“Operational resiliency” is one of those phrases in corporate compliance and risk management that, let’s be honest, sounds boring as hell when you first hear it.
Like so much else in this field, however, it’s not boring once you consider what operational resiliency actually means — which is exactly what several dozen compliance professionals did at Fordham Law School last week during a panel session about operational resilience. There was lots to unpack in that subject, and the points raised apply well beyond the financial sector. So let’s take a look.
First we need to clarify the term itself. At its simplest, operational resiliency is a company’s ability to respond to, and recover from, operational disruption. As one panelist put it, resiliency is your ability to “keep calm and carry on.”
Carry on with what, exactly? With providing services to your customers.
That answer may sound flippant. Actually it’s not. It’s a great framing mechanism to help compliance and risk officers understand what they need to do to support operational resilience, because providing services to your customers is the objective. Everything else flows from that point.
For example, the crowd at the Fordham discussion were mostly banking industry people. Think about how complicated that sector is, with so many niche players providing niche services to other parties, in one gigantic chain we call “financial services.” Each link of that chain needs a clear sense of what its mission-critical services to its customers are, and under what circumstances the firm might fail to deliver those services.
Now think about how complicated each player in the banking system is unto itself: all the third parties it uses, all the technology systems it runs, all the financial risks it assumes. How could any of those things somehow disrupt the firm’s ability to provide services to its customers? That’s the critical question for assessing operational risk — and operational risk is what a firm needs to understand, so it can build controls to keep those risks in check. Those controls allow a firm to keep providing services to customers.
Which is otherwise known as operational resiliency.
All About Technology
When you consider operational resilience that way, then of course technology becomes the primary cause of concern. Tech is now how we provide services; it’s the set of tools we use to create value for customers, and then transfer that value to them in exchange for money. Any disruption to technology is a disruption to operations — so by definition, managing IT risk is crucial to operational resilience.
Sure, cybersecurity is a big part of that IT risk. Hackers might penetrate your network and start fiddling with important applications, perhaps disabling communications or erasing valuable data. That’s what happened to Sony in 2014 when North Korea was upset about its release of that Seth Rogen film The Interview.
Then again, cybersecurity is only one part of IT risk — and perhaps not the biggest part. Consider an airline trying to upgrade its ticket reservation system and the whole thing crashes, leaving millions of passengers unable to fly. Or imagine a group of banks that rely on one common messaging platform to conduct trades and that platform crashes, leaving bankers unable to execute deals.
That’s operational disruption due to IT risk, but cybersecurity might have nothing to do with those failures. Instead, the questions are about IT governance: the design of systems, controls for maintenance and upgrades, and so forth. You might have one costly ERP system that exists as its own complicated, closed world (the airline); or you might have a cheaper, more agile collection of cloud-based services that can bring more potential points of failure (the banks).
Which one is right for your firm? How do you control the risks each one brings? Answering those questions correctly is a huge part of operational resiliency.
I would even go so far as to say data breaches, as irritating as they are, are generally not a threat to operational resiliency — because they don’t disrupt your ability to provide services to customers. Will those breaches cost a fortune to fix, and drive the C-suite nuts? Absolutely. But most breaches are thefts of personal data, that hackers resell on the dark web somewhere. Your business operations, meanwhile, can soldier on as usual.
(This does, however, mean that ransomware is a threat to operational resilience, because it does disrupt your ability to serve customers. So if you want one example of cybersecurity that threatens resilience, cite that one.)
Where Compliance Meets Operational Resiliency
By now many of you may be thinking: yes, I get what operational resilience is and how much IT risk is bundled into that idea — so where do I, the compliance officer, fit into this problem? That got a lot of discussion at the Fordham forum too.
Clearly lots of the work for operational resilience doesn’t belong with the compliance function. CCOs can’t design IT systems, or audit security protocols, or assess and monitor the risks of ERP upgrades. Those duties belong with a firm’s CISO and audit function.
Meanwhile, especially for financial firms, many other operational risks are lurking about that CCOs can’t quite address either. For example, your firm might see a spike in trading volume that crashes a transaction-processing system, or pushes liquidity positions to a level that requires some new regulatory filing. What is the CCO’s duty to oversee something like that?
All of these things do touch the compliance function, but only at the periphery. They need to work well, especially if regulators show up looking for documentation of a firm’s operational resilience — and documentation that your firm meets regulatory expectations very much is something compliance officers do. But building those policies, procedures, and controls to assure operational resilience isn’t. So who does what?
It’s a difficult, ambiguous question. At Fordham, numerous panelists and speakers said merging compliance and risk management might be the best answer. Today that’s a very valid idea for financial firms, and we do see examples of compliance reporting into a chief risk officer. The idea isn’t quite there yet with other sectors, but don’t be surprised if it gains traction soon enough.
However we answer that question of who manages it, “it” will involve lots of evaluating third parties that provide IT services to you, assuring employees obey policies and procedures relating to IT governance, monitoring the flow of transactions through your systems, training employees to be aware of cybersecurity risks, and testing controls to be sure they’re designed smartly and working well.
Compliance is going to be in that mix somewhere.