Mike Tyson once said, “Everyone has a plan until they get punched in the mouth.”
Operational resilience, in this analogy, is your company’s ability to prepare for, sustain, and recover from said punches in the mouth.
It should be at the forefront of every board exec’s mind, and if it wasn’t this time last year, it certainly is now.
We explain what it is, and ask Simon Cowling, our Chief Technical Officer, ‘Who’s responsible for operational resilience?’, ‘How can companies test it?’ and ‘Do people need to worry?’.
So, let’s start from the top. What is operational resilience?
In a nutshell, it’s a company’s ability to respond quickly to changing environments. This could mean the resilience of systems and processes, and more often, the company’s ability to keep its doors open and business operating in the face of a disruptive event (like a pandemic). Charlotte Gerken, the executive director of the Bank of England, said in a speech on operational resilience, “We want firms to plan on the assumption that any part of their infrastructure could be impacted, whatever the reason.” Gerken notes that firms who had managed to survive the crisis had already established the processes to respond where and when risks materialised.
It might be prudent to then ask, well, who’s responsible? Or do people just outsource this kind of stuff these days?
Cowling tells us, “There shouldn’t ever be one individual or division responsible for operational resilience, and it’s certainly not fair to put it all at the door of the poor IT department! Yes, execs are ultimately responsible, but it should be something that runs through the whole organisation – a cultural thing – company-wide accountability.” He says that some have called for operational resilience to be outsourced, but that only introduces another layer of compliance, and slows any required process.
Does this mean companies should be running ‘disaster scenarios’?
“The industry would be far better served by increasing openness and transparency – so, yes, getting better at running disaster scenarios is paramount! Some companies do schedule them in in all good faith, but then end up postponing them… sometimes indefinitely.”
Cowling tells us that ensuring you’re prepared for a worst-case scenario means that, when it does occur, the disruption will be limited. He explains how SchemeServe is somewhat obsessed with running disaster scenarios, both for themselves and their clients… and it was this, alongside their 20-year legacy of remote working, that really helped them thrive in the pandemic.
He continues, “We all know that running disaster scenarios is not a tickbox exercise. If you’re conducting them, and finding nothing wrong, you’re not doing it right! Your aim in running these scenarios is this: find the holes, fix them, and do this regularly and ongoingly.”
Has Covid at least provided an opportunity for companies to test the processes they have in place?
“I think the first lockdown was a bit of a nightmare for a lot of companies (understatement of the year perhaps!), not helped by software providers’ models being unable to give users more control.”
He tells us that software held on physical servers, stranded in unmanned offices, had a massive impact on brokers, MGAs and their clients. Unless you’re big enough to host your own software, on your own servers, you will never be secure or resilient enough. You’ll be running the same infrastructure but with a smaller budget, fewer people and less overall resource. And if you can’t physically access the server (offices on fire for example, or a pandemic!), then you’ve got a massive shambles on the horizon.
He continues, “People have finally realised that running it in the cloud makes far more sense. And you can see the proof of this in SchemeServe! To build resilience, companies need to think cloud-based.”
Insurers are also asking for far more data now as part of their operational resilience, for the same reason. Cowling tells us how clients using SchemeServe can theoretically have data in real time, but certainly most of them are now asking for it daily as standard, to give them greater insight and, again, more control.
So, what’s the best way to accurately test a provider’s resilience?
“Ideally, the company and the software provider would both be asking questions of each other. But first they need to start asking the right ones. Questions that companies send as part of their RFI to software providers need reviewing. A lot of the time companies don’t even ask what the providers’ impact tolerances are, and other questions are simply obsolete in the modern age – there’s little point asking if the software requires passwords, for example! The first thing to ensure is that we’re asking the right questions.”
Any last key takeaways?
“Imagine the worst, and test your resilience … before the next apocalypse!”
For a more in-depth article, Simon has also contributed to the Insurance Post article ‘Intelligence: Operational resilience – Regulators raise the bar for crisis response’.