
Resilience Dividends:

How could we show that investing in resilience makes financial sense?

At a glance


  • Most organisations want to be resilient and appreciate that there are intrinsic benefits that come with being and being seen to be resilient. 
  • In Financial Services, most will recognise the regulatory imperative as a reason to invest in resilience programmes. However, when challenged to evidence the return on investment, many will struggle with quantification, meaning that resilience activities are sometimes funded with the goal of achieving compliance rather than with the aspiration of making resilience a core part of future business strategy. 
  • Yet, with more organisations placing strategic focus on resilience, it is relevant to think about how to quantify the benefits of investing in resilience and, conversely, the downsides that a lack of investment bring.
  • Here we explore four resilience ‘dividends’, which those with resilience responsibilities could use to support their strategic funding conversations. This should help to enrich the resilience dialogue so that it is not seen as a purely defensive, cost-saving endeavour, but also one that is progressive and value-creating. 
  • This is designed for those in Financial Services as they shape their resilience programmes beyond the SS1/21 and DORA deadlines early next year, though it could equally be applied to other industries and sectors.

Introduction


All organisations now face increased regulatory and governmental scrutiny over their resilience both to planned change and unexpected shocks. Within the UK’s Financial Services sector, an incremental wave of regulatory change has brought more rigour to firms’ resilience activities and stimulated a mindset shift around resilience [1].
Broadly speaking, these regulatory initiatives aim to minimise impact to customers, the firm and the sectors in which they operate when disruptions occur. This represents a different kind of thinking from Operational Risk (OR) because it operates on the principle that disruption will happen and therefore requires organisations to think in inevitability, rather than probability, terms. Regulatory frameworks, technical standards and academic research deviate in many respects, but coalesce around a set of common themes:

  • First, becoming more resilient is not just a nice to have, it is essential in today’s world;
  • Secondly, resilience is not just a defensive mechanism, which focusses on downside risk, but also a progressive approach which can support organisational strategy and contribute to long-term financial growth;
  • Thirdly, resilience supports growth and stability through the delivery of better outcomes, whether those are for customers, stakeholders, or society as a whole; 
  • Finally, resilience is not an objective that can be achieved on delegated authority. It requires the attention, understanding and endorsement of Boards and Executive teams. 

The investments that organisations need to make to meet the regulatory requirements for Operational Resilience are significant. For example, one study indicates that firms might have earmarked €5-15 million for their DORA programme, but the estimates for full implementation may be five to ten times that range [2].
Given that organisations are persistently challenged on the allocation of resources and have limited funding, how can resilience teams support their investment cases and size their requests appropriately such that resilience is not just about compliance? Here we explore four potential dividends that could support the investment case and help to quantify the Return on Investment.

Let’s start with a hypothesis: if we become more operationally resilient, we could reduce our Operational Risk capital holding against our risks, allowing us to free up funds to invest in growth initiatives.
To test this, we need to understand the regulatory position. The PRA’s Operational Resilience policy (SS1/21) does not have an associated capital requirement. As such, it does not affect the PRA’s approach to operational risk capital policy or add additional considerations for firms when they make capital calculations [3]. With this said, we have found that many organisations are still asking about the relationship between Operational Resilience and Pillar 2A, so we explore the rationale and modelling in a bit more detail below.

What do we need to know and understand?

Under SS31/15 [4], firms are required to hold capital to act as a buffer in the event of loss. Pillar 2A requires banks to hold extra prudential capital over and above the Pillar 1 amounts held for credit, market and operational risk, for instance against concentration risk, counterparty risk and interest rate risk in the banking book. The PRA undertakes an overall assessment of a firm’s operational risk informed by, amongst other factors, historical losses, a firm’s Internal Capital Adequacy Assessment Process (ICAAP) and conduct and non-conduct loss estimates. From that overall assessment, supervisory judgement is used to determine a firm-specific operational risk capital requirement. Thus, the overall capital holding assessment includes the PRA buffer (Pillar 2B) and the firm’s Internal Capital Guidance (ICG) (Pillar 2A). Pillar 2A is our target scope since this is risk-sensitive and based on an assessment of a firm’s own risk-weighted assets plus fixed add-ons.

So, we have a target scope: what’s the relationship with resilience?

Operational Resilience (SS1/21) is a regulatory framework designed to minimise operational losses and other impacts, such as harm to customers, to market stability and to the firm’s own safety and soundness, through the use of preventative and responsive techniques that enable firms to anticipate, withstand and more quickly recover from planned and unexpected shocks. Over time, we should see that Operational Resilience is reducing the residual risk in our operational environment and reducing the impact of incidents through the delivery of services that are less likely to experience prolonged or severe disruption. Done well, net operational losses should be smaller because liability, staff, relocation, compliance, customer redress, communications and advisory costs should all be lower than had we not introduced resilience measures in the first place. With this in mind, would it be possible to make a case for reducing the capital amount held for operational losses under Pillar 2A, if it could be proven that resilience controls are reducing our risks?


We’d need to model it. Can we do that?

Theoretically, yes, and our teams have developed models that could do exactly this as part of our Operational Risk Capital engine, Capital Clarity [5]. However, we would need to accept a large number of assumptions and limitations. For example:

  1. The ability to prove that the OR capital we hold does indeed correlate to the same risks that OpRes controls are designed to address;
  2. The ability to reverse engineer Important Business Services (IBS) into our historical data to understand what our operational losses looked like in the past and whether these are greater or less than future loss events;
  3. Related to (2), good quality data relating to the performance of our IBS over a prolonged period of time;
  4. The ability to accurately model external costs of operational loss including inflationary influences on customer redress, staff, communication and advisory costs specifically as these relate to the portion of recovery activity that involves an IBS. This is a common problem for Operational Risk and so not insurmountable but an additional limitation to consider;
  5. Confidence in the level and quality of mapping undertaken such that assets that have not been on the critical path of an IBS present no risk to operational loss.

Given that, for the most part, much of this IBS data is only now becoming available, we don’t believe that many firms would be in a position to make the case for reducing their OR capital holding by citing improved operational resilience, even if the regulators factored this into the holding.

So, what can we say?

What we can say with a greater degree of confidence is that quantification of operational loss following major incidents is an increasing trend. We have seen that under DORA, the EU ESAs are now encouraging (though not binding) firms to estimate the aggregated annual costs and losses caused by major ICT-related incidents [6]. We think that this is a prudent step to follow for all incidents (not just ICT) and can help resilience professionals to quantify their funding requests and remediation spend. We can also say that firms that do not do Operational Resilience, or that do not do it well, can expect to see greater net operational losses and may even see their OR capital allocation increased. For this reason, Operational Resilience teams must be involved in a firm’s ICAAP scenario planning and testing activities to help build a comprehensive picture of risk exposure and to explore and validate contingencies.

Most organisations, and especially large, complex ones, tend to accumulate unnecessary overheads over time in the form of technical debt, end-of-life assets, unused buildings, and inefficiencies in the use of supplier services, to list just a few. With those overheads, there are often unseen vulnerabilities. In a recent report by the National Preparedness Commission looking at software risk and resilience, the cost to the UK economy of software failure was estimated to be between £8 and £14bn [7].

Data consistently support this view: the organisational cost of inefficient or poor use of resources is huge. One McKinsey survey of 30 CIOs found that “more than 20% of their technical budget ostensibly dedicated to new products is diverted to resolving issues related to tech debt. Furthermore, they estimate that tech debt amounts to 20% to 40% of the value of their entire technology estate (before depreciation).” [8] This is more than a question of poor code; it is a case of how speed to solution is prioritised over quality of outcome. Sometimes, urgency and temporary fixes are the right answer. But when these behaviours become endemic and aren’t reversed, organisations can end up with systems that are not just surplus to requirements but actually carry significant disruption and downtime risk as well.

So how does resilience help?

A greater degree of mapping, such as that performed for Important Business Services as part of Operational Resilience, can help to rationalise BAU resources by identifying redundant, duplicative, EoL and poorly designed assets that may be driving large overheads. In the long term, we see mapping as one of the most important resilience techniques that an organisation can deploy, both to reduce risk and to target efficiency, but it will require strategic investment to make it a sustainable endeavour because it is not a once-and-done activity. Continuous mapping relies on enabling auto-discovery of assets and accurately identifying and classifying assets in suitable repositories, which usually requires some level of investment, and this can be considerable. However, once established, accurate business process and asset mapping can support multiple use cases and offer better visibility and traceability of assets across the enterprise and extended enterprise.

In some cases, efficiency savings can also be realised by upgrading to more modern resilience options. For example, closely located physical data centres present considerable geographical vulnerability, against which diversification with cloud-hosted services can offer an alternative, and potentially more cost-effective, solution. Exploring, or indeed actually experiencing, different scenarios can also bring new perspectives on the use of assets. For instance, many organisations have chosen to rationalise or retire their work area recovery sites following the COVID-19 pandemic, thereby reducing overheads [9]. Thus, firms should consider that an ancillary benefit of regular scenario testing, or experience of actual scenarios, might be the opportunity to adjust resilience provisioning, thereby reducing risk exposure as well as realising savings.

If less resilient organisations are more likely to be in the headlines, then the inverse is also true. More resilient organisations experience fewer loss events and recover faster than less resilient ones. They are less likely to dominate the front pages of the press for all the wrong reasons.

Metrics that focus on the growth of the customer base and customer retention can support a picture of overall satisfaction in business performance, where customer satisfaction surveys can corroborate the idea that reliable, available and secure services are more likely to engender long-term loyalty. Simply put, customers are less likely to consume services from organisations that have higher frequency or higher severity disruptions. 

Many successful resilience programmes are now steering the narrative away from resilience as a purely defensive activity towards one that is progressive and part of an organisation’s differentiated customer experience. The techniques deployed as part of Operational Resilience can be used to optimise performance and deliver higher levels of availability and meet the ‘always on’ mentality that reflects changing consumer behaviours and appetite. 

Add to this that brand loyalty is less static than it has been historically and is less influenced by pricing and more by service quality. Given that there are now many mechanisms in place to make it easier for customers to change suppliers, whether those are banks, telecommunications, internet providers or utilities, we can expect to see a continuing and increasing trend of brand fluidity. Within this context, resilience should be considered an important part of an organisation’s strategy for customer retention, growth and maintaining market share. 

Shareholders and investors expect an organisation’s systems and services to be resilient. Research shows that even in the absence of a disaster, the co-benefits of investing in resilience include greater service reliability, higher levels of financial stability, improved business confidence, better connectedness with all shareholders and potential for long-term growth. Share price, and total return to shareholders, is the ultimate measure of where value is created for most of our clients. Under the Capital Asset Pricing Model (CAPM) there is a direct linkage between earnings volatility (the stock’s beta) and share price. If a firm can reduce either the unexpected losses that it experiences as a result of large sporadic shocks (and therefore the earnings volatility) or the market’s perception of the strength of the controls around losses (i.e. reducing the stock’s beta), then the share price will perform better than that of a competitor in the same market that isn’t able to demonstrate those things. This creates a tangible, measurable, financial dividend.
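To make the CAPM linkage concrete, here is an added worked calculation that is not part of the original article. It combines the CAPM cost of equity with a constant-growth dividend valuation, and every figure (a risk-free rate of 4%, a market risk premium of 5%, a next-year dividend of £2 and growth of 2%) is a constructed assumption for illustration only:

```latex
\text{CAPM cost of equity:}\qquad k_e = r_f + \beta\,\bigl(E[R_m] - r_f\bigr)

\text{Constant-growth valuation:}\qquad P_0 = \frac{D_1}{k_e - g}

\text{Firm A } (\beta = 1.2):\quad k_e = 0.04 + 1.2 \times 0.05 = 0.10,\qquad
P_0 = \frac{2}{0.10 - 0.02} = 25.0

\text{Firm B } (\beta = 1.0):\quad k_e = 0.04 + 1.0 \times 0.05 = 0.09,\qquad
P_0 = \frac{2}{0.09 - 0.02} \approx 28.6

\text{In general:}\qquad \frac{\partial P_0}{\partial \beta}
 = -\,\frac{D_1\,\bigl(E[R_m] - r_f\bigr)}{(k_e - g)^2} < 0
```

Holding dividends and growth fixed, a lower beta lowers the return investors demand and so raises the valuation, which is the share-price effect the paragraph above describes.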


At least some credit rating agencies take a firm’s operational resilience into account, with S&P noting that weak operational resilience could undermine an FMI’s (financial market infrastructure’s) smooth functioning, dent stakeholder trust and, under extreme circumstances, make an FMI’s franchise or rating more vulnerable [10]. On this basis, if a firm’s credit rating is downgraded, and investors feel that the debt is more at risk, they may demand higher interest rates to compensate for the increased chance of losing the investment. On the other hand, if a firm’s credit rating improves in part due to its operational resilience, it could realise a measurable return in terms of increased investment.


An Oxford Metrica report published in 2020 demonstrates that firms recovering from crises fall into one of two categories: “winners” and “losers” [11]. The data showed that all crises have immediate negative effects on value. However, ‘this initial loss is lower for “winners”. These lose less than 5% in value at first, in contrast to a loss of over 11% among “losers”. Furthermore, after approximately thirty trading days “winners” start to show sustained recovery in value. After 250 trading-days they even add a further 10% in value…By contrast, the “losers” suffered a 15% reduction in value.’ The key differentiator between winners and losers in this context is resilience. Winners were defined by management’s preparedness and responsiveness to the issue together with its transparency, communication and the credibility of follow-up actions.

Key takeaways


  • Resilience has historically been seen as a defensive discipline aligned to compliance and risk management activities.
  • We believe that the mentality around resilience needs to change, and we are seeing clear evidence that it is. Resilience is not just about stopping bad things from happening, it is also about making good things happen.
  • This mindset is key when firms are sizing their investments in resilience not just because absence of resilience increases the risk of regulatory fines, but also because resilience can be a key part of overall business strategy and a core factor in enabling financial growth.
  • We hope that this article will prove useful to those who are seeking further funding for resilience programmes and activities and need to articulate to their Boards and stakeholders why investing in resilience makes financial sense.

___________________________________________________________________________________________

References:

[1] Relevant international frameworks include the UK PRA/FCA Operational Resilience policy SS1/21 and SS2/21; the EU Digital Operational Resilience Act; the BCBS Operational Resilience Principles; the MAS Guidelines on Business Continuity; the OCC, FRS and FDIC Sound Practices to Strengthen Operational Resilience; APRA’s Prudential Standard CPS 230; the HKMA SPM on Operational Resilience; and the UAE DFSA focus on Operational Efficiency and Resilience.

[2] Europe and the race to get ready for DORA | McKinsey

[3] PRA Rulebook SOP Operational Resilience 3.5

[4] https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2023/ss3115-update-may-2023.pdf

[5] https://www2.deloitte.com/uk/en/pages/risk/solutions/capital-clarity.html

[6] JC_2023_68_-_CP_on_draft_GL_on_costs_and_losses.pdf (europa.eu)

[7] https://nationalpreparednesscommission.uk/wp-content/uploads/2022/12/NPC_BCS_Software-Risk_-the-Elephant-in-the-Room_Dec-2022-Upload.pdf

[8] https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/demystifying-digital-dark-matter-a-new-standard-to-tame-technical-debt

[9] Though likely incurring others through remote working enablement.

[10] Operational Resilience Is Key To Global FMIs’ Rating Strength | S&P Global Ratings (spglobal.com)

[11] https://www.oxfordmetrica.com/public/CMS/Files/1769/OxfordMetricaPwCReputation.pdf
