‘Operational Resilience’ is the subject of an important new Discussion Paper (DP1/18) issued by the Bank of England and Financial Conduct Authority, but which has important implications for treasurers of all types of businesses that are subject to, and need to manage, operational risk. Some background and guidance is set out below.
Over the years since the financial crisis, a number of high-profile operational failures and cyber-attacks have led the Bank to believe that firms were operationally under-prepared for scenarios that could affect their ability to deliver vital business services. The authorities are concerned that operational risks could threaten not just banks and their customers, but the very financial stability of the UK. As a result, they are seeking to lay out an approach that will make firms more resilient.
Central to the concept is the overall resiliency of end-to-end business services, rather than just individual processes and hardware in isolation, helping to ensure that the most important services are the most resilient. It is also important to assume that no matter how strong operational risk is, failures will occur and plan accordingly. This goes beyond traditional business continuity planning, and is about continuing to deliver a business service throughout an extended interruption coming from any source.
Corporates are exposed to many of the same risks as banks, such as cyber-attacks, technology outages, supplier failures and financial failures. There are also a number of risks arising from third-party outsourcing of critical IT services and cloud computing. Companies are therefore coming under increased scrutiny from customers and suppliers and there are valuable lessons to be learned from what banks have being doing in recent years to improve their resilience.
The focus on ‘Operational Resilience’ presents a new way of looking at how operational risks are managed:
- Thinking about the business services that need to be resilient rather that individual systems or processes;
- Doing more than just trying to stop disruptions happening – assume that disruption will happen and what the response will be;
- Considering the impact of disruption that companies are prepared to tolerate when business services are interrupted, particularly in terms of harm done to customers, suppliers and other stakeholders, and using this to shape recovery (e.g. alternative delivery channels);
- Mapping the most important business services to supporting operational dependencies (e.g. IT, suppliers, staff and locations);
- Developing a stakeholder communications plan to accompany response and recovery plan (e.g. customers, suppliers, the media, investors and regulators), so that the broader impact can be managed.
Further lessons from recovery planning undertaken by financial institutions will also help companies be more financially resilient:
- Contingency Funding Plans (CFPs) and Recovery Plans to help generate capital and liquidity in a crisis – developing options for where it can be raised and planning the steps needed to do so to operationalise the implementation if it is ever needed;
- Holding sufficient liquidity reserves stressed against contractual outflows and a disruption to funding lines and inflows;
- A business that is more resilient in a variety of stresses may benefit from increased orders, improved cost of funding and credit ratings.
What does this mean for treasurers?
- The Treasury department is typically responsible for a wide range of activities, from ensuring sufficient liquidity, to debt issuance and group settlement, which can all be threatened by operational issues.
- Treasuries are often dependent upon key systems – bank systems, the TMS or online dealing and settlement systems. It is important to build an impact tolerance for operating without them and a realistic plan if the system cannot be recovered in that time.
- The issues that apply to the Treasury will likely apply elsewhere in the organisation – resilience and recoverability is therefore crucial.
- Ensuring financial resilience through severe disruptions by developing a contingency funding plan (CFP) and Recovery Plan is important.
- Has your organisation identified its most important business lines, processes and support?
- Are your impact tolerance levels for business interruption clearly defined by your business model and risk appetite?
- How long can your treasury survive without key systems and what is in place if they fail?
- How reliant is your organisation on outsourcers? What would occur if they failed and what is the back-up plan?
- Do buyers take into sufficient account the operational and financial resilience of their suppliers?
- How does the Board and senior management gain assurance over their own operational resilience?
- Have technical innovations opened up new threats that your treasury or wider organisation has not dealt with?
- What additional benefits could arise from investing money in operational resiliency?
- Do you have a plan for maintaining financial resilience should the need arise?
Henry Basing, Senior Manager – Audit and Risk Advisory, Deloitte
Neil Bourke, Director -Audit and Risk Advisory, Deloitte.