Operational Resilience: Measure and Report
26 Sept 2017
Lewis McKenzie | Andrew Charlton
PwC
Evolution of Resilience Regulation: The supervisory journey

The supervisory journey runs through the phases labelled Gamechanger, Regime response, Validation/Learning, Supervision and Today.

H1 2012: SEC 'Flash Crash' proposals.
Q2 2012 (Gamechanger): Multiple incidents at several banks. Payments outage at RBS affects 6.5m customers for up to a month.
Q3 2012: FSA undertakes the Dear Chairman Exercise (DCE I), making IT resilience a Board issue.
Q4 2012: Board Chairpersons explain to the FSA how they manage and control IT risk, and deliver the DCE I response.
Q2 2013: FSA becomes PRA and FCA. Focus on IT resilience is sustained.
Q3 2014: Banks respond to DCE II.
Q4 2014: CHAPS RTGS outage highlights concentration risks in payment infrastructure. FCA / PRA fine RBS £56m.
H2 2015: European Supervisory Authority joint committee report identifies insufficient understanding of IT risks by regulators. Private DCE II feedback to 7 participants; no market report was forthcoming from FCA / PRA.
Today: Supervisory focus on resilience at FCA / PRA and international regulators. Technology Resilience Questionnaire issued by FCA.
Regulatory Challenges and Outcomes

Regulatory challenges:
• Board accountability for critical infrastructure; requirement for IT expertise on the board.
• End-to-end (E2E) resilience collaboration vs a silo approach.
• Resilience requirements not as advanced as they should be [e.g. E2E mapping and testing of critical economic functions (CEFs)].
• Insufficient prioritisation in operationalising resilience requirements that have been identified.
• Greater appreciation for, and demonstration of, conduct considerations within IT risk appetite.
• Maturity and delineation of the three lines of defence (3LoD): risk and control management not keeping pace with newly emerging risks.
• Breadth of IT risk assessment activities vs individual services.
• Need for a better understanding of 3rd party dependencies, and for ensuring their compliance with the organisation's conduct framework.
• Granularity of RTOs, including interdependencies.

Outcomes:
• Increase in infrastructure reviews to address IT resilience. However, firms are not fully taking into account the need for resilience across the business.
• Confused granularity of metrics, compounded by a lack of clarity / consistency in key metric reporting.
• PwC development of the Operational Resilience Maturity Assessment tool (ORMA), utilising knowledge of the Dear Chairman exercises.
• PwC development of an Operational Resilience programme methodology and supporting tools.
Regulatory Changes Worldwide

Global regulatory expectations and standards:
• FFIEC: IT Booklet – BCP (2015)
• Institute of Internal Auditors: BCM Practice Guide (2014)
• International Organization for Standardization: ISO 22316 Organizational Resilience (2017)
• MAS: BCM Guidelines (2003)
• Central Bank of Ireland: Guidance on Tech & Cyber (2016)
• European Central Bank: IT Risk Stocktake (2016)
• FCA / PRA: Dear Chairman II (2014); FCA Tech & Cyber Questions (2017); FCA Business Plan (2017)
• SEC: Updated BCM Guidance (2016)
• HKMA: BCP Supervisory Policy Manual (2002)

European regulators and international standards are now setting a clear expectation that organisations should make the strategic shift from BCM, recovery-focused programmes to an integrated, multi-disciplined, end-to-end resilience approach, with client and market impacts as the significant influencers.
The Path to Resilience

The maturity path runs from siloed continuity, recovery and planning towards operational resilience, and the resilience level from minimal to high. Each level is described by its ability to respond, its characteristics and its metrics.

Undeveloped
• Minimum legal / regulatory requirements are met, but the ability to respond is patchy and uncertain.

Formalised
• Key sites and facilities can respond to major incidents and they should be able to reduce the disruption to their operations.
• Piecemeal and ad hoc plans, usually driven by a need to comply with legislation or regulation.

Established
• Response capabilities are optimised at a site level and their ability to recover operations is reasonably certain and efficient.
• BCM policy is set, and business continuity plans developed for key sites and facilities.

Integrated
• Key business priorities are understood, and the organisation can implement a strategic response to disruptions across its sites and supply chain.
• Business Continuity is integrated with incident and crisis management, and emergency response. BCM is embedded in the organisation, with regular exercising.

Optimised
• Resilience is integrated within the overall risk management approach, and is embedded within the corporate governance processes.
• Investment in resilience and risk is optimised, and the organisation has sustained capability to respond to major threats.
• Resilience analysis has been done across the organisational silos, taking into account supply and value chain dependencies and risks.

Metrics, from the highest to the lowest maturity:
• KRIs inform key resilience decisions at all levels. KRIs are streamlined and manageable.
• The organisation has identified a set of KRIs with which to measure resilience.
• Mature set of metrics, but requires refinement to identify gaps and establish those metrics that are truly key.
• Metrics have been formalised, but reporting / capture lacks consistency.
• Little evidence of metric-guided BC.
• Metrics are minimal and fragmented.
End-to-End Operational Resilience: The Journey

Phases: Identify & Select; Measure & Assess; Resilience Trajectory.

Stage 1: Identify Critical Services (CS) & set Governance (Critical Services)
CS selection should take into account services identified as systemic by the regulator, as well as the following four areas: (1) License to Operate; (2) Customer Promise; (3) Business Strategy; (4) Business Impact Assessment.
Benefits: knowing what matters most to the bank; well-understood priorities; ownership established; quicker decision making in crises.

Stage 2: Define Risk Appetite & top-down KPIs & KRIs (Risk Appetite and KRIs)
Define risk appetite for the CS (including the channels that make up the CS) by utilising prioritised service tiers; assign thresholds for KRIs based on this tiering.
Benefits: driven by risk appetite and performance; linked into Risk Management; resilience across siloed activities; meeting regulatory expectations.

Stage 3: Mapping (End-to-End Mapping)
The CS and principal channels are mapped out, identifying the critical path through activities. The four pillars of service capability (People, Premises, 3rd Parties and Technology) are mapped against each activity on the critical path.
Benefits: understanding of the value chain; critical path identified; key dependencies and their owners identified; single points of failure and concentration of risk identified.

Stage 4: Assessment (Metrics that count)
Risk assessment leverages a reproducible, consistent methodology, delineated through execution of the initial programme. This approach provides an overall risk profile and gap analysis; risks, summaries and overall ratings are mapped for each service. Assessing KRIs: KRIs are applied across the critical path to help identify risk hot-spots (both vulnerabilities and dependencies).
Benefits: direct link between KRIs and risk appetite; ability to drill down and diagnose issues relating to service delivery; cross-cutting analyses provide pillars with business impact data; ability to assess forward-looking indicators to anticipate problems; combination and extension of existing metrics for efficiency.

Stage 5: Reporting & Controls (Insight and Action)
Reporting will enable the bank to make informed decisions regarding remediation actions spanning the organisation.
Benefits: overall resilience dashboard; controls applied at the best point; integration with risk management; joined-up top-to-bottom view; follows regulatory direction; timeliness of action; efficiency of investment.
Stage 2 – Define Risk Appetite & Top-Down KPIs & KRIs

Top-down, business-aligned, within the Risk Management Framework (RMF). The stage produces Operational Resilience policies, standards and procedures; an Operational Resilience risk appetite; and the alignment of services to service tiers and risk thresholds.

• The Risk Appetite statement and metrics, agreed by the Board, help define the high-level boundaries of the RMF.
• The Risk Appetite is articulated to reflect the operational impact that management is willing to accept with respect to Operational Resilience. This is aligned to the RMF / impact criteria.
• Risk Appetite is established for each service (e.g. 'access to cash for ATMs'). Services are subsequently categorised into defined service tiers: Severe, High, Medium, Low. Systems, data facilities and vendors are categorised by the corresponding tier level of the service they support.
• Operational Resilience metrics and thresholds [e.g. Maximum Acceptable Outage (MAO), Recovery Time Objective (RTO), etc.] are defined for each of the four service tiers. Service categorisation is determined by way of the Risk Appetite.
• The Operational Resilience capabilities required to achieve the thresholds in each service tier are defined in terms of the four pillars: (i) People & Process; (ii) Technology; (iii) Suppliers; (iv) Premises & Assets.
• Policies, internal controls and procedures supporting Operational Resilience are fully documented.
• KPIs and KRIs are set in parallel with tiers and thresholds so that the generated MI is succinct, specific and relevant.
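As an added worked example (not PwC's ORMA tool or anything taken from the deck), the following Python sketches the mechanics described for Stage 2: each service carries a tier, every system, data facility or vendor on the critical path inherits the most critical tier of any service it supports, and each asset's last tested recovery time is compared with the RTO threshold of that tier. The threshold hours per tier, the service names, the dependency lists and the tested figures are all assumptions constructed for the example.

```python
"""Stage 2 worked example: service tiers, inherited asset tiers and RTO threshold checks.

Added illustration, not PwC's tool. Everything below the import is constructed:
the threshold hours per tier, the three services, their dependencies and the
tested recovery times are assumptions chosen to show the mechanics.
"""
from dataclasses import dataclass

# Tier order as in the deck: Severe, High, Medium, Low (most to least critical).
TIER_ORDER = ["Severe", "High", "Medium", "Low"]

# Assumed thresholds in hours per tier: MAO = Maximum Acceptable Outage,
# RTO = Recovery Time Objective. Real values come from the Board-agreed risk appetite.
TIER_THRESHOLDS = {
    "Severe": {"MAO": 2, "RTO": 1},
    "High":   {"MAO": 8, "RTO": 4},
    "Medium": {"MAO": 24, "RTO": 12},
    "Low":    {"MAO": 72, "RTO": 48},
}


@dataclass
class Service:
    name: str
    tier: str
    dependencies: list  # systems, data facilities and vendors on the critical path


def most_critical(tiers):
    """Return the most critical of several tiers (lowest index in TIER_ORDER)."""
    return min(tiers, key=TIER_ORDER.index)


def categorise_assets(services):
    """Each asset inherits the tier of the most critical service it supports.

    A shared ledger used by a Severe and a Low service is therefore Severe:
    the asset's required resilience is set by its most demanding consumer.
    """
    asset_tier = {}
    for svc in services:
        if svc.tier not in TIER_THRESHOLDS:
            raise ValueError(f"unknown tier {svc.tier!r} for {svc.name!r}")
        for asset in svc.dependencies:
            asset_tier[asset] = most_critical([asset_tier.get(asset, "Low"), svc.tier])
    return asset_tier


def check_rto(asset_tier, tested_rto_hours):
    """Compare each asset's last tested recovery time with the RTO of its inherited tier.

    Returns {asset: (tier, tested_hours, allowed_hours)} for every breach. An asset
    with no recorded test is reported with tested_hours=None: an untested RTO is a gap
    in its own right, not a pass.
    """
    breaches = {}
    for asset, tier in asset_tier.items():
        allowed = TIER_THRESHOLDS[tier]["RTO"]
        tested = tested_rto_hours.get(asset)
        if tested is None or tested > allowed:
            breaches[asset] = (tier, tested, allowed)
    return breaches


# Constructed sample data (assumed names and figures).
SAMPLE_SERVICES = [
    Service("High-value payments (SWIFT & CHAPS)", "Severe",
            ["SWIFT gateway", "Payments hub", "Core banking ledger"]),
    Service("Access to cash for ATMs", "High",
            ["ATM switch", "Core banking ledger", "Cash-in-transit vendor"]),
    Service("Monthly statements", "Low",
            ["Print vendor", "Core banking ledger"]),
]
SAMPLE_TESTED_RTO_HOURS = {
    "SWIFT gateway": 0.5,
    "Payments hub": 3,
    "Core banking ledger": 1,
    "ATM switch": 6,
    "Print vendor": 24,
    # "Cash-in-transit vendor" has never been exercised: deliberately absent.
}


def run_example():
    """Tier the sample assets and return (tiers, RTO breaches) for the sample test results."""
    tiers = categorise_assets(SAMPLE_SERVICES)
    return tiers, check_rto(tiers, SAMPLE_TESTED_RTO_HOURS)


if __name__ == "__main__":
    tiers, breaches = run_example()
    for asset, tier in sorted(tiers.items(), key=lambda kv: TIER_ORDER.index(kv[1])):
        print(f"{asset:24} {tier}")
    for asset, (tier, tested, allowed) in breaches.items():
        print(f"BREACH {asset}: tier {tier}, tested {tested}h, RTO {allowed}h")
```

The shared "Core banking ledger" is pulled up to Severe by the payments service even though it also serves a Low-tier statements process, which is the concentration-of-risk effect the mapping stage is meant to surface; the untested vendor is reported alongside the outright breaches rather than silently passed.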
Stage 4 – Assessment

Example output: E2E resilience profile and Board risk profile.

E2E resilience profile (template):
• In-scope E2E name: SWIFT & CHAPS Payments
• E2E type: High-Value Payments
• Resilience category: Tier 1
• Profile version: 1 - Resilience
• E2E owner: A.N. Other
• Aligned CEF: Payment Services
• Creation date: 01/01/0000
• Date approved: 01/01/0000
• E2E overview: Payments process for both SWIFT & CHAPS outwards and inwards payments. Inwards uses the same teams, systems and process steps as outwards. Outwards is deemed more critical.
• Daily transactions, daily financial volumes, time critical: xxx
• Work-arounds, systems on the critical path, business functions, critical suppliers: xxx
• Known risks to the process: Risk 1; Risk 2; Risk 3

The Critical Process owner is responsible for completing the Gap Analysis using data validated through the workshop, risks that sit within the risk portal, and KRIs. Once approved, this should be shared with the organisation's Resilience team for their oversight and collation into a central repository.
Stage 5 – Reporting & Remediation

KRIs across the four pillars (People, Premises, Suppliers, Technology) inform the MI summary. Dashboards of relevant granularity provide audience-appropriate MI at three levels: Process Level, Monthly Aggregation and YTD Trends. Gradual aggregation of data provides a reliable view of organisational resilience, and presents a dependable methodology that ensures accuracy of the data reported.

Example process-level dashboard (Operational Resilience: High-Value Payments):

Process name: High-Value Payments
Process resilience tier: (not shown)
Date: Feb-17   Overall process RAG status: Amber   Overall process score: 0.50

Pillar              RAG status   Score
People & Process    Amber        0.50
Premises            Amber        0.50
Technology          Amber        0.50
Third Parties       Amber        0.50

Overall Resilience Team opinion: (comments)

The KRIs utilise data from across the 4 pillars of resilience; this data can be fed into the reporting dashboard to provide the three views. From the process level, the data can be aggregated to provide monthly and quarterly reporting and YTD trend analysis.

While the 4 pillars provide a mutually exclusive and comprehensive segmentation of the business, we understand that many organisations may align their focus differently. PwC methodology and tools are customisable to your needs.
Stage 5 – Reporting & Remediation: Process Level

The process-level dashboard shows:
• Overall RAG status of the process.
• Overall RAG status of each pillar.
• KRI RAGs broken down by pillar in a simple, digestible format.
• KRIs defined by a set of attributes; individual RAG scores per attribute allow you to quickly identify problem areas / gaps.
• Pillar assessments that are segmented appropriately: People = Teams; Premises = Location; Technology = Systems; 3rd Party = Suppliers.
Stage 5 – Reporting & Remediation: Monthly Aggregation and YTD Trends

Monthly Aggregation: a monthly view across critical processes, aligning each process to specific functions.
YTD Trends: quickly identify emerging trends in your resilience portfolio using aggregated data from your monthly assessments.

Remediation:
• Prioritisation: MI dashboards provide a means to identify those areas that require immediate attention.
• Repeat issues: automated 90-day RAG statuses allow the resilience team to make a fairer assessment of the state of a given resilience area.
• Investment: MI reporting in this way allows the organisation to direct its investment into the most relevant areas.
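The roll-up described across the Stage 5 slides (KRI attribute colours to a pillar RAG, pillar RAGs to a process RAG and score, then monthly aggregation, YTD trend and the 90-day repeat-issue view) as an added Python example; it is not PwC's dashboard or tooling. The deck shows only that Amber rows carry a score of 0.50, so the RAG-to-score mapping, the score bands used to map an average back to a colour, the equal weighting of KRIs within a pillar and of pillars within a process, the treatment of three monthly assessments as the 90-day window, and the three months of sample KRI colours are all assumptions constructed here.

```python
"""Stage 5 worked example: rolling KRI RAG statuses up to pillar and process level,
monthly aggregation, YTD trend and 90-day repeat-issue detection.

Added illustration, not PwC's dashboard. Assumed, not from the deck: the numeric
score per RAG colour, the score bands that map back to a colour, the equal weighting
of KRIs within a pillar and of pillars within a process, and the sample KRI data.
"""
from statistics import mean

PILLARS = ("People & Process", "Premises", "Technology", "Third Parties")

# Assumed scoring: Red 0, Amber 0.5, Green 1 (consistent with the 0.50 / Amber rows
# shown in the deck, but the deck does not state the mapping).
RAG_SCORE = {"Red": 0.0, "Amber": 0.5, "Green": 1.0}


def score_to_rag(score, red_below=0.3, amber_below=0.8):
    """Map an averaged score back to a colour using assumed bands."""
    if score < red_below:
        return "Red"
    if score < amber_below:
        return "Amber"
    return "Green"


def assess_process(kri_rags):
    """Roll one month's KRI colours for one process up to pillar and process level.

    kri_rags: {pillar: {kri_name: "Red" | "Amber" | "Green"}}
    Returns (overall_score, overall_rag, {pillar: (score, rag)}), scores rounded to 2 dp.
    Every pillar must carry at least one KRI; a pillar with no data is an error, not a Green.
    """
    pillar_scores = {}
    for pillar in PILLARS:
        rags = kri_rags.get(pillar)
        if not rags:
            raise ValueError(f"no KRIs recorded for pillar {pillar!r}")
        pillar_scores[pillar] = mean(RAG_SCORE[colour] for colour in rags.values())
    overall = mean(pillar_scores.values())
    pillar_results = {p: (round(s, 2), score_to_rag(s)) for p, s in pillar_scores.items()}
    return round(overall, 2), score_to_rag(overall), pillar_results


def monthly_aggregation(assessments):
    """assessments: {"YYYY-MM": {process: kri_rags}} -> {"YYYY-MM": {process: (score, rag)}}."""
    return {month: {proc: assess_process(k)[:2] for proc, k in procs.items()}
            for month, procs in assessments.items()}


def ytd_trend(assessments, process):
    """Chronological (month, overall score) pairs for one process."""
    return [(m, assess_process(assessments[m][process])[0]) for m in sorted(assessments)]


def repeat_issues(assessments, process, window=3):
    """KRIs that were non-Green in each of the last `window` monthly assessments.

    Three consecutive monthly assessments stand in for the deck's automated 90-day
    RAG status (an assumption about how that window is counted). Returns a set of
    (pillar, kri_name); empty if fewer than `window` months are on record.
    """
    months = sorted(assessments)[-window:]
    if len(months) < window:
        return set()
    persistent = None
    for month in months:
        this_month = {(p, kri) for p, rags in assessments[month][process].items()
                      for kri, colour in rags.items() if colour != "Green"}
        persistent = this_month if persistent is None else persistent & this_month
    return persistent


# Constructed sample: one Tier 1 process, three months of KRI colours (assumed data).
PROCESS = "High-Value Payments"
SAMPLE = {
    "2017-01": {PROCESS: {
        "People & Process": {"Key person cover": "Amber", "Runbook currency": "Green"},
        "Premises":         {"Site failover test": "Green", "Power resilience": "Green"},
        "Technology":       {"Payments hub RTO": "Red", "SWIFT gateway patching": "Green"},
        "Third Parties":    {"SWIFT SLA": "Green", "CIT vendor exit plan": "Amber"}}},
    "2017-02": {PROCESS: {
        "People & Process": {"Key person cover": "Amber", "Runbook currency": "Amber"},
        "Premises":         {"Site failover test": "Green", "Power resilience": "Red"},
        "Technology":       {"Payments hub RTO": "Red", "SWIFT gateway patching": "Green"},
        "Third Parties":    {"SWIFT SLA": "Amber", "CIT vendor exit plan": "Amber"}}},
    "2017-03": {PROCESS: {
        "People & Process": {"Key person cover": "Amber", "Runbook currency": "Green"},
        "Premises":         {"Site failover test": "Green", "Power resilience": "Green"},
        "Technology":       {"Payments hub RTO": "Red", "SWIFT gateway patching": "Amber"},
        "Third Parties":    {"SWIFT SLA": "Green", "CIT vendor exit plan": "Green"}}},
}


if __name__ == "__main__":
    score, rag, pillars = assess_process(SAMPLE["2017-02"][PROCESS])
    print(f"{PROCESS} Feb-17: {rag} {score:.2f}")
    for pillar, (s, r) in pillars.items():
        print(f"  {pillar:18} {r:6} {s:.2f}")
    print("YTD trend:", ytd_trend(SAMPLE, PROCESS))
    print("Repeat issues (90 days):", sorted(repeat_issues(SAMPLE, PROCESS)))
```

Two points the averaging hides are worth noting when building the real thing: the March process score is the same 0.75 as January even though the Technology pillar has dropped to Red, so the pillar view must stay alongside the overall figure; and the repeat-issue set is an intersection over the window, so a KRI that flips back to Green for a single month is deliberately dropped from it.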
Stage 5 – Reporting & Remediation: Dashboards

Easy-to-interpret metrics: quickly identify emerging trends in your resilience in a format that can be tailored easily to different audiences.
Audience specific: pivot data at the touch of a button without fear of scrambling data.

Benefits:
• Disseminate data without the need for static reporting.
• Identify trends using dynamic data arrays.
• Instant visualisation in a plethora of chart types, matrices, etc.
• Minimises exposure to editable data.
This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.
© 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.