingly, firms have recognized that their continuity and resilience activities are disparate and unconnected. They often have countless activities across business continuity, disaster recovery, cyber-incident response and crisis management. Often, myriad crisis and contingency plans exist across lines of business, technology, human resources and other areas. Few plans are connected or consistently applied; few plans have common or consistent triggers for escalation and decision-making; and few companies have properly prepared their senior executives and/or boards for actual crises. The result is often ineffective, erroneous or slow decision-making in times of stress.

5. Promote prevention

While the focus has quickly turned to response and recovery, there still needs to be a strong focus on prevention to reduce the probability that disruptions occur and their potential impact. Strategies here include:

  • Segmenting critical systems, including networks and systems, and limiting points of attack and entry
  • Hardening access rights by reassessing access privileges, e.g., when individuals change roles, including those of third parties (especially on client-hosted platforms)
  • Addressing IT obsolescence to reduce dependency on outdated systems and validating that IT obsolescence does not create critical-process vulnerabilities
  • Managing change effectively to reduce the likelihood that a poorly executed, badly controlled or ill-timed IT or process change triggers a disruption
  • Implementing resilience by design — versus resilience by remediation — so that resilience principles are adhered to from the outset of designing new systems or processes

6. Establish a well-documented and well-tested resiliency strategy

Traditionally, the discussion about business continuity starts with a discussion regarding the robustness of the firm’s processes — or rather, a debate about whether a key process or piece of hardware or software will or will not fail. Today, firms are being asked by clients and regulators how they will continue to deliver a service assuming a system or process has failed — the exam question is no longer whether a disruption will occur, but rather, when it does, what next?

7. Validate that backup approaches are sustainable

Clients and regulators no longer want theoretical answers about resiliency capabilities — today, they want to know that firms have tested those processes for a period of time to determine whether continuous service delivery is possible, and at what point material degradation in service quality will occur. This means moving from discussions about recovery time objectives (RTOs) to recovery time realities.

8. Establish a robust firmwide testing strategy that drives action

There is now and will continue to be a heightened focus on testing in relation to resilience. Key questions follow: How well and frequently are critical processes and backups tested? How does the firm involve key third parties in the testing scenarios and tests? How frequently does the firm switch over production to alternative sites to test them in a live setting? Does the firm have enough trained staff to run backup operational processes?

9. Stimulate leaders’ muscle memory through simulation

Firms are stepping up the degree to which they use tabletop exercises or simulations to build experience — or muscle memory — among senior executives and board members, across business lines and ahead of real events or crises. Traditionally, such efforts have been focused on middle management, those who will manage incidents or crises day to day. But, increasingly, firms are realizing the scale, frequency and potential impact of disruptions necessitate an additional focus on crisis-induced decision-making at the top of the house — after all, in extreme crises, boards and senior management need to know their role in decision-making and be used to acting in crisis, regardless of the trigger or type of event. A calm and decisive tone from the top during a crisis instills confidence in all stakeholders and players.

10. Promote a learning, resilient culture

In the end, resilience is about having the organizational discipline and nimbleness to develop — and constantly enhance — the firm’s plans and capabilities to deliver services continuously. This requires a culture that is open to learning from past mistakes and events — those of the firm and its peers — and that promotes timely and effective remedial and enhancement activities. This focuses attention on changing human behaviors — making employees appreciate their important role because resilience is very much in their hands. It is not someone else’s job. If successful, this creates the necessary conditions for a resilient culture.

Summary

Delivering resilience is sound business sense. As firms transform themselves digitally from front to back office, and as they seek to deliver against the 24/7 promise to customers, achieving operational resilience is core to each firm’s — and industry’s — long-term success and competitiveness.

There may be a long journey ahead. But it’s a journey that could not be more important.
