8 Reasons Why You Need OpRes in Your Resilience Program

Drafted by Ben Saunders: OpRes Founder

Roughly an 8-minute Read

In my last blog, I spoke about the FCA’s recent policy updates to PS21/3 - “Building Operational Resilience”. This week, I wanted to spend some time mapping the various requirements that are outlined in the policy and explaining how the features within OpRes will make many of these tasks easier and faster for firms to execute.

We’ve provided 8 initial reasons why we believe firms need OpRes as a part of their resilience program. However, there are more! So do feel free to get in touch with us and learn more about how we can help your organisation in the coming months. March 2022 will be upon us faster than you know it.

So, let’s get to it!

Number 1 - End to End Mapping of Business Services 

Within OpRes, we provide users with the capability to map business services end to end, across any channel. We do this in the persona of our customers’ customer. As an example, a firm’s customer executes a journey or action to make a payment or complete everyday banking transactions in their mobile application. As they execute these “steps” in the flow, they interact with and touch many systems that are either hosted within the firm’s technology estate or under the control of a 3rd/4th party supplier.

With OpRes, firms can map each step of their customer’s journey across the business services end-to-end flow and map system/supplier dependencies across their technology estate. This is an important prerequisite for firms when they set impact tolerances for the business services. 

Number 2 - Document Critical Data About Your Business Services

With OpRes, firms can also capture critical business information, as well as functional and non-functional requirements about a specific business service. Our experience tells us that the following data points are vital to support rigorous scenario testing, which the FCA has informed firms they must complete by 2025 across their important business services. Some of the key data points we can capture or ingest include:

  • What functions the business service supports

  • The material risk-taker of the business service

  • Data classification and information sensitivity that the business service interacts with

  • Historical incident management data against the business service, its systems, and suppliers

  • Revenue generated across a business service in a defined period

  • Number of active customers/users of the business service

  • Number of new customers onboarded in a defined period

  • Peak usage windows & customer/user transaction volumes

  • Monitoring system data (e.g., SRE golden signals: saturation, latency, errors, traffic)

These are but a few of the data points we can analyse and report upon with OpRes. 

Number 3 - Set Impact Tolerances for Business Services 

The FCA has given firms a deadline of March 2022 to define the impact tolerances for all of their important business services. This is no easy undertaking. As such, we have built a simple yet effective framework for setting impact tolerances across an initial set of time-based data points that all firms must be compliant with. Using a simple Likert Scale framework, firms can set impact tolerances for the following areas across their business services:

  • Service Level Agreement

  • Service Level Objective

  • Recovery Time Objective

  • Recovery Point Objective

  • Incident Notification Timeframes

  • Incident Restoration Timeframes

By using our rules engine to configure these impact tolerances, firms can set conditions in order to understand where a supplier or technology system either directly matches impact tolerances, sits within acceptable boundaries, or does not match their risk appetite. Furthermore, users can document their justifications within OpRes for regulatory reporting purposes, whilst periodic reminders and notifications can be set at pre-defined intervals to ensure that the tolerance thresholds are regularly reviewed as per the FCA’s policies and recommendations to firms.

Number 4 - Identify At-Risk Suppliers & Systems

By correlating the data captured across business service records and those of suppliers/systems, firms can quickly identify where impact tolerances are not in line with their risk appetite and take appropriate action to remediate potential resilience gaps. Using the workflow automation within OpRes, firms can mitigate, track and report on their remediation steps without having to populate other data sources, which can often take time and quickly become out of date.

Not only can OpRes identify where impact tolerances do not match your firm’s appetite, we can also help your organisation understand the distribution of your technology estate across private and public cloud deployments, whether this is across IaaS, SaaS, or PaaS consumption models. This is a critical requirement for firms to ensure that they understand the hosting dependencies of their business services, particularly as more firms adopt SaaS solutions that are more widely being hosted in the public cloud. If you haven’t done so already, then read the guidance for firms outsourcing to the ‘cloud’ and other third-party IT services.

It is not unheard of for firms to start adopting SaaS solutions at speed and very quickly identify that they have a heavy concentration of critical or important technology services residing with a single third-party supplier!

Number 5 - Real-Time Dashboards and Actionable Insights 

Generating reports for internal compliance teams and regulators takes time and is a costly exercise. With OpRes, firms can generate tailored views and dashboards which aggregate multiple data sources in real-time. This enables firms to gain a global perspective of their operational resilience, whilst allowing them to filter on regions, countries, institutions, entities, firms, and more specifically business services or suppliers. Our dashboards can surface key insights such as high-risk business services, highly volatile or non-performant suppliers, and concentration risks with specific suppliers and/or systems. We can also surface compliant or non-compliant systems based on whether they are classified as critical or important to multiple business services.

This is an important point to make, as one single supplier/system could underpin multiple business services yet be “critical” to the normal operations of only one of them. The same supplier could be deemed “important” to another business service as a result of an architectural choice that enables acceptable operations to function without any recognisable impact on customers or the firm’s obligations to meet its financial activities.

Number 6 - Rapid Scenario Testing

Once firms understand their business services end to end, the next critical step that they must execute is to perform scenario testing of the business service. This means they must identify any risks and vulnerabilities that could cause intolerable harm to the ongoing operations of the service, whether these be technology or supplier disruptions, loss of key personnel, or indeed socioeconomic disruptions like a global pandemic. To all intents and purposes, firms must plan for the worst possible scenario and conduct an in-depth “what-if analysis” to levels that they deem suitable for their important business services.

With OpRes we have created a Resilience Calculator which allows firms to determine the impact of experiencing disruption to a system or supplier for a period of time (seconds, minutes, hours, days, weeks). We correlate this with the business MI & IT performance data and provide firms with a simulated view that highlights the potential impact on customers, business operations, and the firm’s underlying revenue should a disruption occur.

Resilience-driven scenario testing can be an exhaustive and costly exercise that often results in firms needing to build production-grade systems. With OpRes, we enable firms to execute lightweight dress rehearsals of their scenario testing. This allows them to make more informed choices about where they must focus their attention, before setting off and addressing areas that might not be as problematic as others. 

Number 7 - Aggregate Trusted Data Sources in Real-Time

Many firms will have already invested significant time and resources into building monitoring systems and configuration management databases, and establishing a governance model for tracking operational resilience gaps in their organisation. However, more often than not this information resides in multiple data sources, such as systems of record, spreadsheets, Word documents, supplier contracts, and DevOps-oriented tooling.

With OpRes, we have an API-rich proposition that allows firms to quickly integrate with trusted data sources and stream relevant updates into the platform in real-time. This can be achieved through our partnership with Timeflow Systems and the use of higher-level services in the public cloud that apply artificial intelligence and machine learning patterns.

As such, we enable firms to move towards an evidence-based resilience approach that is built on relevant data, as opposed to subjective analysis that could be out of date and no longer relevant.

Number 8 - Make Better Investment Choices

Ultimately, with all the data we can provide firms with OpRes, it is the firms themselves that will need to take action, whether that be under their own steam or with the support of a trusted partner. However, through a combination of our resilience calculator and scenario testing capabilities, we can allow firms to build more rigorous business cases and investment plans where they need to act the most.

Operational resilience fundamentally comes down to risk and how much appetite a firm has to absorb technical debt or work with sub-standard suppliers that don’t match their service level agreements. The FCA makes this very clear in its policies. 

With OpRes, because firms can align business services back to key products and business MI, they can quickly understand the repercussions of their choices should a business service experience intolerable harm: namely, the impact on their customers, revenue, reputation, and the market as a whole. As such, a firm may choose to invest more heavily in remediating operational resilience gaps in its investment banking estate, over its SME business banking proposition, because of the commercial exposure any such long-tail disruption would result in.

Because OpRes captures data and provides historical reference points for firms to refer back to, they can be reminded of why investment choices have been made and use this information when interacting with regulators. 

Closing Thoughts

The one thing that is constant in any firm is change. The people, the processes, and the technology evolve over time as a result of many external factors. The FCA recognises this, and even after March 2025, firms will constantly have to reassess their operational resilience at defined junctures.

We believe that OpRes will provide value to firms as they aim to meet their targets of mapping important business services by March 2022, whilst the additional features we are building into the solution mean it can be used more broadly as part of their operational resilience initiatives into 2025 and beyond.

We provided 8 reasons as to why we think OpRes should be a critical component of your firm’s resilience program. As ever, if you have any questions about the platform and our product roadmap then please feel free to get in touch. We are actively engaged with a number of design partners already but welcome feedback and input from firms of all shapes and sizes!

Thanks for reading as ever, 

Ben

