Operational Resilience: The opportunity for Internal Audit to support Operational Resilience implementation

June 2022 Blog

The first key regulatory deadline has now passed as of 31 March 2022. Operational Resilience should remain a key priority and an area of focus for Internal Audit.

Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key areas of focus and challenge for Boards and Senior Management over the next three years:

1. Scenario Stress Testing - Testing is likely to be the area of the core Operational Resilience regulation which continues to evolve throughout the period up to 31 March 2025, as Firm’s gain experience in the stress testing necessary, and the regulators react to the approach being followed.
2. Third Party Risk Management – Third party dependencies pose a significant threat to a firm's Operational Resilience. Visibility, oversight, and assurance is imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for their Operational Resilience and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially when the service being provided is critical for providing a firm’s important business service.
3. Transition to BAU – As firms look to build longevity in their Operational Resilience framework and capabilities, embedding Operational Resilience across the organisation will transform meeting the current policy requirements and expectations into sustainable BAU activity.

The role of Internal Audit

By holding both broad and deep organisational knowledge and a range of skillsets, Internal Audit functions can play a leading role in supporting firms to meet Operational Resilience expectations and continue to build confidence for the future. Internal Audit, as the third line of defence, has a role in providing independent, objective assurance that an organisations risk management, governance, and internal control environment are operating effectively, and Operational Resilience is no exception to this.

To date, Internal Audit has focussed on challenging management’s approach to Operational Resilience and to assess “readiness” against regulatory requirements. However, Internal Audit’s focus on Operational Resilience should continue to evolve, but certainly not in a manner which reduces continued involvement; If anything, a greater emphasis may be prudent over the coming three years, as many of the bigger challenges remain to be overcome.  

Internal Audit will also be one of the best sources for the identification of vulnerabilities and required improvement activity, as a result of their historic work over key risk areas throughout the organisation. However, we have seen little evidence to date of previous Internal Audit findings being incorporated into Operational Resilience planning and vulnerability assessments.

The regulators are already playing an active hand in terms of direct engagement with Internal Audit functions, and we expect to see this continue over the remainder of the three-year transition period. The PRA recently confirmed in their Operational Resilience: Next steps on the PRA’s Supervisory roadmap − speech in April 2022 that Operational Resilience remains one of the regulators’ highest supervisory priorities currently.

What should Internal Audit be doing?

It is expected that Internal Audit will already have identified Operational Resilience as important due to the long focus on this topic on the firm’s and the regulator’s agenda. As a result, it is expected Internal Audit have either scheduled or delivered a review of the progress made to assess and respond to the final policy statements. Indeed, the majority of Internal Audit functions we engage with across the Financial Services sector have already performed a number of reviews on the topic. There is a need to move from programme readiness assessments to broader engagement with the business including progress against management’s remediation of vulnerabilities, further embedding of the framework and continued development of scenario testing. Further details of which are included below.
 

Work already Completed to Date: Readiness Assessments

Internal Audit’s primary focus to date has been to assess the firm’s Operational Readiness to meet the Operational Resilience requirements set out by the regulators. This may have included gap analysis against the policy statements and should have considered the documentation and evidence that supervisory authorities expected to be in place by this date:

• Reviewed how the firm has interpreted the regulation and taken actions in response to this, leveraging industry response and lessons learned from COVID-19.
• Reviewed the roles and responsibilities which relate to Operational Resilience, and their adequacy for achieving the related goals of the business in relation to the regulation. This should include the board’s understanding of its own responsibilities and where their sign off for the approach under the regulations is required.
• Challenged management’s process for identifying the most Important business services to prioritise work and investment in Operational Resilience, and whether the associated rationale for inclusion or rejection of business services as important demonstrate sufficient merit and is built upon the three criteria on which this assessment should be made (levels of customer harm, financial impact on the business should something go wrong, systemic harm to the wider financial system).
• Assessed the robustness of management’s service mapping, including documentation of the people, processes, technology, facilities, information and third parties that support Important business services in order to identify vulnerabilities and substitutions and to run meaningful scenario stress-tests.
• When considering the above process mappings, paid particular attention to third party risk management, as a key area of resiliency risk which has both i) typically not been well understood within organisations, and ii) is subject to parallel and related regulatory attention. 
• Ensured that management has set appropriate Impact tolerances that articulate the maximum tolerable disruption to Important business services, through appropriate controls assessments as well as the rationale and data points utilised to support the conclusions.
• Reviewed the severe but plausible scenarios and stress-testing approach developed by management. Whilst substantial testing may not have been fully completed before 31 March 2022, management should have considered how they will assess the firm’s resilience and demonstrate that this falls within the Impact tolerances that have been set. Careful consideration should be given by Internal Audit as to whether the scenarios being used to really fit into the parameters of ‘severe but plausible’ and whether there is an adequate feedback loop of the results back to the selection of important business services and their related impact tolerances.
• Validated whether the firm has an adequate governance framework in place for managing Operational Resilience.

Longer Term: Building Maturity to 2025 and Beyond

Operational Resilience should remain a key area of focus on Internal Audit Plans following the effective date and remain a dedicated review at cyclical intervals in advance of the three-year transition deadline, during which time activities are expected to mature. An important decision for firms to make is how Operational Resilience thinking will be embedded across all reviews to ensure a ‘resilience by design’ culture and help to support resilience through change across the business. For example, when reviewing a capability or functional area, this should include assessing whether vulnerabilities have been adequately considered and how resilient related Important Business Services are.  It may be appropriate for firms to consider this in a thematic review cycle or with any major change to the capability or functional area, depending on the size and complexity of their operational resilience programme.

Moving forward, the role of Internal Audit should move to more holistic, thematic based formats, challenging stakeholders over the validity and accuracy of outputs in line with changes in the external environment and maturing of the Operational Resilience Framework. Internal Audit should focus on:

• Challenging and benchmarking management’s scenario stress-testing programme and assumptions regarding the nature, extent, and duration of the included scenarios, as well as the plan to deliver important business services during prolonged uncertainty in a way that is safe, flexible, and resilient. The scenario stress-testing programme should also include involvement and engagement with third parties where they support the provision of an important business service.
• Carefully considering the timing and involvement of any procedures around scenario stress testing – as an important and challenging area within the overall Operational Resilience methodology, innovative audit approaches such as real-time reviews of the scenario modelling could help provide valuable assurance that the Operational Resilience Self-Assessment responses are based on well-defined and executed models.
• Assessing and monitoring actions arising from scenario stress-tests to address identified vulnerabilities and enhance resilience, enabling the firm to demonstrate its ability to remain within impact tolerances in the event of disruption.
• Tracking of costs and investment required to fix vulnerabilities, and budgeting and resource planning around these areas is also key.
• Understanding the organisation’s ‘resilience toolkit’; what else does the firm have available to it to respond to resiliency challenges? How strong and understood are recovery plans? Where can substitutions be made in the delivery of services, and how well is this already understood? Are crisis management processes and communication plans well understood?
• Consideration of the evolution of scenario testing and ‘stressing’ the scenario using severe but plausible scenarios, and whether this is developing in lines with regulatory exceptions and peer organisation’s approaches. As part of this whether appropriate toolsets are being deployed to assist with the development of these processes.
• Evaluating the dedicated Operational Resilience management information provided to the Board and management committees, considering whether this is adequately robust.
• Reviewing management’s plans to roll out the firm’s approach to Operational Resilience and consider progress made in embedding the framework across the business. Operational Resilience outcomes need to be delivered in a sustainable manner which ensures long term compliance with the regulation. Internal Audit should therefore be mindful of the sustainability of Operational Resilience delivery, after any related project or programme concludes. Culture towards resilience and entrenchment of Operational Resilience within the delivery of the organisation’s change agenda are both key areas to consider.
• Further on culture, assessing whether the organisation has embraced resilience not just as a cost, but a means of obtaining competitive advantage; if Operational Resilience is truly entrenched in the mindset of an organisation, then the enhanced resilience outcomes which will be achieved over time, should result in better strategy achievement.
• Validating forward-thinking and planning on third party arrangements to ensure that suppliers and partners can meet expectations of the firm and ultimately the full gamut of regulatory expectations by, not least the March 2025 deadline to live within Impact Tolerance Limits. Consideration will need to be given to third parties’ ability to ensure they can meet tolerance levels when providing a downstream service that feeds into firms’ Important Business Services, and where there may be vulnerabilities, concentration risk or doubt about meeting SLAs, ensure that remediation activities, substitutability and exit arrangements are in place.
• For multinational organisations, Internal Audit teams will need to play their role in horizon scanning and understanding the international regulatory requirements around Operational Resilience, with increasing requirements around Operational Resilience in other legal jurisdictions (e.g. DORA and BASEL).
• Scenario stress testing is imperative to validate mapping activities and to ensure that as many potential areas of vulnerability and single points of failure are understood. The UK Financial Authorities’ have taken the responsibility for testing across the sector into their own hands when the systemic risk is deemed critical, with initiatives such as CBEST – hence ensuring there is sufficient assurance of the maturity of testing programmes should the replication or use of tools such as CBEST expand is also key.
• Considering whether their Firm’s Operational Resilience programme is being delivered in isolation, or (more desirably) in collaboration with industry groups, and other forums, to help with external benchmarking and formulating a proportionate response aligned with the marketplace.
• Understanding the role, remit, and integration of 2^nd line teams with Operational Resilience approaches and outcomes.
• Ultimately operating within an acceptable tolerance (i.e. within a tolerable level of impact) will be the focus for firms – whether that is through effective recovery, substitution of service, alternative procedures, or a combination of all three. 
• Finally Internal Audit shouldn’t neglect pre-established expected competencies in this area i.e., the focus on the assumption a disruption will occur and ability to adopt the original definitions around ‘protect’, ‘prevent’, ‘respond’, ‘recover’ and ‘learn’.
  
  

In Summary

At the heart of the response, financial services firms have needed to respond to the publication of the Operational Resilience Policy and Supervisory Statements by carrying out their work based on the following five step approach:

1. Identification;
2. Mapping;
3. Impact tolerances;
4. Testing; and
5. Self-assessment.

However, there are much wider implications for the successful adoption of this regulation. The right leadership, mindset, culture, and operating model are needed to make resiliency and a resilient framework embedded the organisation’s DNA and align functions and risk management systems, and these foundational elements underpinning the mechanistic interpretation of the methodology highlighted above will now come to the fore in the run up to 2025.

 The regulators are looking for:

1. A mindset shift, with resilience a core consideration throughout business delivery of change (both strategically and on a day-to-day basis), and a core competency of personnel responsible for delivering the important business services.
2. Strong leadership and understanding from the board and the executive on the expectations related to Operational Resilience, appropriate tone from the top, and ready engagement on the required sign offs and oversights demanded by compliance with the framework.
3. A well-designed governance structure for the delivery of Operational Resilience outcomes below the board and the executive, and across the lines of defence.
4. Ultimately appropriate integration between Operational Resilience tools and techniques and wider risk management and governance systems within the organisation.

Internal Audit has an important role to play in the development of firm’s framework over the next three years ahead of the regulatory deadline of 31 March 2025. Firms should expect significant scrutiny and follow-up from UK supervisors after the implementation and into the transition period as they will be keen to ensure that the sector is on track to put in place the new framework according to the timeline they have set, and Internal Audit should now be providing internal challenge in anticipation of this regulatory focus.

Other resources

The Deloitte Financial Services Internal Audit practice has worked with in-house Internal Audit functions across the sector, providing guidance and support at each stage of Operational Resilience Framework development both during the consultation stage and as firms finalise their approach in line with the policy statements.

The team has built up the skills and experience, backed by industry wide insight, to be able to support any in-house Internal Audit needs. We provide subject matter and methodology training, specialist input and benchmarking to support work delivered by in-house teams and outsourced Internal Audit reviews.

For more of our views on Operational Resilience, emerging regulatory approaches and the hot topics Internal Audit should be considering in the coming year, you can consult the following resources:

Preparing for the ‘next normal’ - Build modified resilient operations | Deloitte UK

Operational Resilience and COVID-19: Internal Audit Planning Considerations | Deloitte UK

Operational Resilience: 2021 Hot Topics for IT Internal Audit | Deloitte UK

Building resilience in Internal Audit | Deloitte UK

Resilience Reimagined | Deloitte UK

Resilience by Design | Deloitte UK

Time to Thrive | Deloitte UK