Can You Manage Your Operational Resilience Challenges With Spreadsheets and Consultants?

The UK Financial Conduct Authority’s (FCA) requirements for strengthening operational resilience across the UK financial services sector come into force on March 31, 2022.

What does this mean? 

This requires all UK-authorized financial services firms across almost all financial services (FS) sectors to identify their important business services, map their scope and dependencies, set impact tolerances, and test against severe disruptions to those services. These disruptions must be severe yet plausible and should cover a variety of sources, including cyber attacks, operational and technology failures, and external events. Once completed for the first time (in 2022), this process needs to be repeated and reviewed on a regular basis: at least annually, or whenever there are material changes to the business, market or technical factors affecting an important business service.

More information about the requirements of this regulation can be found in our earlier blog.

Lessons learned: Preparing for March 31, 2022

Substantial regulatory changes can create major disruptions, particularly in complex and highly interconnected institutions. Many organizations began this process by assigning accountability, ensuring their organizational and governance structures align with the requirements, and consulting with regulators and external consultants in order to translate the guidelines into policies and ultimately procedures that could be executed.  

The first “walk-through” of the procedures for addressing each important business service is typically manual for many organizations, including:

  • Identifying the steps associated with mapping
  • Establishing impact tolerances
  • Testing through exercises designed to explore the impact of severe but plausible disruptions

Starting manually is also a common first step in the discovery and establishment of new business processes, enabling organizations to understand requirements, establish the challenges to be addressed, and the steps that need to be optimized and automated. 

Sizable teams of consultants gathering large amounts of complex data in spreadsheets have resulted in successful completion of the requirements by the March 31 deadline for many firms, but, not surprisingly, have also incurred significant disruption, expense, and process debt. Some organizations have adopted automated tooling to assist with steps such as mapping, but overall, two-thirds of organizations are reporting a lack of effective tooling and the need for substantial improvements in order to make the process repeatable and sustainable.

How do you make this repeatable? 

Commencing April 2022, the Bank of England’s Prudential Regulation Authority (PRA) requires that “firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.” This means that the processes established during this initial exercise need to be embedded within the operational fabric of each organization in a repeatable and continuous manner, so that material changes do not impact the ability of an organization to remain within its impact tolerances. Consultants and spreadsheets might have helped to meet the initial FCA requirements, but they won’t cut it going forward. Organizations need to automate processes where they can, and require the capability to identify where exceptions have occurred. Each exception in turn requires a review to determine whether impact tolerances need to be retested.

Why is mapping so important and so hard? 

Mapping is utilized to understand the functions and dependencies required to deliver an important business service. Mapping requires organizations to consider processes, personnel and technologies. Of these, technology mapping can be the most challenging and opaque within modern enterprise architectures as changes at the application, infrastructure, account, or data layers can have non-obvious yet significant impacts on interdependent remote business functions. 

In modern IT environments with cloud-based infrastructure and CI/CD pipelines, change is constant. Mapping those changes can be extremely challenging unless automated. Conversely, many financial services organizations also have a “long tail” of legacy applications that are not well documented and thus rely upon “tribal knowledge” that may not always be current or even available. For this reason, toolchains are required to illuminate these dark and/or poorly understood areas of an organization’s environment.

Relying on periodic manual assessment leaves organizations in a situation where they might not be able to meet their impact tolerance requirements following a seemingly unobtrusive change in an application, service or infrastructure component.

How does Application Relationship Management solve the problem? 

Application Relationship Management (ARM) automatically maps the dependencies of important business services in order to enable firms to remain within their impact tolerances. With ARM, you can:

  1. Ingest telemetry, inventory and log information to create a baseline model of an application and its dependencies that provide an important business service. This data-driven approach eliminates the risk posed by dark areas within an organization’s environment.
  2. Apply policies to the application baseline to identify risks such as RTO mismatches or vulnerability risks. 
  3. Produce a report that can be utilized during an operational resilience review, including impact tolerance tests.
  4. Continuously update that baseline so that the organization can be immediately aware of material dependency changes which impact mapping information. This enables the organization to reassess the impact tolerances against the updated map.
  5. Produce a manifest of mapping changes across an assessment period to evidence the continuous ability to operate within impact tolerances.
  6. Eliminate the use of clunky spreadsheets and expensive consultants.
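To make the workflow in the list above concrete, here is an added illustration (not ARM’s code or data model) of the core mechanics: a dependency baseline for an important business service, an RTO-mismatch policy applied to its transitive dependencies, and a manifest of material changes between two snapshots. The service names, RTO values and the 4-hour impact tolerance are constructed for the example.

```python
from collections import deque
# Constructed sample snapshots (not real inventory data): each component lists
# what it depends on and its recovery time objective (RTO) in hours.
BASELINE = {
    "payments": {"depends_on": ["core-ledger", "auth-svc"], "rto_hours": 2},
    "core-ledger": {"depends_on": ["db-cluster"], "rto_hours": 2},
    "auth-svc": {"depends_on": ["db-cluster"], "rto_hours": 1},
    "db-cluster": {"depends_on": [], "rto_hours": 3},
}
# Later snapshot: auth-svc quietly picked up a slow-to-recover legacy dependency.
CURRENT = {
    "payments": {"depends_on": ["core-ledger", "auth-svc"], "rto_hours": 2},
    "core-ledger": {"depends_on": ["db-cluster"], "rto_hours": 2},
    "auth-svc": {"depends_on": ["db-cluster", "legacy-hsm"], "rto_hours": 1},
    "db-cluster": {"depends_on": [], "rto_hours": 3},
    "legacy-hsm": {"depends_on": [], "rto_hours": 24},
}

def transitive_deps(model, service):
    """Every component the service depends on, directly or indirectly."""
    seen, queue = set(), deque(model.get(service, {}).get("depends_on", []))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(model.get(node, {}).get("depends_on", []))
    return seen

def rto_mismatches(model, service, impact_tolerance_hours):
    """Policy check: dependencies whose RTO exceeds the impact tolerance, or whose
    RTO is unknown because the component was never mapped (a 'dark area')."""
    return sorted(d for d in transitive_deps(model, service)
                  if d not in model or model[d]["rto_hours"] > impact_tolerance_hours)

def change_manifest(old, new):
    """Material changes between snapshots: nodes/edges added or removed, RTOs moved."""
    manifest = []
    for node in sorted(set(old) | set(new)):
        o, n = old.get(node), new.get(node)
        if o is None or n is None:
            manifest.append(f"{'added' if o is None else 'removed'} node {node}")
            continue
        for dep in sorted(set(n["depends_on"]) - set(o["depends_on"])):
            manifest.append(f"{node} now depends on {dep}")
        for dep in sorted(set(o["depends_on"]) - set(n["depends_on"])):
            manifest.append(f"{node} no longer depends on {dep}")
        if o["rto_hours"] != n["rto_hours"]:
            manifest.append(f"{node} RTO {o['rto_hours']}h -> {n['rto_hours']}h")
    return manifest
```

A non-empty manifest is the trigger for the review step: here the new 24-hour dependency makes the payments service fail the 4-hour policy even though nothing about the payments application itself changed.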

This video shows how easy it is to map important business services and identify any material changes that might affect impact tolerances.

Achieving operational resilience

Operational resilience requires a sustainable and repeatable process embedded within an organization’s workflow, within its DNA. For firms of any scale or complexity, this means dispensing with “point in time” solutions such as consultants and spreadsheets, and replacing them with automated tooling that delivers accurate and continuous information, ensuring that impact tolerances continue to be met at all times and that material changes are recognized when they occur.

ARM has enabled financial services organizations across the globe to meet their regulator’s requirements for real-time automated mapping assessments to ensure their organizations continue to deliver their important business services as applications, environments and threats change. ARM also enables dynamic organizations to meet their operational resilience challenges. 


Timothy Eades

Chief Executive Officer