Through these efforts, banks have mapped and identified important business services, assessed impact tolerances, mapped critical dependencies and rigorously tested various failure scenarios. Taken together, the information they’ve gathered should rank among their most powerful actionable datasets.
Bridging the theory/practice gap
But does all this constitute an operable capability that can be rapidly deployed to enable the bank to maintain services to customers and reassure markets and regulators?
Often, the answer falls short of a resounding ‘yes’. The reason? A heavy focus on regulatory compliance, as well as siloed behaviours across operational, cyber and technology ‘resilience’ teams. Practical theory and tick-box compliance do not drive operability. What’s needed instead is orchestration across all of these, with a ‘conductor’ taking responsibility for delivering true enterprise and ecosystem-wide operational resilience.
Why? Because a cyber event is rarely just about cybersecurity. While a breach or attack starts in the digital layer, it rapidly ripples through the whole business as an operational disruption that severely tests everything – and everyone.
Creating a living, breathing capability
What’s essential therefore is an approach that integrates all relevant functions, delivering the coordinated ability to act quickly to achieve an operating state that restores essential services, while the rest of the business recovers for whatever comes next.
This concept, the minimal viable company (MVC), represents a living, breathing capability designed to spring into action in the event of a crisis. As well as defining what critical services are, it sets out the optimal sequencing for their recovery across multiple scenarios, from ransomware demands to state-sponsored attacks on national infrastructure. While primarily determined by business imperatives, this should also take account of technology practicalities.
Four core layers underpinning operational resilience
Translated into a financial services context, the MVC integrates regulatory compliance with recovery and resolution planning to provide true operational resilience. There are four core layers to the MVC structure that every FS organisation should consider holistically.
What’s included in each of these will vary from business to business, but an effective MVC design in Financial Services will encompass all four:
- Customer services: Not just the services driving customer outcomes, but also the underlying dependencies on which they’re based (people, tech, premises, third-parties etc).
- Business functions: Providing vital support for customer services, including AML, fraud screening and clearing, along with crucial shared services like payroll, finance and regulatory reporting.
- Data sets: Integral to the effective operation of prioritised customer services and the wider business.
- Technology infrastructure: From network to middleware and on-prem servers to key tech provider partners, the technology needed to support all the blocks above.
Enabling disciplined, rapid recoveries
Perhaps most crucially, the development of an effective and dynamic MVC demands ecosystem-wide collaboration and informed leadership, with clearly defined priorities, roles and responsibilities. After all, leadership will rarely come under as much pressure as it will during a severe disruption.
Achieving all this requires significant preparation. Without that, it’s not possible to convert what would otherwise be weeks of improvised responses and intricate technical execution into a disciplined, rapid recovery effort.
We work closely with banks and FS organisations to help them define and build an MVC. Based on this experience, we’ve identified a number of key success factors:
- Resilience starts from the top-down
To avoid creating an unmanageable list of ‘critical’ services and functions, the executive team must set clear priorities and define what’s truly vital for survival and recovery. - Culture, ownership and collaboration are non-negotiable
Cross-functional teams with agreed roles and responsibilities, working together in a ‘no-fault’ empowered culture, achieve recovery faster than siloed functions driven by self-protection. Overall, business leaders set intent and priorities while technology teams deliver practical recovery. - Real-world thinking over theoretical frameworks
We repeatedly see how real-world incidents expose gaps and vulnerabilities missed by theoretical frameworks. In such a disruptive operating environment, continuous learning from real events and testing of potential impacts will prove invaluable. - Continuously learning, planning and adapting
Targeted, effective recoveries hinge on data-driven approaches – continuously refreshed to map evolving dependencies between business services, technology, people and third parties. - Understanding and managing partner risks
Every bank relies on an ecosystem of partners for a range of systems and services. To make sure they’ll be available in the event of a crisis, it’s essential to build strong relationships and agreements that define key roles and processes. At the same time, maintaining critical institutional knowledge and expertise in-house will continue to be indispensable.
Making resilience real
Every bank must have a robust operational resilience framework and a mature cyber recovery plan. But on their own, these won’t necessarily protect all key stakeholders from the impact of a crisis. It’s only when operations, technology and cybersecurity functions come together through an MVC that resilience becomes real. The consequences of not putting them together? A longer, slower and much more damaging road to recovery.
Find out more about how we are helping organisations ensure continuity through crisis
Contact us
Duncan Scott
Operational Resilience Leader - Banking, PwC United Kingdom
Tel: +44 (0)7894 393607
