Episode 26: Regulation or value creation - How to shape your resilience programme?

Emerge Stronger through Disruption podcast, PwC United States, June 2024

GCCR co-leaders Dave and Bobbie explore the increasing global regulation around resilience that is starting to rapidly take shape, and discuss what it means for organisations and actions they can take now.

Release date: June 2024

Full transcript

Bobbie Ramsden-Knowles: Hi everyone, and thanks so much for joining us today for this episode of Emerge Stronger through Disruption. My name’s Bobbie Ramsden-Knowles, I’m the co-leader of PwC’s Global Centre for Crisis & Resilience (or GCCR for short), and I’m coming to you today from our office in London. And today I’m joined also by Dave Stainback - my GCCR co-leader - great to be with you today, Dave.

Dave Stainback: Thanks, Bobbie. Great to do this discussion with you today, as always. It's certainly been a very busy time for organisations with resilience, crisis response and complexity all continuing. It feels like every podcast that we do, there's a greater sense of urgency from the business community around the need to improve resilience, and its focus on resilience going forward.

Bobbie: Yeah, absolutely agree, Dave, which is why I'm really pleased to be back here today doing this podcast. And those of you who are regular listeners will know that the aim of the podcast is to explore challenges businesses are facing in this environment of constant crisis and change, and to discuss how successful business leaders can emerge stronger through that disruption.

So in this episode, Dave and I are going to explore the increasing global regulation around resilience that is starting to rapidly take shape, and discuss what it means for organisations and how you might tackle it.

Dave: That's right, Bobbie. So between the DORA, the Critical Entities Resilience Directive (CERD), the UK Financial Services Operational Resilience Policy and all of the emerging US focus on operational resilience regulations increasing, I know many of those that I speak to are interested in how they can and should approach this holistically, and I was actually at a Board session last week and I was asked this exact question. So let's get right into it.

Bobbie: Yeah. Perfect. Brilliant. Now there's quite a lot to cover. So what I'm going to do is summarise some of the key regulations that we see are being talked a lot about by organisations. So let's start with a summary of some of the key regulations and what they require of organisations. Now many people will be familiar with the Operational Resilience Policy in the UK, which requires financial institutions to identify what we call important business services, and they have to set impact tolerances, conduct mapping of these services and scenario tests, and also, importantly, establish governance and communication strategies to manage operational risks effectively.

And this all has to be done by March 2025, so not long to go. Now, we then have the Digital Operations Resilience Act (DORA), which, Dave, you mentioned, which is a European framework that focuses on embedding a more robust and resilient approach to delivering digital capabilities and again, primarily focused on financial entities and organisations deemed critical third party providers.

So this is where we're seeing organisations in the technology space who now also have to meet the DORA compliance. And the framework shifts the focus from guaranteeing firms' financial soundness to also ensuring that they can maintain resilient operations through severe operational disruption caused by things like cybersecurity and information and communication technology (ICT) issues. Now, over in Australia, we've seen very recently that the Prudential Regulation Authority has introduced CPS 230, which aims to strengthen the way operational risk is managed by, again, the financial services sector there.

But it goes beyond any other operational resilience regulation by addressing operational risk, business continuity and, importantly, third party risk management. So those with operations in Australia have to bring together these disciplines of business continuity, risk and compliance. So a lot to do, again, in a short space of time. And for those in other sectors, I would say they should be tracking the Critical Entities Resilience Directive (CERD).

It covers 11 sectors, including but not limited to energy, transport, financial market infrastructure and health. And in October 2024, we're going to see member states adopt, publish and also apply measures. And then in July 2026, the member states identified as critical entities, they will only have ten months to comply with that regulation. So not a lot of time to do quite a lot of preparedness and work around that.

And then we go to the US, and operational resilience has been moving fast up the list of regulatory priorities as well. So for example, we've seen regulators like the Office of the Comptroller of the Currency (OCC) expecting financial institutions to remain operationally resilient, and its Sound Practices to Strengthen Operational Resilience, published in 2020, is seeking to provide firms with ways to strengthen that OpRes.

But in recent months we've also seen the acting Comptroller state in multiple appearances, interestingly, that they are considering what changes to make to the operational resilience framework. And I think that is a clear signal that this is now a priority area of focus coming. Another one is the Proposal on Operational Resilience by the Commodity Futures Trading Commission (CFTC or Commission). And this requires organisations to establish an Operational Resilience Framework (ORF) to manage and monitor Operational Risk.

So look, there's a lot there. But hopefully what it gives you a sense of is that there is a lot of regulation coming, and we're seeing regulation relating to operational resilience coming across all markets, and it's not just impacting financial services. And I think these regulations reflect a global trend now towards strengthening the operational resilience of financial institutions and also other critical industries to ensure that they can maintain stability and also continue to provide those essential services that, in the face of increasing risk and other operational disruptions, they have to maintain.

Dave: Bobbie, great summary. Clearly, there's a ton of activity in the regulatory space around resilience. And so what I'll just hit on is a couple of things that jump out to me as maybe some common themes across them. I think first of all, there's clearly a move away from likelihood of events and more of a focus on impact, specifically a need to really identify what is an acceptable level of impact for both you and, importantly, for your stakeholders as well.

Next, regulators are placing the expectation on industry to provide assurance that they can continue to provide their services during a disruptive event. Also, understanding the services you deliver as an organisation, i.e. mapping them and their dependencies, is becoming incredibly critical. And we'll touch on this in a little bit as well. And then next, it's the fact that data is so important here.

This involves tracking and maintaining a ton of data. So there's an important role for technology in both maintaining and integrating all of this resilience data that you're capturing so that you can use it to drive better informed decision making, but also so that you can report appropriately to these various regulations that may be coming down the line here.

And then lastly, I think the key here is that the vast majority of the regulatory landscape today is focused on financial services, but you're starting to see that expand and sort of seep into other industries like technology and telecom through some of these financial services regulations, as well as through things like CERD, like you just talked about. So, you know, in our view, you and I talk about this a lot, but we believe that this shift to other industries is going to come sooner rather than later, particularly in other critical infrastructure sectors like healthcare, energy and transportation.

And when you look at some of the recent cyber incidents in the healthcare sector that impacted hundreds of companies within that industry ecosystem, you can see why this is going to be a regulatory focus in the near term. 

Bobbie: Exactly, Dave. So while some industries and sectors may feel that, as they're not regulated yet, they don't need to worry about operational resilience, I think our advice is you need to get ahead of the regulation; it is no doubt going to impact you at some point.

So Dave, you mentioned that you were at a Board meeting recently where they asked your view on how they should approach this increase in regulation strategically, rather than necessarily just reacting when a new regulation is introduced. Can you perhaps share what that conversation was like? What were the main points that came out of it?

Dave: Yeah. So I think we're getting this question quite a lot.

And clearly now we're seeing it come from Boards as they're starting to focus on the importance of resilience, just with all of the disruption they're seeing around their industries. And I think it's really critical - if we take the Critical Entities Resilience Directive as an example, this is just the latest iteration of a rapidly expanding regulatory push towards resilience in the EU.

And it's really because there's this broad acknowledgment that the types of threats and hazards that we face are more diverse, and they're happening more frequently, and frankly, they're more complex than they've ever been. And that creates an obligation on the business as well as the industry as a whole, to develop the ability to respond and adapt in the face of disruption.

And therefore, there's an opportunity for organisations that are operating, particularly in regulated and critical infrastructure industries, to take a strategic approach to resilience that not only protects value, but also generates a competitive advantage by identifying operational efficiencies and capitalising on disruption when it actually takes place. So I would actually advise that organisations start putting in place an enterprise-wide resilience strategy and programme.

Now, before they're caught off guard by potential resilience regulation down the line, because this will not only protect and enhance value today, it can also give them a competitive advantage. And then when regulation does come down the line, you'll be ready for it.

Bobbie: So I think we can both agree that, given everything we've just said, the resilience regulatory environment is only going to increase and likely become more complex, because you've got lots of different regulation coming in, hitting industries at slightly different times.

On that basis, I think there are probably a couple of really key no regrets actions organisations should consider, whether they are under a resilience regulation or not, and you've started to lay that out just then, Dave. I wonder if, before we finish the podcast today, we could perhaps give our listeners a couple of no regrets actions that they might want to take away back into their organisations, so that they can start to really consider them. Perhaps I'll start.

So I think for me, you've got to have the right governance in place to break down what we see so frequently: silos in an organisation. And actually, if you start to, as you say, put that enterprise resilience framework in place and you start to break down these silos, actually when regulation comes, you'll be in a much stronger position, because it allows you to start to bring together risk and resilience under, for example, one joint committee and use this forum to really start to align your different capabilities around enterprise risk management and business continuity, crisis management, supply chain, etc. and cyber, with the aim of driving resilience top down. I think the second point is defining criticality. And this again needs to happen top down. And I think this is really important because you don't need to make everything in your organisation resilient. But if you are starting to do that now and actually define what are the critical services you deliver, what are the dependencies that enable you to deliver that service?

What impact is acceptable to our stakeholders? Actually get ahead and start to do that work. When you are covered by some type of resilience regulation, I think you'll be in a much stronger spot if you've done that work already. Dave, what would be your top two no regrets actions or recommendations that organisations should take away from this session today?

Dave: Yeah, so I think I'll actually probably pick up right where you left off, right? I think you had some great points there. And for me, picking it up there, it's that you really need to map out how your organisation operates to drive resilience top down. You need to understand the services that you deliver, what processes support those services, how they interact with one another, and then really all of the detailed dependencies of each process, the people, the technology, the third parties, etc. that allow us to actually execute on those processes. That's the only way we can see if and where we have potential resilience gaps.

And you would be very surprised as to how many organisations really have not done that mapping yet to begin to even move down the path to figure that out. So that is a critical step to pick up on. The last thing that I would say is it's time to make the jump to a holistic resilience technology platform. We are past the point of being able to manage resilience with shared folders and word documents.

You need a technology platform that can allow you to visualise your dependencies, maintain your analysis and recovery strategies really in real time, and then respond with confidence. This approach also shifts you from taking a legacy compliance focus to check the box type of a programme to one that's actually strategic and allows you to better meet any regulations as they do emerge.

So with that, I think that's really a great place to wrap up today. Thanks so much, Bobbie, for a great discussion. As always, it feels like we've only scratched the surface here, so perhaps we could come back this fall, perhaps to have a follow up session on this topic.

Bobbie: Agreed, Dave. There is so much to get into when it comes to resilience regulation.

As you said, this discussion is only just the beginning of us starting to explore this. But in upcoming episodes of Emerge Stronger through Disruption, we'll continue to tackle the topics that keep our business leaders up at night. As ever, we would love to hear ideas from listeners about topics you'd like us to address, so please get in touch with both Dave and me via LinkedIn.

And in the meantime, remember to subscribe to Emerge Stronger wherever you get your podcasts. Thanks for listening. We'll see you next time.


© 2024 PwC. All rights reserved. PwC refers to the PwC network and/or one or more of its member firms, each of which is a separate legal entity. Please see www.pwc.com/structure for further details. This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.

Contact us

Dave Stainback

Global Crisis & Resilience Co-Leader, PwC United States

Tel: +1 678 419 1355

Bobbie Ramsden-Knowles

Global Crisis & Resilience Co-Leader, PwC United Kingdom

Tel: +44 (0)7483 422701
