Operational Resilience Approach

Operational resilience is becoming ever more important to Credit Unions. With UK banks being hit by security or IT incidents that could stop payments on an almost daily basis, it is understandable why the regulators are focusing on this issue. Below we look at some of the key aspects of operational resilience:

Mentality

The recent joint discussion paper from the regulators advocated a mentality of 'when' not 'if' you will be subject to a business continuity issue. With 43% of UK businesses and 1 in 5 charities suffering a cyber attack in 2018, it is only a matter of time until most businesses are impacted. Your whole approach to business continuity and operational resilience should therefore be based on coping when an incident does impact you, rather than on assuming it can be prevented altogether.

Board

The regulators expect the Board to set the tone from the top for operational resilience. In addition, there should be regular reporting to the Board on operational resilience so that the Board can oversee and challenge the Credit Union's actions in this area.

Service Mapping

The regulators' joint paper emphasised a service-based approach. Organisations should look at the services they provide to members and map out each service end to end, including the people, systems, data and suppliers it depends on and the key risks to it. The critical services should be identified and prioritised. For each critical service you then need to define your impact tolerance: the maximum level of disruption you are prepared to accept. This updates the traditional approach, where organisations looked only at the maximum time a system could be unavailable. Outage time is still an important component of your tolerance, but there are other aspects such as reputation, financial impact and the impact on the member that all need to be taken into account. The service mapping and review of resilience also need to cover the suppliers who are critical to delivering your service, since an outage at a supplier is an outage for your members just as much as one in your own systems.

Security Culture

The FCA have stated that cyber is a people risk enabled by technology. In many cases cyber attacks only succeed because of mistakes made by individuals. Firms should therefore introduce a cyber awareness programme. Staff need to be aware of the risks, and the training each member of staff requires will depend on their role and the systems and data they have access to. There also needs to be regular testing of systems in place. The Credit Union should also be ensuring its three lines of defence (management, risk and compliance, and internal audit) are set up to cover cyber risks.


Credit Unions will need to work with their internal auditors, IT providers and software companies to help ensure they have sufficient operational resilience arrangements in place. Other bodies such as the Scottish Business Resilience Centre or the London Digital Security Centre can also offer support to organisations in their area.