Protiviti Unveils Critical Role in Industry’s Effort to Create an Operational Resilience Framework
After nearly six months of behind-the-scenes engagement with major financial services firms, global regulators and industry trade groups, Protiviti has unveiled its critical role in the financial services industry’s effort to create a global framework around operational resilience.
During a panel discussion at the 46th annual SIFMA Operations Conference & Exhibition in Boca Raton, Fla., Protiviti’s top consultants and experts on operational resilience announced that the firm is collaborating with key stakeholders on the first comprehensive global industry response to the July 2018 discussion paper on operational resilience issued by the Bank of England, the Prudential Regulation Authority and the Financial Conduct Authority.
This industry response will be presented in a major white paper slated for release in the next few months, according to Ron Lefferts, managing director, global leader of Protiviti Technology Consulting.
Lefferts said Protiviti is facilitating the development of the white paper, which consolidates the industry’s viewpoints on operational resilience and provides crucial guidance on how firms can build a firmwide operational resilience culture in today’s dynamic landscape. An evolving concept, operational resilience represents an organization’s ability to detect, prevent, respond to and recover from operational and technological failures that may impact delivery of critical business and economic functions or underlying business services. The need for financial institutions and financial market infrastructures (FMIs) to develop and improve response capabilities against such disruptions has never been more critical than in the current environment of hostile cyber attacks and large-scale technological changes.
Currently, financial services firms are subject to at least 60 different regulations that relate to operational resilience. Lefferts said Protiviti is leveraging its knowledge of these regulations and industry practices to help develop industrywide best practices for implementing a resilience program, with a focus on governance and alignment with foundational elements – business, cyber, third-party and technology.
Andrew Retrum, managing director, global operational resilience leader, Protiviti Technology Consulting, said the proposed industry-led framework is designed to be collaborative in nature as it requires substantial coordination – internally and externally at the firm level, and in cooperation with associations and regulators – to respond to an extreme but plausible event successfully. Retrum said the industry recognizes the need for global harmonization and, as such, strongly advocates for the establishment of a common lexicon that financial firms and regulators can adopt to facilitate discussions on the topic of operational resilience.
According to Retrum, the proposed industry taxonomy would include definitions for key terms such as “critical business services,” which are services that have been identified through separate regulatory obligations or meet certain established criteria that demonstrate a broader economic importance beyond a firm.
The white paper also provides guidance on how firms can assess impact tolerance and economic impact, said Douglas Wilbert, managing director, U.S. operational resilience leader, Protiviti Risk & Compliance. Impact tolerance describes a firm’s ability to withstand a resilience event and continue to provide critical business services. The practices around establishing impact tolerance are different from other traditional and tactical measures such as system uptime and recovery time objectives (RTO).
The proper way to measure economic impact is also evolving. Wilbert said previous approaches have looked at this issue solely from the perspective of a cost to a firm due to an outage. However, going forward, there is a clear need for firms to have a comprehensive understanding of processes, systems and data flows to be able to assess economic impact effectively.
Jordan Moss, manager, operational resilience SME, Protiviti Technology Consulting, said establishing proper governance functions is another key focus of the industry effort and the white paper. It is critical that firms create governance structures around existing processes that are supported with the appropriate tone from the top, Moss said.
In the coming months, Protiviti will engage with industry players on resilience scenario testing exercises to simulate “extreme but plausible” events that can impact critical business services of firms. The results of the exercises and the continued discussions around the white paper will drive the next phase of this collaborative effort to help firms enhance operational resilience.