Should the securities operations industry rethink the gap between operational resilience and operational risk?
Should those working in operations bring the two disciplines closer together, and by doing so, develop a stronger architecture for securities operations?
Those are the questions that Guy Warren, CEO at ITRS Group, is pondering, and he wants you to ponder them too.
The problem lies with a split between operational risk and operational resilience, Warren says.
“Operational resilience and operational risk have traditionally been treated as two completely distinct entities, often at the expense of the big picture,” Warren tells FTF News. “But there are subtle yet important differences that separate them: operational resilience is about managing problems when they happen in the production environment and operational risk is about preventing those problems from occurring in the first place.”
Why should they be in tandem now?
“For too long, these concepts have been seen as separate entities, often one being focused on at the expense of the other when it comes to devising operational strategies,” Warren says. “It’s our opinion that the two belong hand in hand, and in order to establish an effective operational practice, firms must consider the interactions between operational risk and resilience and use this to inform their overarching strategy.”
Warren, via ITRS, is suggesting that firms develop an overarching strategy called Operational Risk and Resilience Management (O2RM).
“Since the FCA’s [Financial Conduct Authority] new regulations came into force on 31st March of this year, operational resilience has been rightly nudged further up organizations’ agendas,” Warren says. “However, it would be foolish to develop a new strategy to combat operational resilience without accounting for operational risk as part of that conversation. As such, we’ve developed an overarching strategy we’ve dubbed ‘O2RM’ to emphasize the necessary marriage of these too-long divorced practices.”
In fact, ITRS is putting forth suggestions to help firms “incorporate better risk management strategies into their operational practices.”
The company’s major points of guidance are:
- To achieve “a robust IT architectural design,” financial services firms should consider “all potential failure scenarios thought through and mitigated. This will enable firms to anticipate failures before they actually happen, reducing the failure-disaster recovery cycle;”
- The company is urging the “thorough testing of non-functional requirements, including performance and failure scenarios — just functional testing to see if the software is able to process correctly is not enough;”
- ITRS is endorsing “risk assessed change management, which can be informed by either a strong change risk register or risk change management solutions, which correlate, analyze and deliver actionable IT operations insights from a variety of sources;” and
- The vendor is strongly urging a “360 degree, full-stack monitoring with an active monitoring tool which can take action to correct incidents before they become problems.”
Of course, this new philosophy is in line with ITRS Group’s solutions, which include those that “detect and actively prevent problems,” and offerings that target cost efficiencies for a variety of technologies, according to vendor officials.
It will be interesting to see if the industry takes and runs with the idea of somehow blurring the lines between the distinct roles of operational risk and operational resilience. I suspect that a crisis might spur firms into action and innovation more than any other industry influence.