With the end of March fast approaching, firms subject to the new FCA rules on operational resilience have only two months left to become compliant.
Organisations are busily signing off their impact tolerances, running scenario tests, updating communication plans and writing up their self-assessment documentation. As with many regulatory changes, hard deadlines demand action, and firms have stood up project teams, brought in external expertise and re-prioritised work to meet the deadline.
The drive to hit the deadline is understandable, but it will be important to ensure you are set up to succeed beyond 31st March. The FCA is clear that it wants firms to embed operational resilience thinking into all aspects of their business. The regulations themselves are explicit about the requirement to revalidate and sign off the key decisions about Important Business Services and their Impact Tolerances, at the very least annually. The mappings are likely to change more frequently, especially for firms that have adopted micro-services architectures and are moving to continuous deployment of core business platforms. The challenge is significant: project teams will be disbanded, and the all-encompassing nature of operational resilience makes it hard to find a single home for it in an organisation structure.
To succeed beyond 31st March and embed operational resilience, firms need to ensure that they can easily update their operational resilience assessment for three key scenarios:
- When the implementation of a business service changes (maybe a change in supplier, automation of a process, …), how is this recorded so that the operational resilience implications can be understood?
- New propositions and service enhancements regularly introduce new business services for customers. How are these identified and considered against the criteria for being “Important” under the regulations?
- As customer needs and preferences change over time, the volumes of service requests will vary, e.g., as customers move from debit card payments to direct payment via open banking. How do volumes feed into the annual consideration of which services are important?
To complicate the analysis, most Important Business Services will depend on several other business services. Changes to the dependencies will need to be fed back into consideration of the Important Business Service itself.
The Business Services that the regulators are interested in will be at the heart of any logical model of a business. So, can such a model help with the nitty-gritty of proving your operational resilience? Perhaps unsurprisingly, Altus Consulting argue that yes, a logical model of the business provides the critical structure to allow operational resilience thinking to be clearly documented and, crucially, easily maintained going forward.
With a comprehensive model of all the services (capabilities) performed by a firm, implementation changes can be reflected at the level of the specific granular business service concerned. This is easy for the team making the change (who know what they’re working on), and easy to check/require as part of change control processes. If the model of the business is maintained in a suitable tool, such as PEAK, that tool can work out which (if any) important services are impacted, who needs to be concerned, etc.
Similarly, starting with a comprehensive model makes it easy to add new services. The entities those services relate to will already exist, and the business will have more experience of adding them. Most firms have fewer than ten “Important” business services; if you only document those, it’s likely to be a much bigger struggle to document a new one when it finally launches.
Lastly, a flexible tool will allow metrics to be imported. Allowing metrics about service usage to be visualised as a heatmap across the full range of the business will ensure that newly popular services are highlighted for consideration as to their “Importance” (capital I), not just an annual re-review of the set that firms originally started with.
If you are interested in using PEAK to document and understand your operational resilience assessments, please get in touch for an informal chat.