Financial firms have had to deal with a high number of cyberattacks and IT incidents in the last few years. Some of these have been high profile and have led to millions of dollars in losses. Consequently, the operating and risk environment for financial institutions has changed drastically, leaving both these institutions and their customers vulnerable.
Therefore, both regulators and governing bodies have been promoting operational resilience as the next step forward for financial firms. Operational resilience is about determining the probability of a cyberattack happening and working on ways to minimize the damages. When firms focus on operational resilience, they assume that cyberattacks will happen rather than just thinking they might happen.
However, it can be difficult to get operational resilience right since it requires a change in IT infrastructure, functions, and management. In this blog post, we put forward the 8 key actions that you can take towards building operational resilience within your organization.
8 Key Action Items for Operational Resilience
The key actions that businesses should take to support their path to operational resilience are:
- Prioritize critical services: Organizations should identify the services that are most critical to their customers and partners or that ensure continuity of business processes. All such critical services should be prioritized for resilience and the firm should set a clear and reasonable tolerance for them.
- Understand what impact tolerance is: An organization needs to understand and have clear estimates for how much disruption its business can tolerate. The scenarios that are used to come up with such estimates should assume the failure of critical systems and processes. Once such scenarios have been run, firms should determine what their impact tolerance is, i.e., the point beyond which disruption would put the business itself at risk. For cyber threats, the scenarios for determining tolerance should be focused on the failure of IT implementations and disruption at partners/third-parties/offshore-centers.
- Know and understand the third parties involved: Third parties are one of the biggest causes of operational outages in organizations. Whether it is due to poor security implementations at their endpoints or because of a lack of awareness, third parties can expose firms to all sorts of cyber risks. Therefore, businesses need to understand that they will still be responsible if a lapse in their security occurs because of a third party. Firms should have a thorough process of knowing and understanding their third parties, especially their IT implementations, before working with them. To become operationally resilient, you need to ensure that all third parties are resilient, too.
- Come up with communication plans: Communication is a key aspect of operational resilience. The questions you need to ask yourself are: If a disruption of a key business process/service occurs, how will stakeholders, regulators, counterparties, customers, and third parties be informed? How will staff be informed so they can react and respond to the disruption appropriately? Who will govern what, when, and how customers will be informed of the disruption? Your communication plans for each stakeholder should address these questions, and you need to lay down a clear outline of who will be informed, when they will be informed, and how they will be informed. A great communication plan also includes pre-made templates that can be used to reduce response time to stakeholders and customers.
- Be flexible: Remember that an operational resilience program is not a one-time task that will be set in stone forever. Instead, as your business evolves, so will your resilience program. You need to understand that as internal and external factors change with time, so will the risks and threats that are posed to your business. Consequently, your resilience plans should be adjusted regularly as and when your business changes.
- Formalize your reporting: For senior management and boards, the most effective method of evaluating an operational resilience program is through risk metrics and proper reporting. The board needs to have a sound understanding of the resilience plan since they are the ones who make informed decisions about the direction and investments that go into operational resilience.
- Put the focus on assessments and audits: Organizations should prepare a three-lines-of-defense model for operational resilience that includes operational management, compliance functions and risk management, and internal audit. It is also important to get a neutral (and external) view of your firm’s operating environment through a detailed assessment. This should not just be considered a tickbox on your security checklist, but an opportunity to learn more about cybersecurity on an ongoing basis. Over time, these audits and assessments will become an annual process that reminds the firm of, and reprioritizes, operational resilience.
- Take a proactive approach: Operational resilience is all about preparation and putting into place proactive measures that can minimize damage or prevent incidents altogether. Hence, it is important that you turn away from traditional reactive approaches to security and instead focus on proactive planning, so that you can address resilience issues at the initial stage, when problems or risks are first identified.
With the imminent threat of cyberattacks and growing pressure from regulators, it is clear that operational resilience will remain the center of attention in 2020 and beyond. The 8 action items that we have presented in this blog post will help organizations get started with and develop a robust strategy for building their operational resilience program.
Apvera is a cybersecurity partner that specializes in risk and compliance management, with expertise in assisting firms from various industries across the world. We help organizations understand and achieve operational resilience through our proven and well-tested strategy. For more information about how we can help you, please get in touch.