
Operational Resilience in Payments: Let the War Games Begin

Written by Karl Kiarie | 14 September 2020

2020 has so far distinguished itself as a watershed moment. It has brought massive disruption and chaos to our daily lives and order of business, but it has also brought major opportunities to build a “new normal” and test organizations’ resilience.

The ongoing pandemic has resulted in the initiation of Business Continuity measures into a quasi-Business as Usual (“BAU”) environment, including the adoption of modern technologies and remote working of key staff across some critical business operations. But how resilient will IT infrastructure, Operational Risk frameworks and other business effectiveness processes remain during this period?

COVID-19 gives organizations the opportunity to consider the robustness of their Operational Resilience response and recovery plans, which is vital in the financial services industry. Payments ecosystems are a key focus area as they enable economic activity by facilitating the exchange of funds for goods and services rendered. One particularly successful way of testing Operational Resilience across critical Payments operations is running “War Games” or “Simulation exercises”.

What is an Operational Resilience “War Game”?

An Operational Resilience “war game” is an exercise whereby a realistic, real-time critical incident is simulated in remote working conditions. In a similar vein to the military, the idea of “wargaming” is to challenge an existing paradigm and expose blind spots by getting all parties involved in the exercise. As participants engage in the simulation, insights emerge. The end-to-end (“E2E”) impact is closely monitored, observations are noted, and lessons learned during the simulation are implemented into an organization's Operational Resilience framework.

Running the simulation in remote working conditions fully replicates the current BAU operations that most firms have moved to since the onset of COVID-19, where over 90% of staff in some cases are working from home. 

5 steps to run a successful Operational Resilience “War Game”

To be valuable, an Operational Resilience “War Game” exercise should follow some key principles. We have distilled 5 critical steps to help you carry out a successful simulation. 

1. Do NOT just focus on the robustness of Disaster Recovery & Business Continuity procedures
Business Continuity and Disaster Recovery are visible frameworks that most firms will have deployed as a first response to the COVID-19 outbreak. As useful as these frameworks are, they have historically focused on a narrow set of scenarios limited to Facilities management and the viability of the Business Continuity Plan (BCP) as a back-up to BAU operations in the event of critical failure. The scenarios required by Operational Resilience go much wider and require all aspects of the business operating model to be fully assessed. This includes your Corporate Governance model, Risk and Control Framework as well as third party/supplier management processes. Ensure that the scenario you are simulating provides full coverage for all these aspects to provide a sufficiently detailed view to better inform decision making. 

2. Make sure that your simulation scenario is severe but plausible
Basing your simulation on a severe but plausible occurrence gives you the ability to set impact tolerances for your critical business service or process. When running the simulation, it also allows you to fully validate your existing business rules around customer impact and firm viability whilst considering the impacts of a geographically dispersed workforce.  

3. Establish “rules of engagement” before you begin
Setting up rules of engagement ensures that all participants are clear on the objectives, scope and parameters of the simulation. In addition, it is critical that communication channels are established, with a clear purpose outlined for each. Tools such as conference calls, video conferencing and instant messaging are useful communication mediums that can be effectively utilized in a remote working environment. It is tempting to think that instant communication mediums will serve the purpose for rapid response and recovery. However, such tools are best used for quick, diagnostic communications on a one-to-one basis or as an audit trail for key steps during your simulation exercise.

4. The simulation is as much about the response and recovery process as the outcome
Operational Resilience goes beyond traditional prevention of critical incidents – more importantly, it is about the robustness of your response and recovery process. The thought process undertaken by staff at critical steps of the response and recovery process is as important as fully addressing the critical incident. The extent to which your existing procedures are sufficient in meeting the objective of a rapid, fully controlled and well-communicated response and recovery procedure is a key criterion to demonstrate that your organization is up to speed with Operational Resilience requirements. Factoring this into your simulation will give you a lot more insight on the effectiveness of your existing procedures. 

5. Ensure both First- and Second-Line functions participate in the simulation
This is key as it ensures that all functions of the business involved in the critical business service or process are aware of the part they play in the response and recovery process during a critical incident. It also provides the opportunity for your business to leverage the full extent of its capabilities by increasing awareness of the impact of each team’s actions on the entire process and identifying opportunities to improve the existing response and recovery plan. There is an increased focus on middle and back-office functions to ensure these can hold up under the current working environment. This must be done without degrading the customer experience, increasing the risk of regulatory breaches, or introducing systemic risks into the financial ecosystem.

The “war games” may have just begun, but they are here to stay, at least for the foreseeable future. RedCompass Labs has a strong track record of managing complex organisational changes and winning the support of operating divisions to embrace the changes necessary for future growth. Our consultants draw upon a wealth of experience and expertise in delivering change in challenging operational landscapes and are ready to work with you on your Operational Resilience initiatives, including “war games”. Feel free to get in contact if you wish to learn more.