By Shirley Beglinger, Advisory Board Member, Crescendo Advisors
In today's interconnected financial world,
"organisational resilience" must be taken to mean much more than just
"a fully tested disaster recovery plan". Regulators are requiring
boards to see beyond the walls of their own firm and identify its position in
the economic, IT and service-delivery ecosystem with an emphasis on important
services provided. This is a completely different perspective on risk. Boards and CROs need to reconsider many tried
and tested risk methodologies and metrics.
In reviewing the drivers of potential operational disruption,
the CRO may identify several which are difficult or expensive to address.
"Reliance on legacy infrastructure" for example will likely lead to a
lengthy boardroom discussion of the expense and dangers of IT integration
projects. Supply chains and data sharing quickly lead to the realisation that
even if the firm's own arrangements are top-notch, there are probably other
firms in its ecosystem that may not have the same level of preparedness.
Having identified potential sources of disruption,
the board must then quantify potential costs (internal and external), assess
the ability to recover from severe and plausible scenarios of operational
disruption, and compare these with the firm's stated tolerance for operational disruption.
Where necessary, remediation plans must be put in place.
While no board member wishes to explain to the
regulator why their firm was the first domino in the ecosystem to fall over,
such far-reaching change needs to be carefully managed. To implement these
requirements, firms will benefit from a pilot that enables them to develop an
understanding of the steps that would be required. This will be
less disruptive and more beneficial than a firm-wide initiative.
However, the need to scale up means that firms will
need to identify or acquire in-house "resilience capabilities". A key
aspect of the output from a successful pilot project would be to identify
exactly what capabilities are required and how they can best be embedded within
the firm's business.