Operational resilience: Start strong, reap sustainable benefits

Much has happened since December 2019, when the Financial Conduct Authority first began consulting on proposed changes to how firms approach operational resilience. Indeed, it could be said that the intervening period between the consultation and the resulting policy statement PS21/3 in March 2021 (alongside PS6/21, the policy statement from the PRA) was one of the most testing times for operational resilience that businesses have ever faced. We found ourselves on a countdown to 31 March 2022, when the final FCA rules came into force and a three-year transitional period commenced. With eyes now set on the March 2025 deadline, how can insurers ensure that they are not only well placed to meet regulatory obligations, but also ready to reap the potential rewards of what can also be a major growth driver for today’s global enterprises?

At EXL, we propose six almost sequential priorities that, if well addressed, will provide a sound basis for moving confidently towards demonstrable and sustainable operational resilience in time to meet the FCA’s deadlines—and beyond this, to a future state of embedded resilience across business-as-usual activities, finding wider synergies along the way.

Priority 1: Define and align

The starting point must be business-wide awareness of this critical, large-scale organisational undertaking’s significance. Strong management sponsorship and clarity are essential for ensuring that teams are informed, galvanised and ready to respond. With this in place, a fundamental question all firms need to be able to answer is, ‘what is the end state we’re aiming for?’. Regulation—quite rightly—is not necessarily prescriptive at a granular level. It is for firms themselves to interpret PS21/3 (and PS6/21 where applicable) as they see fit, and to determine and plan for the target end state accordingly. With this end state definition must come clear objectives to guide an enterprise-wide effort. Robust governance is a must; business leaders can and should continue to set the tone for their organisations and drive the programme forward with energy and ambition. Key to governance of such a critical initiative is a clear compliance framework that provides a structured set of guidelines for the task at hand. Done well, this lays the foundations for a holistic and collaborative effort that aligns with wider organisational priorities and strategic aims.

Priority 2: Categorise and clarify

With the end state defined and governance in place, the next priority is to clarify and categorise business services and, more importantly, to demonstrate the underlying methodologies for doing so. There will undoubtedly be variations across the insurance industry as to how firms categorise services. Some may take a granular view (for example, Claims FNOL vs. Claims). Some may differ in terms of whether internal processes like finance and payroll should be considered ‘business services’ in the context of PS21/3. The FCA is not advocating a specific right or wrong route here—rather, it expects firms to establish their own methodologies for defining and categorising ‘business services’ and ‘important business services’ and to be accountable for them. Given that firms are usually centred on business functions, lines of business and products, taking a ‘service-based’ approach will require a mindset change. The same applies to another key term, ‘intolerable harm’, in the context of effectively managing impact tolerance: firms must define what this would mean to their business and, critically, to their customers. Again, this is a new concept, one that should build upon current definitions of ‘inconvenience’ and ‘harm’ as defined under existing conduct risk frameworks. Both financial and non-financial harms should be considered for a comprehensive view.

With these terms clarified and services and activities categorised, businesses are then better equipped to gather and apply the right data to drive relevant processes.

"The best operational resilience programmes are designed with customers at their centre. For Hiscox, this means ‘thinking customer’ across all of our products and supporting services. With the help of EXL, we are leveraging operational resilience as an opportunity by being clear about what our customers need and working to identify and prevent problems before they happen."

Douglas Stewart,
Head of Governance and Controls, Hiscox UK

Priority 3: Embed excellence

Next, firms can turn their attention to mapping systems, suppliers and people, assessing critical resource vulnerabilities, building a scenario library and testing scenarios based on bespoke prioritisation criteria. A robust operating model will help the firm take these kinds of activities from regulation-specific project work to business-as-usual excellence. New processes will be needed to enable effective execution – for instance, a process to carry out a formal operational resilience impact assessment before undertaking any new business activity will ensure that resilience is embedded by design. Bear in mind the expectation from regulatory authorities that firms will take this opportunity to progressively build sophistication into their compliance activities as they progress from the interim deadline in 2022 to the final deadline in 2025, and beyond.

Priority 4: Review and refresh

One way to introduce this desired level of sophistication is to periodically review and refresh important business services, tolerances and mapping. This means that firms can, at any time, measure and demonstrate their ability to meet defined tolerances. Key to ensuring that operational resilience is maintained at optimal levels is clear ownership of roles with well-defined responsibilities. We believe that business service owners are usually best placed to hold overall accountability for the corresponding services, but we also see roles for resilience pillar owners (accountable for relevant systems and suppliers, etc.) and for operational resilience champions, which could be new or repurposed roles embedded in business teams to bridge the gap between regulatory objectives and business as usual.

Priority 5: Explore and exploit synergies

The very nature of today’s regulatory landscape means that at any one time, multiple regulatory priorities and practices are at play. We see this as an opportunity to explore potential synergies and to ensure that other regulatory responses are able to serve the wider drive for operational resilience wherever possible, and vice versa. For example, where there is enhanced product governance work underway in response to the FCA’s rules on fair pricing in insurance, this same work could prove useful in assessing impact tolerance variations per product. The same is true of work taking place around cyber security (or cyber resilience), third-party risk management and data protection; these factors have a clear bearing on operational resilience. An enhanced focus on delivering positive customer outcomes and avoiding foreseeable harms will form the core of work in response to the FCA’s upcoming Consumer Duty reform, which takes the TCF principle to a whole new level—clearly, the work of defining intolerable harm and setting impact tolerances will be leveraged to a great extent here. Other countries are also contemplating regulatory pronouncements around operational resilience – for instance, the Central Bank of Ireland recently published its Cross Industry Guidance on Operational Resilience.

To benefit from such synergies and to avoid silos or duplicated work, firms would do well to identify commonalities early on, then build them into the ongoing compliance framework. Consider areas such as mapping key customer outcomes against important business services, setting tolerances based on customer harm, embedding critical resource vulnerability assessments of systems and data as part of ongoing data/security activities, adding a resiliency layer to supplier assessments (again, there are synergies to explore with the PRA’s SS2/21 standard) and rethinking control and risk frameworks to take resiliency into account.

Priority 6: Harness data effectively

Finally, data should play a priority role in the operational resilience journey. At every step—from defining business services and setting tolerances to scenario testing and vulnerability assessments—data can help generate meaningful and actionable insights, leading to better decision-making. For example, insights around a critical yet legacy technology system could uncover weaknesses that point to an operational resilience weak spot, thus acting as a catalyst for a new and improved cloud migration strategy, or adding weight and urgency to prior plans for the same under a parallel transformation programme. The right management information data will also prove to be an asset in terms of demonstrating accountability and proving progress.

March 2022 may be behind us, but in truth, the FCA’s operational resilience directive marked just the beginning of essential work that goes far beyond the regulation agenda. If the past few years have proven anything, it is that no organisation can ever be 100% resilient in the face of the many unknowns that the future holds. But by prioritising and industrialising operational resilience as an embedded marker of excellence, organisations can not only safeguard performance and customer satisfaction, but also reap the benefits of good business, timely investment and an enterprise-wide pursuit of excellence.

Written by:

Prakhar Agrawal
Practice Director – GRC Consulting