That’s gaining a lot of enthusiastic traction within our organisation. For us, it starts, how are we embedding it as part of the programme? That speaks to, of course, making sure at least that our policies and standards, our roles and responsibilities, are clearly articulated. This is where we’ve always been aware that TPRM is a team player. We sit in the middle of so many other parts of the organisation. Whether TPRM as an organisation sits in risk or not, it has lots of tentacles into the risk organisation.
For us now, it’s a mapping exercise, so it’s understanding every part of that programme, every part of this interagency guidance, and understanding who those key players are and creating a playbook. We’ve still got to establish that a little bit further in terms of ensuring from those playbooks and those key stakeholders, understanding how they interact when there’s an event, whether it’s an incident, who comes to the table, what did they do, how was that documented? What do we need to go back and look at?
The one area that we’re hearing here is resiliency. We saw resiliency as a key, almost defined approach, where we’ve talked about this guidance being quite broad, and not really having many definitions. Resiliency comes up an awful lot. How we interact with our resiliency teams and how we build those into our playbook and how we understand that as we think about our third parties, we think about our software, we think about how that software is hosted, our incidents, is going to be absolutely key.
Right now, at this point, how are we embedding it at the moment? It’s going to be through documentation. It’s going to be through those playbooks, and there’s going to be probably at least a year or so of those playbooks being remapped after every incident and event to ensure that we did have the right stakeholders at the party to address whatever the concerns are that came out. But the key thing for us that we took away from this is that we have a bigger presence within the resiliency team for opportunity to provide feedback and to gain information from them as to how they’re going to work through an event, whether it’s a long-term event or a short-term event, a disruption to service, or how do we get out of something if the need arises?