Resilience and readiness
Operational resilience remains a key challenge for many organisations in 2019. Although much effort will be spent on preventing disruptions, there will be many tough and searching reviews of ‘what went wrong’ in the wake of major incidents. The real challenge, though, will be for companies to demonstrate that their resilience is constant and supple – not only that they have in place the capacity to respond and recover, but that this capacity is in match-fit condition at all times.
The external environment is only going to get more hostile. The FCA’s recent report on cyber and technology resilience in the financial services sector showed that cyber attacks accounted for 18% of operational incidents reported to the FCA between October 2017 and September 2018. The number of reported outages increased by 138%.
Regulators will demand to see evidence of resilience capacity. As the Bank of England’s 2018 discussion paper stated:
“The operational resilience of firms and financial market infrastructures is a priority for the supervisory authorities and is viewed as no less important than financial resilience.”
From our perspective, we are seeing that some boards are demanding to see this evidence. The FCA’s report found that nearly 80% of respondents admitted that they struggled to maintain a view of the information that they – or their third parties – held.
One way in which board-level interest is being reflected is in the influence of internal audit. In the past, it was viewed as dull but necessary; today, especially in regulated organisations, such audits can carry considerable authority and provide a currency for change in areas that are deemed to be potential points of failure.
Greater levels of risk management surrounding suppliers and third parties are being enacted. A new supplier is not just being assessed as a provider of resources or technology or business process but is kept under constant analysis in the context of the whole supply chain. Due diligence is no longer a one-off process; the performance and capability of third-party suppliers are being constantly monitored. The era of checking once that a supplier passed muster and then leaving them alone ‘to do their job’ is over. In the truly resilient organisation, suppliers are being assessed at least annually – and it is not just a tick-box review, as the evidence requirements can be quite invasive.
This ongoing need for assurance surrounding the risks of cyber security, information leakage, and incidents that could give rise to outages means that online risk dashboards are becoming must-haves. It’s not going to be enough to have an annual review and a set of documents collecting dust in a corner: risk is real-time – and so is resilience.
We’re being asked more often by clients about how we can provide this assurance of ongoing resilience. It is about more than backup procedures and capability: it is about enabling highly regulated companies to rapidly recover from and respond to damaging situations of many different types. In today’s environment, suppliers must be more than an insurance policy – invisible until needed – and instead act as a frontline soldier in the battle to stay resilient.