Operational Resilience Measure and Report 26 Sept 2017 Lewis McKenzie | Andrew Charlton

Operational Resilience Measure and Report · Meeting regulatory expectations Define Risk Appetite & top-down KPIs & KRIs Risk Appetite and KRIs 2 Risk assessment leverages reproducible,

Mar 22, 2020

Page 1

Page 2

PwC

Evolution of Resilience Regulation: The supervisory journey

Timeline markers on the slide: H1 2012, Q2 2012, Q3 2012, Q4 2012, Q2 2013, Q3 2014, Q4 2014, H2 2015, Today. Phases: Validation/Learning; Regime response; Supervision.

Events on the timeline:
• SEC 'Flash Crash' proposals.
• Q2 2012: Payments outage at RBS affects 6.5m customers for up to a month. Multiple incidents at several banks.
• Q3 2012 (Gamechanger): FSA undertakes the Dear Chairman Exercise, making IT resilience a Board issue.
• Q4 2012: Board Chairpersons explain to the FSA how they manage and control IT risk, and deliver the DCE1 response.
• Q2 2013: FSA becomes PRA and FCA. Focus on IT resilience is sustained.
• European Supervisory Authority joint committee report identifies insufficient understanding of IT risks by regulators.
• Banks respond to DCEII.
• Q4 2014: CHAPS RTGS outage highlights concentration risks in payment infrastructure. FCA / PRA fine RBS £56m.
• Private DCEII feedback to 7 participants. No market report was forthcoming from FCA / PRA.
• Supervisory focus on resilience at FCA / PRA and international regulators. Technology Resilience Questionnaire issued by FCA.

Regulatory Challenge
• Board accountability for critical infrastructure. Requirement for IT expertise on the board.
• End-to-end (E2E) resilience collaboration vs silo approach.
• Resilience requirements not as advanced as they should be [e.g. E2E mapping and testing of critical economic functions (CEFs)].
• Insufficient prioritisation in operationalising resilience requirements that have been identified.
• Greater appreciation for / demonstration of conduct considerations within IT risk appetite.
• Maturity and delineation of 3LoD (three lines of defence): risk and control management not keeping pace with newly emerging risks.
• Breadth of IT risk assessment activities vs individual service.
• Need for a better understanding of 3rd party dependencies and ensuring their compliance with the given organisation's conduct framework.
• Granularity of RTOs, including interdependencies.

Outcomes
• Increase in infrastructure reviews to address IT resilience. However, firms are not fully taking into account the need for resilience across the business.
• Confused granularity of metrics, compounded by a lack of clarity / consistency in key metric reporting.
• PwC development of the Operational Resilience Maturity Assessment tool (ORMA), utilising knowledge of Dear Chairman exercises.
• PwC development of Operational Resilience programme methodology and supporting tools.

Page 3


Regulatory Changes Worldwide

Global regulatory expectations and standards:
• FFIEC: IT Booklet – BCP (2015)
• Institute of Internal Auditors: BCM Practice Guide (2014)
• International Organization for Standardization: ISO 22316 Organizational Resilience (2017)
• MAS: BCM Guidelines (2003)
• Central Bank of Ireland: Guidance on Tech & Cyber (2016)
• European Central Bank: IT Risk Stocktake (2016)
• FCA / PRA: Dear Chairman II (2014); FCA Tech & Cyber Questions (2017); FCA Business Plan (2017)
• SEC: Updated BCM Guidance (2016)
• HKMA: BCP Supervisory Policy Manual (2002)

European regulators and international standards are now setting a clear expectation that organisations should make the strategic shift from BCM, recovery-focused programmes to an integrated, multi-disciplined, end-to-end resilience approach, with client and market impacts as the significant influencers.

Page 4


The Path to Resilience

Resilience level runs from Minimal (siloed continuity, recovery & planning) to High (operational resilience). Each level on the slide is described by its characteristics, its ability to respond, and its metrics.

Undeveloped
• Characteristics: Piecemeal and ad hoc plans, usually driven by a need to comply with legislation or regulation.
• Ability to respond: Minimum legal / regulatory requirements are met, but the ability to respond is patchy and uncertain.
• Metrics: Metrics are minimal and fragmented. Little evidence of metric-guided BC.

Formalised
• Characteristics: BCM policy is set, and business continuity plans developed for key sites and facilities.
• Ability to respond: Key sites and facilities can respond to major incidents and they should be able to reduce the disruption to their operations.
• Metrics: Metrics have been formalised, but reporting / capture lacks consistency.

Established
• Characteristics: Business Continuity is integrated with incident and crisis management, and emergency response. BCM is embedded in the organisation, with regular exercising.
• Ability to respond: Response capabilities are optimised at a site level and their ability to recover operations is reasonably certain and efficient.
• Metrics: Mature set of metrics, but requires refinement to identify gaps and establish those metrics that are truly key.

Integrated
• Characteristics: Resilience analysis has been done across the organisational silos, taking into account supply and value chain dependencies and risks.
• Ability to respond: Key business priorities are understood, and the organisation can implement a strategic response to disruptions, across its sites and supply chain.
• Metrics: The organisation has identified a set of KRIs with which to measure resilience.

Optimised
• Characteristics: Resilience is integrated within the overall risk management approach, and is embedded within the corporate governance processes.
• Ability to respond: Investment in resilience and risk is optimised, and the organisation has sustained capability to respond to major threats.
• Metrics: KRIs inform key resilience decisions at all levels. KRIs are streamlined and manageable.

Page 5


End-to-End Operational Resilience – The Journey

Phases: Identify & Select; Measure & Assess; Resilience Trajectory. The five stages, with their benefits, are:

Stage 1: Identify Critical Services (CS) & set Governance (Critical Services)
CS selection should take into account services identified as systemic by the regulator, as well as the following four areas:
(1) License to Operate
(2) Customer Promise
(3) Business Strategy
(4) Business Impact Assessment
Benefits:
• Knowing what matters most to the bank
• Well-understood priorities
• Ownership established
• Quicker decision making in crises

Stage 2: Define Risk Appetite & top-down KPIs & KRIs (Risk Appetite and KRIs)
Define risk appetite for the CS (including the channels that make up the CS) by utilising prioritised service tiers; assign thresholds for KRIs based on this tiering.
Benefits:
• Driven by risk appetite and performance
• Linked into Risk Management
• Resilience across siloed activities
• Meeting regulatory expectations

Stage 3: Mapping (End-to-End Mapping)
The CS and principal channels are mapped out, identifying the critical path through activities. The four pillars of service capability (People, Premises, 3rd Parties, and Technology) are mapped against each activity on the critical path.
Benefits:
• Understanding of value chain
• Critical path identified
• Key dependencies and their owners identified
• Single points of failure and concentration of risk identified

Stage 4: Assessment (Metrics that count)
Risk assessment leverages a reproducible, consistent methodology, delineated through execution of the initial programme. This approach provides an overall risk profile and gap analysis; risks, summaries, and overall ratings are mapped for each service.
Assessing KRIs: KRIs are applied across the critical path to help identify risk hot-spots (both vulnerabilities and dependencies).
Benefits:
• Direct link between KRIs and risk appetite
• Ability to drill down and diagnose issues relating to service delivery
• Cross-cutting analyses provide pillars with business impact data
• Ability to assess forward-looking indicators to anticipate problems
• Combination and extension of existing metrics for efficiency

Stage 5: Reporting & Controls (Insight and Action; Reporting & Remediation)
Reporting will enable the bank to make informed decisions regarding remediation actions spanning the organisation.
Benefits:
• Overall Resilience dashboard
• Controls applied at best point
• Integration with risk management
• Joined-up top-to-bottom view
• Follows regulatory direction
• Timeliness of action
• Efficiency of investment

You are here…

Page 6


Stage 2 – Define Risk Appetite & Top-Down KPIs & KRIs

Top-down, business-aligned, RMF-driven. Components: Operational Resilience Policies, Standards & Procedures; Operational Resilience Risk Appetite; Service alignment to Service Tiers and Risk Thresholds.

• Risk Appetite statement and metrics, agreed by the Board, help define the high-level boundaries of the Risk Management Framework (RMF).
• Risk Appetite articulated to reflect the operational impact that management is willing to accept, with respect to Operational Resilience. This is aligned to the RMF / Impact criteria.
• Risk Appetite established for each service. Services are subsequently categorised into defined service tiers: Severe, High, Medium, Low. Systems, data facilities, and vendors are categorised by the corresponding tier level of the service they support.
• Operational Resilience metrics and thresholds [e.g. Maximum Acceptable Outage (MAO), Recovery Time Objective (RTO), etc.] are defined for each of the four service tiers. Service categorisation is determined by way of the Risk Appetite.
• Operational Resilience capabilities, required to support the achievement of the Operational Resilience thresholds in the resilience service tiers, are defined in terms of the four pillars: (i) People & Process, (ii) Technology, (iii) Suppliers, (iv) Premises & Assets.
• Policies, internal controls and procedures supporting Operational Resilience are fully documented.

Flow on the slide: Board-agreed Risk Appetite → Risk Appetite defined for Services (e.g. 'access to cash for ATMs') → Operational Resilience Capabilities supporting Metrics and Thresholds. KPIs and KRIs are set in parallel with tiers and thresholds so that generated MI is succinct, specific, and relevant.
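The tiering rules above (one risk appetite per service; Severe/High/Medium/Low tiers; systems, facilities and vendors inheriting the tier of the service they support; MAO/RTO thresholds per tier) and the Stage 3 mapping goal of surfacing single points of failure and concentration of risk on the critical path can be made mechanical. The following is an added example written for this page, not PwC's ORMA tool or any code from the deck: it encodes those rules, with the tier ordering, the threshold hours, and the services and dependencies all being assumptions chosen for illustration.

```python
"""Service tiering, threshold inheritance and concentration-risk detection.

Added example, not PwC's ORMA tooling. It encodes the rules stated on the
page (risk appetite per service; services tiered Severe/High/Medium/Low;
systems, facilities and vendors take the tier of the service they support;
MAO/RTO thresholds per tier; single points of failure and concentration of
risk identified on the critical path). The tier ordering, threshold values,
services and dependencies below are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed ordering: lower rank = more critical.
TIER_RANK = {"Severe": 0, "High": 1, "Medium": 2, "Low": 3}

# Assumed illustrative thresholds per tier, in hours.
TIER_THRESHOLDS = {
    "Severe": {"MAO": 2.0, "RTO": 1.0},
    "High": {"MAO": 8.0, "RTO": 4.0},
    "Medium": {"MAO": 24.0, "RTO": 12.0},
    "Low": {"MAO": 72.0, "RTO": 48.0},
}


@dataclass(frozen=True)
class Service:
    name: str
    tier: str                      # set from the service's agreed risk appetite
    dependencies: tuple[str, ...]  # systems, sites, teams, suppliers on its critical path


@dataclass(frozen=True)
class Dependency:
    name: str
    pillar: str            # People & Process / Technology / Suppliers / Premises & Assets
    recovery_hours: float  # demonstrated (tested) time to recover this dependency


def inherit_tiers(services: list[Service]) -> dict[str, str]:
    """Each dependency takes the most critical tier among the services it supports."""
    tiers: dict[str, str] = {}
    for svc in services:
        for dep in svc.dependencies:
            if dep not in tiers or TIER_RANK[svc.tier] < TIER_RANK[tiers[dep]]:
                tiers[dep] = svc.tier
    return tiers


def concentration_risks(services: list[Service]) -> dict[str, list[str]]:
    """Dependencies shared by more than one critical service: concentration / SPOF candidates."""
    users: dict[str, list[str]] = {}
    for svc in services:
        for dep in svc.dependencies:
            users.setdefault(dep, []).append(svc.name)
    return {dep: names for dep, names in users.items() if len(names) > 1}


def rto_breaches(services: list[Service], dependencies: list[Dependency]) -> list[tuple[str, str, str]]:
    """(dependency, inherited tier, reason) for every dependency that cannot meet its tier's RTO.

    A dependency on a critical path with no mapped recovery data is reported too:
    an unowned, unmeasured dependency is a gap, not a pass.
    """
    tiers = inherit_tiers(services)
    known = {d.name: d for d in dependencies}
    findings = []
    for dep_name, tier in tiers.items():
        rto = TIER_THRESHOLDS[tier]["RTO"]
        dep = known.get(dep_name)
        if dep is None:
            findings.append((dep_name, tier, "on critical path but no recovery data mapped"))
        elif dep.recovery_hours > rto:
            findings.append((dep_name, tier, f"recovers in {dep.recovery_hours}h, tier RTO is {rto}h"))
    return findings


# Constructed sample data (not from the page).
SAMPLE_SERVICES = [
    Service("High-Value Payments", "Severe", ("SWIFT gateway", "Payments ops team", "Data centre A")),
    Service("Access to cash for ATMs", "High", ("ATM switch", "Data centre A", "Cash-in-transit supplier")),
    Service("Statement printing", "Low", ("Print vendor", "Data centre A")),
]

SAMPLE_DEPENDENCIES = [
    Dependency("SWIFT gateway", "Technology", 0.5),
    Dependency("Payments ops team", "People & Process", 1.0),
    Dependency("Data centre A", "Premises & Assets", 6.0),  # shared by all three services
    Dependency("ATM switch", "Technology", 3.0),
    Dependency("Cash-in-transit supplier", "Suppliers", 24.0),
    # "Print vendor" deliberately has no mapped recovery data.
]

if __name__ == "__main__":
    for dep, tier in sorted(inherit_tiers(SAMPLE_SERVICES).items()):
        print(f"{dep:26s} -> {tier}")
    print("concentration:", concentration_risks(SAMPLE_SERVICES))
    for finding in rto_breaches(SAMPLE_SERVICES, SAMPLE_DEPENDENCIES):
        print("BREACH", finding)
```

Two design points matter for an assessor. First, a shared site or system is tiered by its most critical consumer, so the Low-tier statement service cannot drag "Data centre A" down to a 48-hour RTO while the Severe-tier payments service depends on it. Second, a dependency that appears on a critical path but has no owner or tested recovery time is reported as a finding rather than silently skipped, which is exactly the kind of gap the Stage 3 mapping is meant to expose.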

Stages: 1 Identify Critical Services (CS) & set Governance; 2 Define Risk Appetite & top-down KPIs & KRIs; 3 Mapping; 4 Assessment; 5 Reporting & Controls.

Page 7


Stage 4 – Assessment

Example E2E resilience profile (template fields as shown on the slide):
In scope E2E Name: SWIFT & CHAPS Payments
E2E Type: High-Value Payments
Resilience Category: Tier 1
Profile version: 1 - Resilience
E2E Owner: A.N.Other
Aligned CEF: Payment Services
Creation date: 01/01/0000
Date approved: 01/01/0000
E2E Overview: Payments process for both SWIFT & CHAPS outwards and inwards payments. Inwards uses the same teams, systems and process steps as outwards. Outwards is deemed more critical.
Daily Transactions / Daily Financial Volumes / Time critical: (fields on the template)
Work arounds | Systems on critical path | Business Functions | Critical Suppliers: xxx (placeholders on the template)
Known Risks to the Process: Risk 1, Risk 2, Risk 3

The Critical Process owner is responsible for the completion of the Gap Analysis using data validated through the workshop, risks that sit within the risk portal, and KRIs.

Once approved this should be shared with the organisation's Resilience team for their oversight and collation into a central repository.

Example Output: Board Risk Profile


Page 8


Stage 5 – Reporting & Remediation

Data from the four pillars (People, Premises, Suppliers, Technology) flows through three levels of aggregation: Process Level → Monthly Aggregation → YTD Trends.

• Dashboards of relevant granularity provide audience-appropriate MI.
• KRIs across the 4 pillars inform the MI summary.
• Gradual aggregation of data provides a reliable view of organisational resilience, and presents a dependable methodology that ensures accuracy of data reported.

Example process-level dashboard (illustrative values as shown on the slide):
Process Name: High-Value Payments
Process Resilience Tier: (blank on the slide)
Date | Overall Process RAG Status | Overall Process Score
Feb-17 | Amber | 0.50
Pillar | RAG Status | Score
People & Process | Amber | 0.50
Premises | Amber | 0.50
Technology | Amber | 0.50
Third Parties | Amber | 0.50
Overall Resilience Team Opinion: (blank on the slide)
Comments: a, b, c, d, e


The KRIs utilise data from across the 4 pillars of resilience. This data can be fed into the reporting dashboard to provide three views: from the process level, the data can be aggregated to provide monthly and quarterly reporting and YTD trend analysis.

While the 4 pillars provide a mutually exclusive and comprehensive segmentation of the business, we understand that many organisations may align their focus differently. PwC methodology and tools are customisable to your needs.


Page 9


Stage 5 – Reporting & Remediation

Process Level
• Overall RAG status of the process.
• Overall RAG status of each pillar.
• KRI RAGs broken down by pillar in a simple, digestible format.
• KRIs are defined by a set of attributes. Individual RAG scores per attribute allow you to quickly identify problem areas / gaps.
• Pillar assessments that are segmented appropriately: People = Teams; Premises = Location; Technology = Systems; 3rd Party = Suppliers.


Page 10


Stage 5 – Reporting & Remediation

Monthly Aggregation: Monthly view across critical processes, aligning each process to specific functions.

YTD Trends: Quickly identify emerging trends in your resilience portfolio using aggregated data from your monthly assessments.

Remediation
• Prioritisation – MI dashboards provide a means to identify those areas that require immediate attention.
• Repeat Issues – automated 90-day RAG statuses allow the resilience team to make a fairer assessment of the state of a given resilience area.
• Investment – MI reporting in this way allows the organisation to distribute its investment into the most relevant areas.
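The process-level structure described on the previous page (a RAG per KRI attribute, rolled up to a RAG and score per pillar and then to an overall process RAG and score) and the 90-day repeat-issue status above are stated without the arithmetic behind them. The following is an added example written for this page, not PwC's dashboard or any code from the deck. The RAG-to-score mapping, the score bands, the rule that a Red attribute cannot average away to Green, the 90-day window semantics, and the sample readings and history are all assumptions; the bands are chosen so that a 0.50 score reads Amber, consistent with the illustrative dashboard on page 8.

```python
"""KRI attribute RAGs rolled up to pillar and process RAG, with a 90-day repeat-issue check.

Added example, not PwC's dashboard. The page gives the structure (KRIs scored
per attribute, attributes grouped into pillars, pillars rolled up to an overall
process RAG and score, monthly history feeding 90-day "repeat issue" statuses)
but not the arithmetic. The RAG-to-score mapping, the score bands, the
"a Red attribute cannot average away to Green" rule, the window semantics and
the sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean

RAG_SCORE = {"Green": 0.0, "Amber": 0.5, "Red": 1.0}  # assumed numeric mapping


@dataclass(frozen=True)
class KriReading:
    pillar: str        # People & Process / Premises / Technology / Third Parties
    attribute: str     # a team, location, system or supplier
    kri: str           # what is measured (higher observed = worse)
    observed: float
    amber_at: float    # tolerance from risk appetite: Amber at or above this value
    red_at: float      # Red at or above this value


def attribute_rag(r: KriReading) -> str:
    if r.observed >= r.red_at:
        return "Red"
    if r.observed >= r.amber_at:
        return "Amber"
    return "Green"


def rag_from_score(score: float) -> str:
    """Assumed bands: [0, 0.25) Green, [0.25, 0.75) Amber, [0.75, 1] Red."""
    if score < 0.25:
        return "Green"
    if score < 0.75:
        return "Amber"
    return "Red"


def aggregate(readings: list[KriReading]) -> tuple[str, float, dict[str, tuple[str, float]]]:
    """Return (process RAG, process score, {pillar: (pillar RAG, pillar score)})."""
    by_pillar: dict[str, list[float]] = {}
    for r in readings:
        by_pillar.setdefault(r.pillar, []).append(RAG_SCORE[attribute_rag(r)])
    pillars: dict[str, tuple[str, float]] = {}
    for pillar, scores in by_pillar.items():
        score = round(mean(scores), 2)
        rag = rag_from_score(score)
        if rag == "Green" and max(scores) == RAG_SCORE["Red"]:
            rag = "Amber"  # averaging must not hide a Red attribute (assumed escalation rule)
        pillars[pillar] = (rag, score)
    process_score = round(mean(score for _, score in pillars.values()), 2)
    return rag_from_score(process_score), process_score, pillars


def repeat_issues(history: list[tuple[date, str, str]], as_of: date, window_days: int = 90) -> list[str]:
    """Pillars that were non-Green at every assessment in the trailing window (at least two)."""
    cutoff = as_of - timedelta(days=window_days)
    rags: dict[str, list[str]] = {}
    for when, pillar, rag in history:
        if cutoff <= when <= as_of:
            rags.setdefault(pillar, []).append(rag)
    return sorted(p for p, rs in rags.items() if len(rs) >= 2 and all(r != "Green" for r in rs))


# Constructed sample readings for one process, Feb-17 (not from the page).
SAMPLE_READINGS = [
    KriReading("People & Process", "Payments ops team", "unfilled critical roles", 2, 1, 4),
    KriReading("People & Process", "Sanctions screening team", "single-skilled staff %", 40, 25, 60),
    KriReading("Premises", "Data centre A", "failed power tests (12m)", 1, 1, 3),
    KriReading("Technology", "SWIFT gateway", "DR test overrun vs RTO (h)", 5, 1, 4),
    KriReading("Technology", "Payments hub", "DR test overrun vs RTO (h)", 0, 1, 4),
    KriReading("Technology", "Core banking", "DR test overrun vs RTO (h)", 0, 1, 4),
    KriReading("Technology", "Reconciliation", "DR test overrun vs RTO (h)", 0, 1, 4),
    KriReading("Technology", "Sanctions screening", "DR test overrun vs RTO (h)", 0, 1, 4),
    KriReading("Third Parties", "Cash-in-transit supplier", "overdue audit actions", 0, 2, 5),
    KriReading("Third Parties", "Card scheme", "overdue audit actions", 1, 2, 5),
]

# Constructed monthly history: (assessment date, pillar, pillar RAG).
SAMPLE_HISTORY = [
    (date(2016, 11, 30), "Technology", "Amber"),
    (date(2016, 12, 31), "Technology", "Amber"),
    (date(2017, 1, 31), "Technology", "Red"),
    (date(2016, 12, 31), "Premises", "Green"),
    (date(2017, 1, 31), "Premises", "Amber"),
    (date(2016, 11, 30), "Third Parties", "Red"),
]
AS_OF = date(2017, 2, 28)

if __name__ == "__main__":
    process_rag, process_score, pillars = aggregate(SAMPLE_READINGS)
    print(f"Process: {process_rag} {process_score:.2f}")
    for pillar, (rag, score) in pillars.items():
        print(f"  {pillar:18s} {rag:6s} {score:.2f}")
    print("Repeat issues (90 days):", repeat_issues(SAMPLE_HISTORY, AS_OF))
```

With the sample readings, the Technology pillar has one Red attribute (the SWIFT gateway's DR test overran its RTO) among four Green ones; a plain average (0.20) would report it Green, so the escalation rule lifts it to Amber while keeping the score honest. The repeat-issue check then flags Technology, which has been non-Green at every assessment in the trailing 90 days, and ignores Third Parties, whose single Red reading is not yet a pattern.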


Page 11


Stage 5 – Reporting & Remediation – Dashboards

Easy-to-interpret metrics; audience specific
• Quickly identify emerging trends in your resilience in a format that can be tailored easily to different audiences.
• Pivot data at the touch of a button without fear of scrambling data.

Benefits
• Disseminate data without the need for static reporting
• Identify trends using dynamic data arrays
• Instant visualisation in a plethora of chart types, matrices, etc.
• Minimises exposure to editable data


Page 12

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers LLP, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2017 PricewaterhouseCoopers LLP. All rights reserved. In this document, "PwC" refers to PricewaterhouseCoopers LLP (a limited liability partnership in the United Kingdom) which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.