We’ve all heard it: every department insists its services are the most important. Sometimes, business priorities clash with IT's perspective, and the documented design and procedures might not reflect the reality of an important system. Fingers get pointed (often becoming an IT vs. business issue), but ultimately, the onus falls on the business to take the lead, perhaps with some assistance from other departments.
Operational resilience is a multifaceted concept that encompasses a wide array of elements, including business processes, architecture, operations, supplier risks, and information and cyber security. While cyber security often takes the spotlight due to its visibility, a myopic focus on it neglects other crucial aspects. Even significant investments in cyber security will not guarantee operational resilience if underlying issues like poor lifecycle management, technology debt or flawed designs persist and increase operational risk.
In my last blog, we covered exit strategies and how they enhance organisations’ operational resilience, allowing them to handle operational and concentration risk effectively and ensure business continuity. Now, let’s examine how important business services fit into the equation.
Why do we need regulatory definitions?
First, we should remember that while the concept of important business services emerged from financial regulations, it doesn’t end there. The importance of building operational resilience applies broadly to businesses in all sectors, requiring some adaptation based on specific industry needs.
The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) outline the concept of an "important business service" in Policy Statements PS21/3 and PS6/21.
The FCA definition centres on services that “cause intolerable levels of harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.” (“FCA 2021 14 - FCA Handbook”)
The PRA defines it as a service that "poses a risk to a firm's safety and soundness or… the financial stability of the UK."
The FCA has given firms until 31st March 2025 to be able to operate within their impact tolerances. If you’re a firm to which these rules apply, that means:
- Performing mapping and testing so that you can remain within impact tolerances for each important business service.
- Making the necessary investments to enable you to operate consistently within your impact tolerance.
Self-assessment and taking ownership
Regulators provide the framework, expecting organisations to analyse their needs and create plans to ensure they can deliver important services within acceptable limits, even in challenging scenarios.
While technology is often the first thought when discussing operational resilience, regulators hold boards accountable for identifying important business services, acceptable disruption levels (impact tolerances), and self-assessment. This identification forms the basis for further collaboration between business and IT functions.
How to identify important business services
Identifying important business services is a straightforward process:
- Engage the right stakeholders.
- Present thorough analyses for discussion.
- Establish a foundation for stakeholder buy-in and decisions.
From the banking perspective, existing industry-standard capability models, such as those described by the Banking Industry Architecture Network (BIAN), can be used as a canvas to highlight many views of operational resilience, including important business services, risks, gaps, and so on.
Building Practical Solutions
At NTT DATA, we recognise the complexity of operational resilience and each business aspect it encompasses. Our framework, in conjunction with workshops, can provide tools and approaches, including templated assessments, to identify important services, evaluate their current state, and pinpoint potential gaps. This initial step is crucial for building a strong foundation for further progress. We can assist you at any stage, translating regulations into practical steps and helping you to align operational resilience with your business value and customer propositions.
Drawing from our experiences in the Banking and Financial Services sector, as strategists, architects, and implementors, we’ve designed a practical framework to help organisations tackle operational resilience challenges, regardless of their current stage. To discuss this further or find out about our legacy modernisation initiatives, book a meeting with us.