How centralising risk management can improve resilience

With the threat of cyber attack ever on the hori­zon, both the Euro­pean Commission’s ‘Dig­i­tal Oper­a­tional Resilience Act’ (Dora) and the Finan­cial Con­duct Authority’s Oper­a­tional Resilience reg­u­la­tions have been imple­ment­ed to ensure all finan­cial ser­vices com­pa­nies adhere to a com­mon set of stan­dards around cyber­se­cu­ri­ty and oper­a­tional resilience. The first major insti­tu­tion­al frame­work for ensur­ing oper­a­tional resilience, it is fun­da­men­tal­ly chang­ing the ways in which com­pa­nies man­age risk.

“You need to have a wider enter­prise inte­grat­ed risk man­age­ment solu­tion to cater for the require­ment. Because what you gen­er­al­ly find is that these solu­tions get built up in their siloes. With some­thing like the Archer plat­form,” says Chris Mann direc­tor for Archer Euro­pean busi­ness, “you’re able to achieve con­trol har­mon­i­sa­tion.” With uni­form reg­u­la­tion in place, com­pa­nies can look across their busi­ness units and cen­tralise risk and resilience strate­gies to ensure no gaps are left in the cor­po­rate defences.

But in the 10 years or so that oper­a­tional resilience has become a key cor­po­rate need, own­er­ship of it has sat with­in indi­vid­ual teams. Finance, say, looked after its own resilience strat­e­gy while dig­i­tal did so as well. Now, the shift to cen­tral­i­sa­tion is see­ing organ­i­sa­tions put the reins in the hands of a sin­gle leader with­in the com­pa­ny, says Mann. “It’s start­ing to become the bridge to all of these dif­fer­ent siloes,” he adds.

That’s been the case for glob­al wealth man­age­ment plat­form FNZ, which has built a cul­ture of risk man­age­ment that uses a strong frame­work for risk man­age­ment that links to its oper­a­tional resilience strat­e­gy.

It has deployed Archer’s Oper­a­tional Resilience tool, which enables teams across the organ­i­sa­tion to oper­ate with­in the same frame­work and stan­dard for risk man­age­ment. The sys­tem is con­fig­ured to allow teams to use the same syn­tax across the com­pa­ny, while still enabling them to draw indi­vid­u­alised, mean­ing­ful analy­sis from the data itself.

“Oper­a­tional resilience is strong risk man­age­ment and risk man­age­ment done well,” Kirsty McLaugh­lin, glob­al risk sys­tems man­ag­er at FNZ, says. “All we had to do was pull all those threads of data togeth­er.”

Mann adds that abil­i­ty to gain vis­i­bil­i­ty across the organ­i­sa­tion not only leads to a more resilient busi­ness, but a stronger rep­u­ta­tion as well. “If you don’t have the appro­pri­ate risk con­trols in place to sus­tain busi­ness long-term, you’re going to have share­hold­er val­ue issues and you’re going to have rep­u­ta­tion­al dam­age.”

By align­ing a company’s many data sources and pro­vid­ing a more insight­ful analy­sis of that data will lead to “a sin­gle source of truth.”

The two plus years of dis­rup­tion the world has expe­ri­enced has only elu­ci­dat­ed fur­ther need for bet­ter insight and a stronger, more resilient busi­ness. Not only has Covid-19 affect­ed busi­ness, but cli­mate change has posed a risk to busi­ness­es around the world.

The Dora and FCA reg­u­la­tions are com­ing into force at an opti­mal time to encour­age the finan­cial sec­tor to achieve oper­a­tional resilience. “This reg­u­la­tion just takes that idea that you’re nev­er too big to fail and turns the dial a bit more,” Mann says. He points to key aspects that could lead to an “oper­a­tional down­fall” – the likes of the ongo­ing cli­mate cri­sis, sup­ply chain dis­rup­tion or cyber attack – as indi­ca­tors that there’s a greater need for organ­i­sa­tions to prove to share­hold­ers that they are mit­i­gat­ing risk wher­ev­er pos­si­ble.

If com­pa­nies can imple­ment improved sce­nario analy­sis and risk quan­tifi­ca­tion, as FNZ has done through the Archer Oper­a­tional Resilience plat­form, they will be bet­ter placed to address future dis­rup­tion. Sim­i­lar­ly, quan­tifi­ca­tion of risk, like with Archer Insight, can sup­port deci­sion-mak­ing with action­able infor­ma­tion. Rachael Ward, head of group risk over­sight – oper­a­tional resilience at FNZ says, “Effec­tive risk man­age­ment enables our own man­age­ment to safe­ly deliv­er busi­ness strat­e­gy and plans…It main­tains focus on the pre­ven­tion of con­sumer harm, it sup­ports risk-based deci­sion-mak­ing, and also then deliv­ers clear account­abil­i­ties across all of our lines of defence.”

Defend­ing a com­pa­ny in the finan­cial ser­vices sec­tor against dis­rup­tion is of the utmost impor­tance, affect­ing busi­ness­es and indi­vid­u­als around the world. With the new reg­u­la­tions in place, it is now the charge of com­pa­nies to cre­ate oper­a­tional resilience strate­gies that enable their busi­ness­es to come togeth­er behind a cen­tralised frame­work and resource for under­stand­ing and mit­i­gat­ing risk.

For more, please vis­it archerIRM.com/operational-resilience

Pro­mot­ed by Archer