David Key, Senior Manager
One of the benefits of monitoring resilience regulation across multiple jurisdictions (and being involved in shaping legislation at the consultation phase) is that we notice trends.

One such trend we are noticing right now is regulators’ approaches to resilience testing. We think this is worth sharing because it enables our clients to get slightly ahead of the curve, to start planning for compliant testing programmes, and possibly even to gain competitive advantage through enhancing trust from their stakeholders.

The trend we are noticing at the moment is a move away from assuming continuity within tolerances, towards assuming discontinuity. Regulators in the UK financial sector are telling firms to assume that discontinuous events will push a service beyond its impact tolerances, forcing them to consider their response in four areas: contingency, mitigation, decision-making and communication.

  • Contingency plans: Has there been proportionate investment in planning extraordinary measures (or workarounds)? And do they work?
  • Mitigation plans: Assuming they may not work, are there plans to reduce the impact of failure on customers, the institution, and the wider sector?
  • Decision-making: What is the quality of decision-making on the crisis management team, and how is decision-making coordinated across the sector and supply chains?
  • Stakeholder communications: How effectively, how consistently, and how fast can the crisis team communicate with the full range of stakeholders, across all channels?

So, how do we operationalise this approach, enabling our clients to test their resilience capability with due regard for these four criteria?

1. Co-creation of a rich picture of failure

We start from our library of severe but plausible scenarios and use structured scenario analysis to tailor a chosen scenario to your entity and industry. We start with a plausible failure and use root cause analysis techniques to describe the conditions that led to it, which contextualises decision-making and engages participants. We also validate the likely point at which impact tolerance is breached.

2. Simulating post-impact response

Rather than timing your disaster recovery (which is a connected, but separate, issue), we focus on assessing the adequacy of contingency and mitigation plans for effectiveness in this scenario. Using wargaming approaches, often with a small red or purple team, we assess the quality of decision-making and stakeholder communications by the crisis team.

3. Effects-based assessment, and options for change

Instead of a clipboard-style, component-by-component check, we assess the combined effect of your preparedness and response capability in maintaining continuity of critical services. We report on options to enhance arrangements, so you can make evidence-based, business-led decisions to invest in service resilience.