Operational resilience for business continuity in a changed world

Systems need to be more than just robust to deal with operational risk. Agility and intelligence are also needed writes Esteban, a director of IBM Financial Markets Asia Pacific.

Underpinning the development of the global financial services industry has been the deployment and integration of highly sophisticated systems and technology. The past decade has experienced unprecedented demands for capital with corresponding record trading volumes to hedge and manage risk in a wide range of capital investment opportunities.

While the global development of the industry has expanded economies and lifted profits for many financial institutions, it has also resulted in a global financial system whose major participants, markets, infrastructures and national economic institutions are interconnected. The high level of integration has decreased many forms of risk but it has also increased others, most notably operational risk. 

While many operational risks can be controlled through a variety of awareness and mitigation strategies, many operating risks can be problematic; some can be threatening; and others have the potential to cause serious damage.

This condition has caused financial institutions, market regulators and governments to focus not only on managing identifiable and predictable risks, but also on analysing how resilient financial operations are in light of these risks; and how resilient financial operations will be in the event of unpredictable risks and events. The events of September 11 amplified existing worries, triggering an increased focus on risk, vulnerability and operational resilience.

Financial Services: Risky Business

All financial services organizations need to manage risks. Techniques and sophistication may vary according to environment, strategies or regulation, but controlling and supervising risks for any financial institution is both a regulatory duty and a business imperative.

Information technology has developed at a formidable speed to become incredibly powerful, fast, and reliable. This change, combined with sustained business innovation, has generated a new world of financial services where volumes are enormous, product diversity is widespread and global reach is pervasive.

But the infrastructure supporting this sector is not perfect: like any other system, it is the result of years of investment, building, rebuilding, partial improvements and some temporary fixes that have stayed on longer than anticipated. Complexity has significantly increased the risks that each financial system participant is taking. The networked nature of modern economies - the fact that each actor is tightly connected to and dependent on many others - may result in a potential instability of a single institution, part of the industry, and in the worst case, the whole global economy.

Many things can damage a business. September 11 reminded us that many potential dangers are unpredictable. Nature, technology, and human behaviour evolve in a way that it is impossible to capture all their states, making it impossible to build effective protections against rare catastrophes. Although the financial services sector is very focused on managing risks, there are no blank cheques for this purpose. Risk management is dependent on the assessment of the probability and likely impact of a specific risk to the on-going operation of the institution.

From a business standpoint, not all specific vulnerabilities are important; but those of critical functions are vital to understand. After all, systems may be tolerated to fail if processes can tolerate such failures. And provided that the business structure is sufficiently adaptive, even process failures can be tolerated. Intelligence and 'agility' are as important to resilience, if not more, than reliability and robustness. Information technology has generally made great improvements in the latter. The problem for financial institutions is that it is harder to achieve the former. Improving infrastructure reliability and robustness in order to achieve greater business intelligence and agility is the foundation for improved operational resilience and is the next big combined challenge of IT and business management in the financial services sector.

Given the diversity of business and operating concerns affecting the Financial Services Sector IBM has defined Operational Resilience as follows:

"Operational Resilience is the ability of systems, resources, processes and people to effectively support a financial institution under any sudden and unexpected adverse condition."

The concept of operational resilience poses major challenges for the leaders of financial markets firms. Management attention needs to focus on the areas of process efficiency; business agility; and operational resiliency. Initiating improvements in an area as vast as operational resilience requires a strong structure and a comprehensive methodology.

The first step of our approach for the financial services sector consists of decomposing the various aspects of resilience in seven domains. We have created these domains with a goal of creating highly manageable components, aligned together within the model. Although the domains are not independent, each one can be addressed with some independence resulting in significant resilience improvements within a financial institution. The five columns symbolise essential features conferring resilience - the foundation supports and align the columns constituents and the top layer unifies and integrates them across several dimensions, looking at resilience from a holistic viewpoint. In particular, the elements that constitute an enterprise can be treated jointly instead of independently, in the same way that entities can be considered collectively rather than individually.

Operational resilience requires that an organisation manages their processes, procedures and systems in an overall framework across these five pillars:

Control: In addition to the obligation to comply with new regulations, financial services firms need more than ever to control their operational risks and optimise their economic capital.

Detect: Filtering the excessive amount of information continuously produced by an organisation to extract meaningful signals and indicators supporting business decisions. Deploying an efficient process control framework.

Optimise: Automation, in addition to boosting productivity, has a tremendous but often under exploited potential for improving reliability and mitigating risk.

Solidify: Critical technology not only needs to be totally reliable, but it also has to be available under all kinds of unpredictable circumstances.

Recover: Restoring business processes, especially those critical to a company, requires much more than recovering resources. Dealing from a disaster may involve managing a crisis and temporarily redesigning the operating model.

Operational resilience is not just for the major markets of New York, London, Frankfurt and Tokyo, but also the financial services industry across Asia Pacific. Industry analysts IDC expect Asia Pacific to lead in B2B e-commerce growth, predicting a 109% jump in compound annual growth by 2005. This growth poses a major challenge for financial institutions as they struggle to improve process efficiency while maintaining organisational agility to differentiate, coupled with the pending BIS regulations on operational risk - and do this under increased resource constraints.

The implications to financial institutions in China with entry to the WTO add another degree of complexity. They are looking at two very significant regulatory events occurring almost simultaneously - BIS (Bank of International Settlement) Basel Accord II and WTO and its resultant increased pressure in the form of competition from global players entering China's previously closed market. However, as the Chinese domestic financial institutions prepare for these events, they have the opportunity to leap frog their local and global competition and create the required resilient infrastructure to manage operational risk.

Chinese firms are under pressure to do something about their infrastructure and systems very quickly, which will ultimately be beneficial to their long-term goals. They have the opportunity to overtake their competitors - local and global - because many financial institutions globally have not begun to strategise for the BIS regulations that come into effect from 2005. Financial institutions in China will be able to move fairly quickly as they proceed with planning new systems and procedures that will enable Operational Resilience and comply with BIS and local regulatory demands. They don't have the existing infrastructure the Wall Street firms have; their legacy systems can be discarded, and they will not be throwing away billions of dollars of investment.

Outside of China, financial institutions across Asia face an even greater issue - an inability to adequately manage financial risk, let alone understand and put in place operational risk processes and procedures. These firms will need to quickly examine their operations, including people, processes and systems, to evaluate their operational readiness. In the book "Against the Gods: The Remarkable Story of Risk" (Peter L Bernstein) the concept of risk management is shown to be a recent construct in western culture. In many parts of Asia, where the culture has strong ties to religion and fate, risk management of any sort is still a relatively new concept that unfortunately is too often ignored when it comes to managing financial assets.

The need by financial institutions for operational resilience is clear. Recent events coupled with regulatory drivers have forced the issue of operational risk and the ability of operations to support a business under any sudden adverse or unexpected condition. Financial Institutions in the Asia Pacific region have the added dimension of WTO and a minimal history of risk management to overcome. However they have the opportunity, in many cases, to leapfrog the traditional Wall St firms who have the baggage of cumbersome legacy systems.

Operational risk can help firms identify hazards; operational resilience can help to ensure that firms survive them.