Why Prevention is Better Than the Cure. The Lesson of the Oak and the Reed. 


Achieving Operational Resilience in UK Financial Services

In March 2022, systematically critical British banks, building societies, and insurers will be subject to a broad set of regulatory requirements from the Bank of England / Prudential Regulation Authority (PRA) to assure their Operational Resilience in the face of an increasingly complex and interconnected operating environment. Operational Resilience is defined as the ability of organizations (and the financial sector itself) to prevent, adapt, respond to, recover and learn from operational disruptions. 

The focus on remaining operationally resilient, as opposed to creating plans to recover from a major event is not new. This approach to deliver critical services was initially defined within the US FFIEC’s Business Continuity Management handbook in 2019 as a reaction to the increasing complexity and interconnectedness of businesses; and the increasing sophistication of threats and interdependency risk. Operational resilience encourages organizations to be flexible, continuously assessing risks and response readiness–in marked contrast to a prior focus on burdensome recovery event planning that often failed to account for real world disruptions. Operational resilience means that prevention is every bit as critical as the ability to remediate. 

In Aesop’s tale of the oak and the reed, the mighty oak boasted of its strength and ability to resist any known weather. But, the oak’s strength proved brittle.  When a hurricane struck, the unplanned event, the tree was broken. In contrast, the slender reed was flexible and resilient, which allowed it to survive this particular storm. Operational resilience focuses an organization’s posture to that of the reed in order to protect the firm–and the entire UK financial services sector–from the next hurricane or other unforeseen event. This mitigates adverse impacts, and points the way to planned, timely responses when the worst occurs.  

How do you build Operational Resilience?


Prioritize the Things That Matter: Important Business Services.

In order to build resilience cost-effectively, a Firm must first identify and prioritize their Important Business Services. For Financial Services organizations this includes:

  1. Systemically critical functions that might affect the stability of the financial system itself for example, treasury and reporting functions.
  2. Institutionally critical functions that might impact the ability of the Firm to continue to function (for example, functions that fund a firm or enable it to calculate risk).
  3. Customer critical functions particularly those relating to policyholder protection for Insurance providers.

The identification of Important Business Services is the starting point for this process and needs to be completed by organizations by March 31, 2022. Once a service is identified, it needs to be scoped and articulated in a manner which enables impact tolerance to be determined. This includes technical components of applications, infrastructure, and services provided by third parties. This step is called Mapping.


Understanding and Mapping Dependencies

A firm must identify and document the dependencies required to deliver an Important Business Service including applications, infrastructure, processes, organizations, and external service providers required to deliver each part of the Service. 

Mapping enables organizations to assess potential business impact and plan remediation as risks occur. The Mapping function should be conducted regularly, and whenever a material change occurs in order to maintain accuracy. For organizations adopting agile development or business principles, or those with complex application ecosystems automation and detection of material mapping changes is a necessity. This ensures Business Impact Assessments remain relevant without the need to dedicate teams to the process in futile attempts to “keep up.” 

Additionally, the SS2/21 regulations state that “firms that enter into outsourcing arrangements remain fully accountable for complying with all their regulatory obligations” so the mapping function must also integrate with third party cloud-delivered services.

vArmour customers utilise the Discovery and Visualization functions within vArmour’s Application Controller–the core of vArmour’s Application Relationship Management approach to security and resilience–to ensure that the mapping of Important Business Services is delivered in an accurate, automated, data-driven fashion. This approach significantly reduces risk through errors, reduces operational cost and, crucially, informs organizations when material changes to a mapped Business Service occurs.

Figure 1: Mapping the eBanking app functional components and external dependencies, including applications, user’s OUs, and removing infrastructure “noise.”

Assessing Impact Tolerances

Impact Tolerances start from the assumption that disruption and failure will inevitably occur and  is the basis of any approach placing resilience at its core. Impact Tolerances enable organizations to set a requirement to recover Important Business Services following failure, and then assess the risks associated with achieving that recovery requirement or recovery time objective (RTO).

Once Impact Tolerances are defined, the PRA expects organizations to identify where recovery cannot be achieved within those tolerances. To achieve this, organizations must continually assess and address the risks associated with Important Business Services and their dependencies, particularly in dynamic and complex environments. An important aspect of this assessment includes understanding the ability of interdependencies to recover as required, any new risks associated with dependencies, and the interdependencies on their party service providers. Over the years a significant number of high profile failures within the financial services industry have been a result of poorly understood dependencies, or unexpected changes to those dependencies.

vArmour customers utilise Application Relationship Management (ARM) to understand where dependencies within complex environments might lead to increased risk and potential violation of Impact Tolerances, e.g.,  where Recovery Time Objectives do not align, or where interdependencies are carrying increased risks associated with vulnerabilities or misconfiguration. ARM enables organizations to define their Impact Tolerances as baseline policies and continuously evaluate the runtime environment for compliance. 

Figure 2: Highlighting discovered RTO mismatches between ‘Real Time Pricing’ application (RTO=1) and downstream dependencies within ‘Risk Calcs’ (RTO=4).

Pulling It All Together

Operational resilience is universally understood to provide the solution to delivering world class financial services to customers in modern financial markets around the world. In order to achieve this goal in highly competitive, complex, dynamic environments, organizations need tool sets that can allow them to understand their Important Business Services, map their scope and dependencies, and understand when impact tolerances change. Application Relationship Management provides a data-driven and highly automated methodology and solution to achieve this goal, ensuring that organizations can remain dynamic, flexible, secure and resilient. Like Aesop’s reed. 



Read More
April 2, 2024
What the Financial Services and Markets Act means for Technology Resilience
Read More
January 24, 2024
Meeting APRA CPS 230 and Adopting Operational Resilience as a Strategic Imperative
Read More
December 13, 2023
Decoding DORA ICT Risk Management Requirements: Step 3 - Executing Business Impact Analysis and Risk Assessments

Timothy Eades

Chief Executive Officer