Q: What can I do to manage vulnerabilities in my systems and achieve operational resilience?
A: Operational resilience can be defined as a company’s ability to prevent, respond to and recover from operational disruptions.
The concept has been in the regulator’s sights for some time but the pressure is growing – 2019 ended with joint consultation papers on operational resilience from the Financial Conduct Authority, Prudential Regulation Authority and Bank of England.
The FCA’s shift in focus requires companies to understand and manage both the threats to their business and the vulnerabilities that exist within it. They are also expected to invest in strategies to help them recover from significant unplanned disruptions, protecting their business, its customers and financial markets as a whole.
Operational system vulnerabilities are weaknesses that, if not identified and remediated, could be exploited by anyone inside or outside of your organisation.
As a business, you are likely to have many vulnerabilities, some of which you may not be aware of. It is therefore important that you take steps to identify these vulnerabilities and that controls are in place to minimise and mitigate their impact.
A review of your operating environment and important business services is an essential first step to identifying and assessing the threats, vulnerabilities and dependencies that could be present. This should involve mapping systems, people, processes, information assets and third-party service providers.
It is important that you highlight the key risk areas, in line with your company’s impact tolerances and broader operational risk framework.
Creating an operational resilience strategy will help manage any disruption to your key business services, ensuring they can be recovered within predefined impact-tolerance levels.
Be clear on who is responsible for operational resilience as a whole, and who is in charge of each process within it. Consider how you will communicate changes and the importance of operational resilience to embed it in your business and your culture.
Using various scenarios to test your company’s ability to effectively respond during an operational resilience event will help you assess the ongoing appropriateness of your controls and impact tolerances. This should help identify any further gaps and vulnerabilities that could affect the delivery of key business services.
Whatever the size of your company, you need to make sure operational resilience remains a continued priority, as it will be for the regulator in 2020.
Lorraine Mouat is an associate director at compliance consultant TCC