Much has been written about business continuity (BC) and operational resilience (OR) over the last few years. The speed and impact of the pandemic meant all those carefully laid plans were tested to the limit, with some organizations faring better than others.
Anyone hoping for a let-up would have been sorely disappointed. As Duncan Mackinnon, Executive Director for Supervisory Risk Specialists at the Bank of England, said in a speech in May 2022, the previous twelve months had been “another eventful year for operational resilience. World events, technological shifts and policy developments continue to move apace.”
To manage the ongoing disruption, financial services firms must have robust operations and a company-wide commitment to resilience that empowers them to handle whatever the world throws at them. It is a fundamental responsibility that all employees must take seriously. Firms don’t only have a duty to their customers, shareholders and employees to remain operational – they have a responsibility to the wider industry. The complex interconnectedness of today’s financial ecosystem demands that as a firm’s risk exposure rapidly evolves, so must its ability to operate.
Business continuity and operational resilience are so critical that regulators now expect them and are ready to impose penalties on the responsible parties if firms are unable to maintain appropriate levels of compliance. For example, in the UK the Financial Conduct Authority, the Prudential Regulation Authority and the Bank of England recently implemented new rules and guidance for financial services firms covering OR requirements. In the US, the Federal Reserve has a range of policies supporting firms to develop appropriate BC and OR plans.
But having to do something and being able to do it are two different matters. Just as every firm has a responsibility to the wider industry, so too does it need its employees to be focused on ensuring that it can maintain BC and OR.
This means ensuring that workforces have the right knowledge, experience and tools at their disposal. It means increasing awareness of risk and embedding an understanding of why rules are in place and why activities need to be conducted in a certain way.
For instance, cyber security is clearly a major priority for FS firms, with threats increasing in both volume and sophistication. Workforce education is a critical part of modern, effective cyber defense. From understanding social engineering and what to watch out for in phishing attacks to best-practice password management, every member of staff needs to be equipped with the knowledge they need to go about their day safely.
That training should also reflect the current state of working today. With more people working remotely, BC and OR aren’t just about what happens in the office. From a cyber security perspective, companies need to be able to protect the dispersed and decentralized networks and endpoints their staff use from a variety of different locations. That means adapting policies and procedures, rethinking how perimeters are secured and implementing approaches that support people to work where they need to – all without compromising security, operational resilience, or business continuity.
Doing all this requires the right support and guidance and the ability to work with partners that understand both the separate parts of BC, OR and cyber security, and how they all intersect. By accessing that expertise, firms will be better placed to educate employees on the importance of BC and OR and help keep both their businesses and the wider industry safe throughout ongoing turbulence.