Operational Resilience: A 2020 Prerogative for Financial Institutions

Feb 27, 2020

Digitalization is the future for all businesses, especially financial institutions. Your customers want to manage their accounts from their mobile devices and ensure their accounts are secured on the web.

There are also expectations for financial institutions. Cybersecurity is a huge concern for clients, and your customers demand digitalized interactions. Unfortunately, not all businesses are willing to comply with digitalization. 87% of companies believe the digital landscape will disrupt their market.

The key is to work with digitalization, not against it. That’s why more financial institutions are implementing an operational resilience strategy. Below, we’ll discuss the importance of operational resilience and business continuity, and what it all means for financial institutions.

Why Is Operational Resilience a Priority?

More financial institutions are focusing on operational resilience. Why? Here are three factors impacting the financial landscape.

The Risks of Increased Digitalization

Power outages cost the U.S. $150 billion annually. The increased reliance on digital solutions also puts your organization at risk for downtime impacted by the outages. The increased threat of security breaches impacts not only your institution but also your customers’ finances and data.

You should address any risks and pre-plan your solutions. The best way to do this is by creating a business continuity and disaster recovery strategy.

Focusing on Operational Resilience

Operational resilience is at the forefront to keep up with customer demands. More customers want to access their finances on digital mediums. They also want to contact your institution via digital measures, all without interruption.

Besides, more financial institutions are relying on third-party platforms. Examples include money transfer software and application platforms. However, with the demand comes increased risk. If ever an issue occurs, financial institutions need to know how to act fast enough to get your systems back in working order.

Protecting Reputation Risk

Let’s say your financial institution faces a security breach. Will your customers want to continue doing business with you? They will more than likely support your competitors instead. In addition, the internet makes public outcry louder. Your reputation will increase quicker and will impact your market severely.

An Approach to Operational Resilience

How can a financial institution create a detailed operational resilience plan? Here are four factors to focus on.

IT Upgrades

The best way to ensure your systems are secure and efficient is by upgrading your technology without any delay. Also, it’s essential to migrate your existing systems to the latest platforms whenever it’s necessary. While these upgrades carry their own risks, your company will stay safer in an unpredictable digital world.

Effectively Executed Digital Transformation

With that being said, it’s essential that all financial institutions effectively execute their digital transformation efforts. Any new system initiatives should undergo risk assessment, and you set risk controls in place.

For the best results, you should partner with a technology-focused business continuity solutions provider. In case any issues occur with your digital transformation, you’ll always stay running.

Timely Board Involvement

Your board needs to be informed immediately when an issue occurs. Communication is the key to a powerful operational resilience strategy. The faster your board knows about the problem, the faster they can set a solution in place.

Learning Opportunities

Unfortunately, many businesses don’t have time to learn from a digital mistake. They also don’t have a chance to improve their reputation. However, financial institutions should use the digital landscape as an opportunity to learn the digital systems and what downtime could mean for your business.

Knowing this information ahead of time will prepare you for an issue, so you know how to react if downtime occurs.

Additionally, training your employees on the most common threats your organization may face will help thwart the disruptive events and any unfortunate business impacts.

Conducting a tabletop exercise is another great way to ensure everyone in the organization knows their roles and how to act in a different scenario. With planning and training capabilities, employees know exactly how to respond in an emergency, and management can make sure everything is in place to handle the next incident. 

Emergency Notification and Incident Management Software

To ensure that all of your employees are well and receive timely critical information, and to minimize the impacts of a disaster on a business, companies need to implement an emergency notification and incident management system and test it regularly. Besides that, companies should deliver pandemic-related business continuity training to enhance employee preparedness and alleviate any concerns. 

Utilize mission-critical business continuity software and services. Software, such as Preparis, can target the response and recovery of particular locations, thanks to geofencing and bi-directional messaging. 

For instance, a top-notch tool will allow you to send company-wide alerts using a variety of mediums, for example, push notifications, emails, text messages, and voice messages. The more mediums you use to send out an emergency message, the better your chances of reaching all of your recipients.  

Challenges of Operational Resilience

There are many operational resilience challenges that financial institutions have to endure. Here are three common ones.

Managing Third-Party Relationships

Banks can’t achieve operational resilience alone. Financial institutions need the help of third-party platforms. These include your technology platforms, staff that maintains your app, and other companies that collaborate on money transfers and payments.

Managing your third-party relationships can be a challenge, even in our digital-centered world. It’s easy to struggle with collaboration agreements, information and data sharing, industry-funded utilities, and third-party risk management. Proper third-party management is becoming increasingly important to clearly define your collaboration with your colleagues, to improve your relationships with your vendors, and assess any collaboration risks.

Impact Tolerance

Unfortunately, disruptions happen, no matter how well you plan. It’s best to prepare for the impact a disruption will take on your business rather than facing the unpredictable setbacks. Establish your impact tolerance during the pre-disaster stage. Don’t just plan for your response to a disaster. Understand recovery time objectives and what’s expected of your business. Identify key functions, assets, and activities that you’ll need if a disaster strikes.

You’ll also want to plan your communication strategy. Plan how you’ll approach customers, third-party vendors, and other members of your organization about the disaster and your process of improving it.

Data Security

Financial institutions not only worry about hackers compromising their company data but also their customers’ data. Many sources say company-wide data breaches could signal the end of a financial institution. Data security isn’t only a cybersecurity risk. With the growing demand for migration and digital transformation, you risk data loss when transferring your systems.

How to Improve Your Testing

Testing is key to a successful operational resilience strategy. But how do you improve your testing?

Keep these facts in mind:

  • What you’re testing
  • How frequently
  • The testing method
  • The testing results
  • How comprehensive the testing is
  • How the testing helps you respond to issues

Testing also takes time and may not identify all issues. But comprehensive testing will help protect your business.

How BCM Helps

Business continuity management (BCM) is one of the core factors of any operational resilience plan. To ensure your financial institution complies with the best BCM strategies, the FFIEC released a new business continuity booklet in 2019.

Here are the changes all banks should know.

Business Continuity Testing

BCM testing is easily understandable, compared to previous FFIEC booklets. The booklet defines specific expectations, including testing governance and strengthening outsourced technology.

Consider the following testing areas to focus on:

  • Programs
  • Strategies
  • Policies
  • Plans
  • Objectives
  • Methods
  • Scenarios
  • Full-scale exercises
  • Limited-scale exercises
  • Tabletop exercises
  • Industry exercises
  • Testing for core and significant firms
  • Industry exercises
  • Post-test actions

Testing is a significant part of your BCM, and the FFIEC’s new testing standards will improve your testing strategies.

Board Reporting

This section details best practices when reporting any downtime to the board. Here are the requirements to make during board reporting:

  • Risk assessment
  • BIA
  • Exercise and test results
  • Resilience
  • BCP
  • Strategy updates
  • Identified issues
  • Metrics
  • Audit results

While a BCM report isn’t required, the booklet does recommend providing a written presentation, which includes risk assessment, BIA, exercise and test results, BCP, and any identified issues. The booklet also requires that Board minutes should reflect business continuity discussions, credible challenges, and approvals.


Instead of referring to it as a business continuity plan, the FFIEC now calls this method as business continuity management. What’s the difference? Business continuity planning signifies responding to a disaster, implementing recovery and resuming operations.

BCM is different. This method focuses on addressing the risks and vulnerabilities of your system, helping prevent a disaster, and improving your business continuity strategy.

Important Steps of BCM

The FFIEC lists significant steps of BCM. These include:

  • Oversee and implement resilience
  • Align BCM with goals
  • Develop business impact analysis
  • Conduct risk assessment
  • Develop effective strategies to meet resilience
  • Establish a plan that includes incident response, disaster recovery, and crisis/emergency management
  • Implement a BCM training plan for stakeholders and other personnel
  • Conduct exercises and tests
  • Review and update your BCM
  • Monitor and report business resilience activities

There’s flexibility with these requirements. But your financial institution must meet all of them for compliance.

BCM as a Part of ERM

BCM is no longer relegated to a committee or staff person. Instead, it’s included in your ERM, which means your BCM will regularly be assessed, along with your compliance, operation, transaction, financial, and reputation risks.

With this integration, your BCM will adopt risk management practices like measuring risk and the effectiveness of your risk mitigation.

What Does This Mean for Your Financial Institution?

The financial industry is moving in the direction of operational resilience and enterprise risk management. That’s why it’s not only imperative to implement ERM practices but align them with your BCM practices.

ERM helps financial institutions assess, identify, monitor, measure, and mitigate risk. Integrating BCM helps improve the risk assessment function and also optimizes the plan for testing. Both of these management methods help a financial institution make better decisions if a disaster strikes.

Let us help your organization with its Operational Resilience and BCM. Operational resilience and BCM compliance are integral for financial institutions. But it would be best if you didn’t create a strategy alone. A certified business continuity professional can help. Take a look at some of the packages we offer.