Last week our resident operational resilience expert Mark Heywood spoke to Danske Bank’s SVP Business Services & Service Governance Craig Alexander about how regulatory compliance is influencing operational resilience for Disaster Recovery Journal’s webinar series.
Regulatory compliance and operational resilience with Danske and DRJ
With the reputational, experiential, and financial cost of failure on the rise, regulators are looking at organizations’ operational resilience measures with even more scrutiny and with the added threat of harsher sanctions - in short, regulators want to influence operational resilience programs more than they ever have before.
During the session, Craig shared his experiences with managing changing regulatory demands and operational risks, and some advice on how to build better resilience into your organization.
4 ways to improve regulatory compliance
1. Information is just as important as technology
Resilience starts with the data you can leverage because you can’t govern what you can’t see. Understanding how everything in the end-to-end process works and links together is crucial to managing not just individual products or services but the resilience of the whole ecosystem - for example, how IT relates to assets, people, buildings, vendors and the contracts that control them, the services that deliver to customers, and more.
To this end, having a knowledge base where people can self serve the information they need will streamline the whole regulatory and resilience process, as it will avoid the need to hunt down hidden information when it is asked for, removing the bureaucratic burden that people often feel is the hallmark of regulatory scrutiny. When information is readily available to those who need it, providing assurance to regulators no longer has to be a major project.
2. Resilience is everyone's job
Driving the right behavior across the organization is crucial to resilience. No one should think of reducing risk and ensuring resilience as someone else’s job - everyone is responsible.
One of the key findings from the 2014 “Dear Chairman II” exercise in response to a major outage at RBS in 2012 was that there was insufficient oversight of technology at a board level, so building this knowledge at every level of the organization is key. Resilience also needs to be built into solutions from day one, as it shouldn’t be seen as someone else’s job to make it resilient once it’s been deployed - resilience starts with development and operations and continues to the end of the service chain.
According to Craig, “We are developing a culture whereby everyone is a risk manager to some extent…and there’s been extensive development to make sure risk is built into everything we do, which we have embraced throughout the organization.”
3. You're only as strong as your weakest link
As shown by the Suez Canal incident in 2021, modern supply chains make us more nimble but also more vulnerable, as one incident can cause the whole system to fail. This can also be applied to end-to-end technology ecosystems or processes.
This is why it’s not just important to ensure resilience at every stage of the processes happening within your organization. You also need to ensure resilience in every business or external process you are connected to. A holistic approach is needed to understand the risk profiles of your up- and downstream suppliers, partners, and collaborators, and this goes both ways.
Craig says, “Regulators are not the only ones asking questions - counterparties and clients also need to know we are taking the resilience agenda seriously.”
4. Compliance is an enabler
Regulatory compliance and operational resilience can sometimes be viewed as blockers or onerous bureaucratic exercises when not properly managed or framed within the organization. But there are many positives - compliance drives quality and best practices, lowers your risk position, and improves the quality of service for your customers.
If you extend your compliance principles throughout the organization and involve everyone in ensuring resilience, there will be a greater understanding of the positive impacts of resilience and compliance, especially when everyone takes responsibility for it.
To find out more, watch the video of the full session below.