Business Reporter

The critical need for IT operational resilience


Simon Morgan at CSI Ltd argues that building IT operational resilience by 2025 to meet incoming regulations requires action now

 

We live in an ever more complex digital world, with threats to business coming from every angle, from cyber-security issues to pandemics and economic instability. As a result, regulations have been toughened for financial organisations to ensure their digital resilience. Addressing tolerance to disruption, regulators have sharpened their focus to make topics like operational resilience, business continuity, and disaster recovery critical across the financial services landscape.

 

DORA (the EU’s Digital Operational Resilience Act) is set to become a globally influential piece of legislation, which will impact EU banks (and their customers) directly. They will need to be compliant by January 2025. Meanwhile, the Bank of England and other regulatory entities are deliberating on adopting analogous measures. For UK national banks without EU subsidiaries, DORA may not apply directly, yet the principles of operational resilience remain relevant and share similar ground with existing UK regulations.

 

The UK’s Financial Conduct Authority (FCA) presides over a spectrum of financial institutions, but DORA casts a wider net, encompassing explicit directives for ICT and third-party risk management that are more stringent than those in the UK. The FCA, together with the Prudential Regulation Authority (PRA), is contemplating regulations that would encompass provisions for third-party technology providers. It seems the UK is moving towards a regulatory framework that could harmonise with DORA. Firms are expected to assure the PRA of their operational resilience capabilities by March 2025.

 

So, whether or not you operate in the EU, it’s worth thinking now about whether your organisation has good operational resilience.

 

Every financial organisation, and indeed every business, should be stepping up its data protection and operational processes that guard critical systems against all interruptions. This will ensure the continuity of critical services so that incidents that breach personal data can’t.

 

Here are my top tips for ensuring your organisation is compliant with any regulations that might affect you coming down the line.

 

Identify important services

Organisations must identify their important business services and set impact tolerances for them, ensuring they can prioritise and make investment decisions effectively.

 

First, you must understand what constitutes an ‘important business service’. This involves mapping out and understanding the services that, if disrupted, could cause harm to consumers, or threaten your firm’s viability, or cause instability in the financial system. Each service should be evaluated based on its criticality to the organisation’s operations and its impact on stakeholders.

 

Secondly, once important business services are identified, you need to establish impact tolerances for each service. Impact tolerance is the maximum tolerable level of disruption a firm can withstand before serious harm is caused. This includes considering factors such as the duration of a disruption and the volume of business affected. Setting these tolerances requires a deep understanding of your firm’s operations, dependencies, and the potential for systemic risk.

 

Once you have clear impact tolerances, you can then prioritise resources and investments to ensure that the most critical services are the most resilient. This means investing in systems, processes, and controls that can prevent, respond to, and recover from operational disruptions.

 

Engage in scenario testing

Data integrity is the assurance that data is consistent, accurate, and reliable over its entire lifecycle. Scenario testing for data integrity involves simulating events that could compromise data, such as cyber-attacks, system failures, or human errors. You need to create realistic scenarios that challenge your organisation’s ability to maintain data integrity.

 

Critical to the process is testing backup and recovery procedures to ensure that data can be restored accurately and promptly – many organisations still don’t do this regularly. And make sure to assess the impact that data loss or corruption at third-party suppliers would have on business operations.

 

Scenario testing should simulate outages of your own and third-party services by identifying a range of potential failures, from minor glitches to major disasters. By assessing the likelihood and impact of each scenario on the firm’s operations you can then tailor your contingency plans to ensure you can respond to each appropriately.

 

Once you’ve done this you MUST test them in real time to ensure your backup and recovery plans work how you need them to. They should also be regularly updated and refined to reflect the changing risk landscape. You can then use the results of testing to inform decision-making and improve resilience measures where required. But this should not be a one-off – you need to continually use scenario testing to ensure your operational resilience.

 

Build resilience

Investing in resilience is crucial for any organisation to ensure continuity and reliability of service delivery. Creating substitutable service delivery methods is one such investment, which involves developing alternative ways to provide services that can be quickly deployed in case of a disruption. This could mean having multiple channels for customer interaction, such as online platforms, call centres, and physical locations, which can compensate for each other if one fails.

 

Additionally, adapting outsourcing arrangements to include multiple vendors or cloud-based solutions can provide flexibility and reduce dependency on a single source, thereby mitigating risks associated with third-party failures.

 

Updating legacy systems is another vital aspect of building resilience. Legacy systems often pose significant risks due to their outdated technology and lack of support. By modernising these systems, you can improve their efficiency, security, and ability to integrate with newer technologies. Investments in updating legacy systems should be strategic, focusing on areas that will yield the most significant impact on your organisation’s overall resilience and operational capabilities.

 

Policy compliance

Ensuring compliance with operational resilience policy by March 2025 is a strategic imperative for financial institutions. It requires a concerted effort to focus on the ultimate outcome of remaining within impact tolerances.

 

To achieve this, it is essential to actively engage senior management and boards in the process, as their leadership and commitment are critical to integrating resilience into the corporate culture. They must drive the implementation of resilience measures, allocate resources effectively, and ensure that all levels of the organisation understand and contribute to the resilience objectives.

 

Approaching operational resilience in a planned and logical way will ensure your organisation will not only meet regulatory expectations but also strengthen its ability to withstand and quickly recover from operational disruptions, thereby safeguarding your customers and the wider financial system.

 


 

Simon Morgan is Client Director at CSI Ltd

 

© 2024, Lyonsdown Limited. Business Reporter® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543