In December 2019, The Bank of England, together with the FCA & PRA published consultation papers and a policy summary on the issue of Operational Resilience. The ethos of the papers appears to encourage considering a proactive approach to this issue rather than just reacting directly in response to a disruptive incident. Clearly both approaches are important.
In summary, the proposals mean that, firms and Financial Market Infrastructures (FMIs), are responsible for ensuring their operations, including outsourced services, are resistant to disruption. This includes ensuring the necessary investments and adjustments are made throughout the company (and its supply chain) to ensure that important business services can continue to be delivered in the event of an incident.
There is definitely an intensified focus on outsourced services, particularly in ensuring that through outsourcing any parts of operations there is no internal dilution of the internal skills and knowledge required if the operations were still run internally. It’s a bit like delegation – by delegating you don’t lose overall responsibility for the task – outsourcing should be treated the same way. Clearly choosing outsourcers with best of breed, automated systems, implemented within your organisations is a win, as accurate automation undoubtedly removes the chance of human error causing an issue.
Unfortunately, human error is one of the most significant and likely contributors to operational failure. The breadth of causes of human error – from lack of attention to detail to inadequate training, to use two examples, is immense. Given the ever increasing complexity of enterprise landscapes, the points at which failure is liable to occur will only multiply, and automation of human touchpoints will reduce operational risk overall.
The regulators’ requirements for the setting of impact tolerances is something ideally placed for the introduction of automated processes. When disruption occurs and the tolerances are close to being breached, an issue can be identified and addressed by an automated process far quicker than by a human. Stress and uncertainty can be reduced with the knowledge that, once a firm is made aware of an issue, mitigating steps have already been taken. There is probably an angle for the use of AI in much of this process, albeit this may be some time off.
Automated processes should become a standard of business operations and will assist with Operational Resilience requirements. Whether considering internal enhancements, new software or outsourcing to providers with automated capabilities (often achieved by integrated workflow), it should become the norm to consider Operational Resilience policy and its likely requirements for the business in the future.