
How prepared is your firm to deal with the unthinkable?

Richard Whittington

Head of Digital Products

A number of recent high-profile systems failures and data breaches have put operational resilience towards the top of the regulatory agenda. In an article first published in T-C News, Richard Whittington, Product Manager at Access Group Training, takes a look at what that means for you and your firm.

TSB, Ticketmaster, British Airways, Dixons Warehouse - you don’t need it spelling out what all these huge businesses have in common.

While these might be the most high-profile corporations to have their reputations tarnished following data breaches or systems failures, they are not the first and the only guarantee is they won’t be the last.

That is why last summer the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published their joint discussion paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs).

This paper reinforces the need for firms and FMIs to develop and improve response capabilities so that any wider impact of disruptive events is contained. The speed and effectiveness of communication with the people and institutions most affected, in particular customers, should be at the forefront of every firm’s response.

Its key message is simple – it’s no longer a case of ‘if’ this happens to you, but ‘when’, and how prepared are you for it?

Shortly after the publication of this discussion paper, I joined an extremely well attended webinar with our partners at UK Finance, where both the Bank of England and FCA introduced the topic of operational resilience.

The biggest thing I took away was that firms are still focusing on technical resilience and not thinking about the human aspect, despite the fact that some of the most headline-grabbing failures have highlighted concerns around single person dependency, staff resilience and reliance on small or sub-teams not as ‘gold-plated’ as the ‘A’ team.

Additionally, when 90% of all successful cybersecurity breaches rely on human error, it is astonishing that the torch continues to be shone on the technology, not the people, when the concept of operational resilience is so enmeshed with risk management and Three Lines of Defence (3LOD).

In an age where accountability and culture are amongst the regulator’s primary concerns, and with the Senior Managers and Certification Regime (SMCR) leaving no hiding place, the mindset that ‘it is an IT issue’ on its own has to change.

Later this year we expect to know how firms will be regulated on operational resilience. But that doesn’t mean you should wait for the defined rule to consider what you need to do: with ‘the speed and effectiveness of communication’ so explicitly referenced in the discussion paper, the human aspect will be central.

First and foremost, training on what operational resilience actually is will be required across all managerial levels. Cyber resilience is a huge part of operational resilience, yet recent UK Government research showed that only 20% of organisations provide cyber awareness training for their staff. Accordingly, staff should be given the skills, awareness, knowledge and confidence to make the right decisions in the face of growing cyber threats.

GDPR and cyber resilience are also inextricably linked, so mitigating risk through embedding a firm-wide culture of good data protection behaviour is fundamental.

As our partners, AXELOS Global Best Practice (a joint venture between the UK Government and Capita plc), attest, you need to help your people become your greatest information security asset. That comes down to effective training rooted in relevant, digestible and impactful content that delivers real behavioural change.

AXELOS RESILIA®’s Frontline suite of cybersecurity awareness training includes courses on protecting information, safe device use, managing online risks and keeping safe online, while to support this firm-wide education, here at Access Group we are consolidating our Risk Management and 3LOD training modules into new Operational Resilience content.



Then there is the chain of command, and knowing you have competent (even certified) teams and/or individuals within the business that can step into the breach to, as the discussion paper states, contain the ‘wider impact of disruptive events’, whether that be a significant data breach or a major systems failure.

Training and Competence (T&C) will also inevitably play a big part in this.

For example, where does the information you will need to create competency assessments currently sit? Is it offline on paper forms, online or a mixture of both? If it is online does it sit on different systems across HR, compliance and L&D? What are your onboarding processes around GDPR and cyber resilience for new joiners? How do you identify and fill knowledge gaps and log and report on individual activity?

Especially in the world of challenger banks and new fintech start-ups, teams are often small and staff turnover can be rapid. So how do you make sure critical knowledge isn’t lost from the business? What succession planning policies and procedures are in place so that ‘single person dependency’ doesn’t become a business threat should a key person leave the firm, be off sick or on holiday?

The SMCR underlines the need for firms to have robust performance management and workflow systems in place, where recording, file checking and reporting against your T&C scheme is as effective and accessible as possible. Whatever the new regulation around operational resilience ends up being, it will need the same.

So when, not if, the unthinkable does happen to your firm, how prepared are you?

Need help? Access Group Training is not just a learning management system and a content provider. We are your regulatory compliance expert. 

 
