Operational resilience is not a one-off, tick-box exercise. It is a continuous cycle of preparation, response and review, and firms should make use of every incident, near-miss or failure as an opportunity to learn and adapt. The implementation of a resilient framework will depend on the firm’s ability to identify what can be learned from these cycles and apply it to improve its systems and processes and strengthen its internal controls.
How can Firms Identify What Went Wrong?
In the post-incident phase, the most important objective is to identify and understand what went wrong. To achieve this, firms should seek to conduct a blameless analysis. This is a process designed to discover which systems or processes failed instead of seeking to attribute blame to an individual or a group of individuals. This type of analysis helps to determine whether the incident was caused by a known factor or a previously unidentified risk. Conducting a blameless analysis will involve the input from every department and everyone involved, and should be fully transparent. Firms will need to conduct a thorough root cause analysis to identify the underlying failures that resulted in the incident. Through this process, firms can identify exactly what went wrong, which is critical information needed to learn from the incident.
How can Firms Learn From What Went Wrong?
The root cause analysis will identify the underlying causes of the failure, and firms must then utilise this information to determine a clear action plan to avoid this kind of incident in the future. Firms should consider the following:
- Identify the Key Lessons: In every failure, there will be learning themes and lessons that can be applied to various parts of the business, as well as resolving issues in the area where the failure occurred
- Assign Clear Ownership: Assign accountability for each identified issue and outline a clear timescale for remediation
- Update Internal Processes: All improvements should be centrally logged and mapping exercises should be updated to reflect changes, creating and maintaining a single source of truth
- Engage with Regulators: Regulators and stakeholders should be updated as part of a commitment to transparency, and documented “lessons learned” should be shared
- Reconfigure Scenario Testing: Update dependency plans and incorporate the failure points into future scenario testing while updating the customer journey to identify new ways to improve critical processes for disruption
The ability to recover from failure and build a system of continuous improvement is a strong sign of a firm’s maturity and resilience. Regulators, clients and other stakeholders will expect to see clear evidence that firms have identified and remedied key points of failure. Learning from incidents can be a strategic opportunity for firms to demonstrate their responsiveness, strengthen their resilience by design principles and build a more robust and agile operation.
Future-proof your resilience strategy. Get in touch with our team today to build a culture of continuous improvement and accountability.
