Is your business ready for a critical incident? 10 questions insurance firms need to consider

4th July 2023

There’s never a good time for a critical incident to occur. But as many large financial services businesses have shown us, critical incidents can and will happen, despite your best efforts to prevent them.

Take TSB for example. The company had to pay £32.7m in redress to customers who couldn’t access their banking services following technical issues caused by its upgrade programme. It was also fined £48.56m for operational resilience failings following a review by the FCA, which found it had not taken sufficient measures to prevent those failings from happening.

With critical incidents potentially striking at any moment, the key to responding to and recovering from them is to prepare and remain vigilant. Here we explore the top 10 questions to ask yourself to ensure you can bounce back efficiently and effectively from any incident.

How do you know if your business is ready for a critical incident?

You need to consider whether you have the strategies, resources, and support in place to survive critical incidents, as and when they occur. Here are 10 key questions to ask yourself to make sure that you do:

Have we identified our most critical assets that impact service delivery?

To minimise disruption as much as possible, you need to identify and prioritise your most critical assets. These are the assets that will be most affected if something goes wrong. For insurers, this could be data, a contact centre, or a claims function as a critical source of value creation. Other things to consider include physical headquarters, cloud technology, infrastructure, and software.

Does the organisation understand the dependencies of important business services on these assets?

Once you’ve identified your most critical assets, including those that are outsourced, it’s important that everyone within your organisation understands how these assets feed into the business services you offer and carry out. For example, you might map and prioritise how your data supports your insurance policy administration and claims handling services.

Who is accountable for managing, monitoring, and reporting on resilience?

For optimal protection, it’s crucial that you have people responsible for managing, monitoring, and reporting on the effectiveness of your resilience strategy. This ensures that, as an organisation, you’re doing everything you can from both a ‘top down’ and a ‘bottom up’ viewpoint to respond to circumstances as they evolve and to protect yourselves against a critical incident.

What impact could a critical incident have on customers?

A critical incident isn’t just disruptive to your organisation, but also to your customers. This is why it’s crucial to think about how to limit the impact on your customers from threats and incidents. The knock-on effects could include customers being unable to access an important financial service, or their personal details being stolen by hackers, which would constitute a breach of GDPR.

How is risk appetite reflected in impact tolerance thresholds?

Your risk appetite is the amount and type of risk that your organisation is willing to pursue or retain to meet its strategic objectives. Your impact tolerance threshold is the established maximum level of disruption at which you could still continue to provide important business services following a severe but plausible disruption, whether that’s the sale of insurance policies, providing customer service, or delivering on your claims promises. It’s therefore important to strike the right balance between the two: ensure you’re still taking the risks you need and want to take, while still delivering your customer outcomes.

Which scenarios are outside of our defined impact tolerances?

When putting together your operational resilience plan, it’s imperative that you’ve run scenario testing to see how resilient your strategy is and whether you can remain within your impact tolerance thresholds. You should therefore also know which scenarios would cause too much disruption to your critical business services and put your business at risk. These need to be shared widely within your company so that everybody takes the necessary measures to avoid unnecessary risks.

How does our approach to resilience change the way we manage different departments and outsourced functions?

Operational resilience requires lots of small changes over time, driven by how well your strategy is performing and by which factors have shifted and changed your response. It’s important that you think about how this will change the way you manage aspects such as your operating model, the technology you rely on, and your critical third parties. Failing to do so can put you at an increased risk of a critical incident.

How frequently are we testing our response and recovery capabilities?

Your operational resilience strategy will never be complete. It requires continuous reviewing and updating, and of course, testing. It’s important that those who manage the lines of defence set regular, incremental testing periods, make any changes needed, and report on how your organisation is faring.

How are we communicating our operational resilience processes and procedures?

When everybody knows their duties, the role they play in protecting the organisation from critical incidents and, more importantly, how to react efficiently and effectively, you will have a more solid strategy. A key component of your communication plan is communication with the regulator and/or your outsourced service provider, both during the planning phase and following a critical incident.

As well as this, you need to think of a way to keep internal communications and communications with stakeholders consistent and clear. Some organisations find that templates are the best way of ensuring messages are conveyed in exactly the same way by everybody.

Are we taking the opportunities to learn?

When a critical incident or near miss occurs, it’s important that your organisation takes the opportunity to learn from it. This doesn’t mean scolding yourselves for not doing enough; it means cross-business teams identifying what worked well and what can be improved, both to prevent a recurrence and to mitigate its effects on your business. This can encourage collaboration within your teams, which is a key contributor to any successful operational resilience strategy.

Protect your insurance business by creating an operational resilience strategy that, at its foundations, takes the above 10 questions into consideration, and you will be ticking the necessary boxes for a strategy that enables efficient prevention, response, and recovery.

Unsure of the answers to any of the above? We can help. Davies can provide you with the expert knowledge and support so you can develop and implement an operational resilience strategy you have confidence in.

Relevant Content

To learn more about why ignoring significant financial risks, such as regulatory fines, revenue damage, and increased costs, could threaten an organisation’s long-term survival, download our white paper.

Neil Strickland
Business Development Director – Insurance

David Ilett
Consulting Director