How can you improve your ability to identify, respond and adapt to significant operational interruptions?
Agenda
I Introductions and objectives
II Why is resilience important
III Typical issues — be aware
IV What do you need to do
V Summary and questions
How can you improve your ability to identify, respond and adapt to significant operational interruptions? Page 2, 3 May 2017

Introductions and objectives

Presenters:
► Ali Kazmi, Executive Director — IT Risk Transformation
► John Milne, Director — IT Risk Transformation
► James Turpie, Senior Manager — IT Risk Transformation

Objectives for this session:
► To understand why resilience is important
► To understand common challenges amongst building societies, mutuals and the wider FS sector
► To explore the path towards operational and cyber resilience

Please feel free to ask questions throughout this session.
Defining resilience
► Operational Risk is defined in Basel II as the ‘risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’.
► Operational Risk functions are tasked with identifying, measuring and assessing these operational risks.
► Operational Resilience is the organisation’s set of people, processes and technology marshalled to reduce operational risks down to an acceptable level and react effectively when they do crystallise.
Polling question 1: How aware of resilience are you?
We regularly read about service disruptions and cyber attacks which bring down critical services. Taking proactive preventative action now can reduce the risk of disruption.
Polling question: How hot a topic is resilience within your organisation?
• What is resilience?
• Resilience is occasionally discussed.
• We have an active resilience programme.
• Resilience is discussed at senior management and board levels on a regular basis.
Resilience is in the mind of the consumer

Media headlines
► There are many famous and infamous examples of when systems outages and cyber attacks affect customers and hit the headlines.
Why does resilience matter to you?
► Complex operating environments
► Cyber crime
► Meeting rising customer expectations
► Systematic IT failures
► Competitive forces
► Protecting brand and reputation
► Increased regulatory focus
► Digitalisation and emerging technology
► Competing successfully
► Economic upturns
► Emerging competition
► Legacy IT systems
► Elections and governance challenges
► Regulatory compliance
► Supply chain disruption
► Customer expectations
The regulatory dimension

Main regulatory focus
► High profile operational events and follow-up
► Prevalence of legacy IT systems
► Emergence of cyber attack as an increasing threat
► Progress on financial resilience: Recovery and Resolution Planning (“Living Wills”)
► More aggressive regulatory culture (“prove it to me”)

Main regulatory tools
► Forensic testing (CBEST)
► More “deep dives”
► Wider use of skilled persons reports (s166)
► Improved and more regular MI
► Regular collective exercises
► Non-binding Guidance / Dear CEO
► SMR

Main regulatory drivers
► Recognition that resilience is a mainstream risk
► Increasing application of traditional risk-management techniques
► Increasing senior management engagement and oversight up to and including Board
► Better articulation of Risk Appetite against not just quantitative but also qualitative criteria
► Clearer definition of roles and responsibilities (SMR)
► More disciplined application of 3 Lines of Defence
► Improved operational data - benchmarking
► Increased investment in training to promote resilient behaviours
► Promoting a resilience culture
► Enhanced testing/simulation

Industry response
► Governance - resilience is a Board issue
► Critical Economic Functions – identifying “crown jewels”
► Risk Appetite - clear statement of tolerance for loss of key business capabilities against a wider range of criteria
► Accountability – individual responsibilities should be clearly defined and set against an unambiguous chain of command
► 3 Lines of Defence – each line should be independent and be equipped to provide effective challenge
► Resilience culture – continuous improvement not “fix on fail”
► Resilient behaviours – effective and proactive training and awareness
Advantages held by resilient organisations
► Confidence
► Coherence
► Competitive advantage
► Competition
► Agility
Polling question 2: The ownership challenge
Polling question: Who is ultimately responsible for resilience within your organisation?
• Chief Executive Officer
• Chief Risk Officer
• Chief Information Officer
• Chief Operating Officer
• Head of Risk
• Board
• Chief Resilience Officer / Head of Resilience
• Other
Resilience challenges

Stakeholders: CEO, CFO, CIO, COO, CRO, CTO

Resilience domains: Security & risk management, IT disaster recovery, HSSE, Information security, Business continuity, Supply chain resilience, Cyber security, Crisis management

Challenges:
► Dynamic landscape
► Customer expectations
► Poor leadership
► Limited strategy
► Piecemeal approach
► Organisational change
► Skills gap and resource limitations
► Underinvestment
► Reputation risk
► Inconsistency of technology
► Inaccessible information
► Cost
► Ineffective controls
Polling question 3: Resilience strategy
Polling question: Does your organisation have a resilience strategy in place?
• Yes
• No

Strategic approach to resilience
Sense, Resist and React to disruptive events, while Adapting and Reshaping operations in environments characterised by both foreseeable and unforeseeable risk.
Elements of the model: Lead; Sense; Resist; React; Adapt; Reshape.
Polling question 4: Testing your readiness
Polling question A: How often do you test your resilience capabilities?
• Monthly
• Bi-annually
• Annually
• Occasionally
• Never
Polling question B: What is the nature of the testing that you perform?
• Only single functions
• End to end business processes
• Including suppliers
• Cross-industry
• We do not test our resilience capabilities
How much resilience is enough resilience?
Investment in resilience is informed by a number of factors including:
► Nature and type of services provided
► Customer expectations
► Competitive landscape
► Cost vs. risk appetite
► Regulations

Components of an effective resilience strategy
1. Strategy needs to be dynamic
2. Strategy needs to include key dependencies
3. Have the right governance in place
4. People are key
5. Have a resilient culture