How to Build Operational Resilience With Process Management
The financial services industry has become increasingly complex and interconnected due to the rapid adoption of technologies, the rising frequency of cyber attacks and a growing reliance on third-party vendors such as fintech companies.
Numerous high-profile failures, such as the financial crisis of 2008, various information technology system outages and significant data breaches, have demonstrated the profound impact these disruptions can have on customers and the entire financial system.
What Is Operational Resilience?
Operational resilience is a business’s ability to respond to and overcome adverse circumstances — such as natural disasters, supply chain disruptions, pandemics or economic crises — while maintaining a minimum level of operations for critical business services. Achieving resilience requires an organization to identify potential risks, develop preventative strategies and create robust response plans.
Regulatory Demands for Operational Resiliency
These failures have caught the attention of several regulatory bodies, which are increasing expectations for robust operational resiliency programs.
The E.U. recently rolled out the Digital Operational Resilience Act (DORA), mandating that financial entities and digital service providers operating in the E.U. ensure robust operational resilience by January 2025. Regulatory bodies in other jurisdictions have enacted similar legislation or will do so soon.
DORA mandates that organizations implement a strong risk management function; identify critical or important functions; manage information and communication technology (ICT) risk in their own operations and across their third parties; establish robust processes for incident management, reporting and classification; and perform risk-based operational resiliency testing.
Challenges in Meeting Regulatory Requirements
There are significant challenges for organizations that must comply with these regulations.
Lack of Comprehensive Documentation
Most organizations lack comprehensive documentation and visibility into their IT infrastructure, operational processes and the details of their third-party relationships.
Silos and Collaboration
Organizations have traditionally viewed resiliency as an IT or risk function. Regulators, though, are increasingly looking for evidence that risk management efforts are business-led and involve leaders from across the organization. This requires breaking down silos and establishing a common language to enable collaboration across these groups.
Data Integration Complexity
Resiliency challenges can originate from any resource — people, processes, technology or third parties — making it a massive data integration challenge to connect the dots and maintain this intelligence over time.
What Is the Process Inventory Framework?
To address these challenges, organizations need to establish a single model of everything they do and integrate operational resource data to serve as the ground truth for their resiliency program. This model enables all stakeholders to collaborate and perform their roles using a common business-oriented language.
Fortunately, a framework exists that provides this level of operational intelligence: the Process Inventory Framework. This framework can serve as the basis for managing all types of risks, not just operational resiliency.
Inventory Your Processes
To develop a comprehensive inventory of processes, anchor the creation to a complete foundation: your organization’s hierarchy.
Your process modeling team should conduct interviews starting at the top of the hierarchy with the simple question, “What do you do?” Then, translate the answers into process names that follow a verb-plus-noun naming standard.
Repeat this interview process as you move down the hierarchy until you achieve the desired level of detail. You should conduct reviews with stakeholders in the hierarchy, starting from the bottom up, to obtain explicit attestation that the information captured is complete and accurate.
What you’re creating is a process taxonomy, called a Process Inventory, which describes what the organization does at various levels of granularity, including key metadata such as process description, ownership and other crucial operating information, such as product alignment.
Integrate Critical Metadata
Organizations have many sources of internal data describing their operations, such as system repositories, human resources information, vendor repositories and more. The challenge is that this data is often siloed, unconnected and lacking consistent context within the business.
To address this, migrate the data to a single repository anchored to a common ground truth: an index of business context or your Process Inventory.
Your modeling team will then associate data elements with the relevant processes. This creates a unified repository that holistically describes how your organization operates through a business-oriented lens.
Benefits of a Process Inventory Across Teams
This single comprehensive view of your business will enable seamless collaboration and communication across all stakeholders engaged in resiliency.
- Business leaders: Benefit from this list of processes to identify which are critical based on their importance to the customer and to the business.
- IT leaders: Can use this data to identify the infrastructure supporting each critical process and fortify the resiliency of that infrastructure through additional redundancy.
- Risk managers: Benefit from the list of processes and their accountable ownership, enabling them to perform their risk functions through a consistent business lens, including the identification of adverse scenarios, assessments, reporting and testing.
- Testers: Can use this classification method to define the scope of processes requiring resiliency testing.
- Third-party risk management: Benefits from the clear connection this establishes between operational processes and the third parties that support them.
- Incident managers: Gain clarity on the scope needed to identify the people, processes and procedures required in case of an incident.
Beyond operational resiliency and risk, this level of operational intelligence helps organizations define strategies with clear impacts. It also enables an organization to define and run transformation programs, execute change more efficiently, drive operational excellence to remove waste and inefficiencies and design a more agile IT environment that aligns closely with the needs of the business.
Integrate the Process Ordering Into Your Risk Data
To facilitate accurate reporting and information sharing, integrate this taxonomy into your risk repository, such as a governance, risk and compliance data model, to provide a precise process index for all risk types.
This integrated approach addresses many challenges in risk data and the risk operating model across the three lines of defense, leading to more comprehensive risk assessments and delivering an accurate view of the risk landscape to executive decision-makers and external regulators.
Create a Central Process Capability
This is not a one-time exercise, as organizations are in a constant state of change. Establish a central process capability, such as a Process Center of Excellence, which can be accountable for defining standards, creating models, validating quality and accuracy, governing assets over time and managing the tool infrastructure and data.
To achieve this, organizations need to commit to a process-driven approach, identify a strategy that aligns process value with resiliency and other use cases, and build a playbook detailing the methods for creating models and validating their accuracy.