Over the last few years the sector has seen more cyber-attacks and firms are increasingly reliant on technology and automation. To respond, financial sector regulators are bringing their focus on operational resilience up to that of financial resilience. This new regime is currently in consultation and will look at firms’ ability to withstand and recover from disruption.
Not the same as traditional business continuity and risk management
Today’s business continuity plans are typically siloed by function. Risk management focusses on identifying potential threats, and reducing their likelihood and impact. Both of these are important, but the new operational resilience requirements are likely to be more demanding:
- Assume key disruptions will happen
- Minimise recovery time from an end-to-end business service perspective, including third parties involved in that service
- Set impact tolerance parameters; Boards will be expected to take the lead on operational governance
Successful implementation of this new regime will require firms to set a clear operational resilience vision and strategy, and will need clarity of planning and reporting. Achieving regulatory compliance in future will be obligatory, but firms should exploit the business advantages that a strong operational resilience can bring.
But we work in a complex ecosystem
Most firms work in a complex ecosystem with reinsurers, primary carriers, capital providers, third party administrators and technology providers, branches and offshore subsidiaries, brokers and distribution partners. As with conduct regulation, regulated entities will be responsible for their end-to-end operational resilience, no matter who performs the activity. This will require more joining up through the value chain on aspects such as:
- Clear and cohesive Board reporting on operational resilience across the various disciplines
- Common regime of business services, processes and impact tolerances
- Increased reliance on others’ operational resilience, with clear and agreed failover plans when a disruption event occurs
- Potentially increased use of cloud processing and storage to underpin the robustness and resilience of interfaces between organisations
Getting this right for your firm may mean considering a different operating model approach, including consolidating third party activities with fewer, more resilient partners or reconsidering which activities you can reliably outsource. Operational resilience brings with it the impetus to eliminate those problem areas in your value chain and strengthen your firm for the longer term.
As always, implementation is not easy
The banking sector is ahead of insurance in preparing for this new regime and there are already some key learnings insurance firms can benefit from. Although a standard approach to the topic is still emerging, we are seeing some common implementation challenges. It is crucial to define a good business service architecture, and using a pilot approach by business service helps to refine the development of a holistic operational resilience regime. The ultimate goal is to ensure that a resilient approach to operations becomes part of your organisational DNA.
The key first step
Each firm is different and will have a unique starting point. To ensure a powerful implementation, and to get prepared for the start of this new regime, the first key step is to perform a high-level framework assessment. This will look at your current business continuity, recovery and risk regimes and compare those to the principles of the operational resilience regulation. From here, you will have a much clearer perspective on which elements of your organisation and operating model you will need to address.
Authors - David Miller, Partner, Insurance Risk and Regulation, KPMG in the UK and Lulu O’Leary, Partner, Insurance Operations, KPMG in the UK