Operational Resilience is Only Half the Picture Amid a Challenging Landscape for Financial Services Firms

  • 15.07.2022 03:25 pm

Understanding of the importance of operational resilience has been on the rise in the last few years – particularly following the implementation of the FCA’s new operational resilience laws. But according to leading software provider ITRS Group, if firms employ effective operational risk measures, then the need for operational resilience will be largely diminished. As such, in tandem with an operational resilience strategy, firms should also ensure a robust operational risk approach – in an overarching strategy ITRS Group is dubbing O2RM.

The proliferation of operational resilience is a vital development, with financial services firms more dependent than ever on increasingly complex, exponentially expanding digital systems post-pandemic. In fact, research by ITRS Group shows that over 80% of financial institutions say their IT environments have changed more in the last 12 months than in their company’s lifespan.

But, according to ITRS Group, while widespread recognition of the importance of operational resilience is vital – and has been a long time coming – it fails to consider other important risk management practices. Operational resilience focuses heavily on what the user is experiencing (and thus reporting to the regulator), encompassing factors such as downtime and business continuity – which is undoubtedly crucial.

However, in their focus on this, many firms are losing sight of the bigger picture. No matter how resilient firms are, there are often unexpected external threats and risks beyond a firm’s control. If they develop a more holistic view that encompasses a focus on potential external risks and their ability to adapt in the face of threats, then there will be much less pressure on their operational resilience strategy to perform flawlessly.

Guy Warren, CEO at ITRS Group, comments: “This failure to view operational resilience and risk management in tandem is hugely problematic for businesses, customers and the sector at large, as one simply isn’t possible without the other. Think of it like a game of rugby. You’re almost always going to get tackled and take a fall. From a resilience perspective, you can learn to fall better to minimise impact and get back up as quickly as possible. But you should also definitely be focusing on trying to avoid getting hit in the first place.”

To support firms through their compliance journey, ITRS Group has provided guidance for financial institutions to incorporate better risk management strategies into their operational practices:

  1. Ensure robust IT architectural design in which all potential failure scenarios are thought through and mitigated. This will enable firms to anticipate failures before they actually happen, reducing the failure-disaster recovery cycle.
  2. Thoroughly test non-functional requirements, including performance and failure scenarios. Functional testing alone, which only checks whether the software is able to process correctly, is not enough.
  3. Risk-assessed change management can be informed by either a strong change risk register or risk change management solutions, which correlate, analyse and deliver actionable IT operations insights from a variety of sources. According to Gartner, 85% of all performance incidents can be traced back to changes – so by capturing risky changes, firms can detect and manage these incidents before they happen.
  4. 360-degree, full-stack monitoring with an active monitoring tool that can take action to correct incidents before they become problems. Automated monitoring solutions can give firms a full picture of any given IT estate, from legacy to cloud-based systems. This will give them access to information that allows them to mitigate operational, reputational and financial risk, shorten issue detection and resolution time, and comply with operational resilience
