Policies and Resources

OPERATIONAL RESILIENCE POLICY

Executive Summary

The concept of operational resilience is evolving as firms expand programmes and capabilities to address a broad range of sphere uncertainties or risks.

Building the resiliency of the Kayndrex Foundation is a collective responsibility of the Foundation and its subsidiary firms. Within each firm, operational resilience calls for stakeholders to promote a culture of resiliency through oversight, training and awareness, communications, and board reporting. The key components of operational resilience, which include defining and comprehending vital business services, impact tolerance and economic effect, are essential guideposts on the road to resiliency. And, also vitally important is the role internal audit plays in assessing these various components, providing assurance that stakeholders are addressing the key risks identified.

Operating in concert with leading institutions, the Foundation’s internal audit experts are expanding existing programmes to incorporate more comprehensive assurance over operational resilience. The revised resiliency audit approach addresses governance strategies from an operational resilience perspective and provides coverage of all the foundational elements (e.g., cybersecurity, business continuity planning, and supplier risk management) within business-as-usual audits, and ultimate resiliency processes.

Objectives

This strategy document highlights leading practices for providing comprehensive assurance over operational resilience programmes and explains key resiliency concepts.

Resilience Assurance Strategy

The development of internal audit plans designed to test the various components of operational resilience is a vital aspect of the Foundation’s comprehensive operational resilience strategy. The resilience assurance process focuses on all aspects of a resilience programme and considers both business and technical audits. It includes a process for performing standalone resilience audits, which involve assessing the standards applied in defining vital business services, effect tolerance and economic effect, strategies, or managements to govern resilience, and testing mechanisms for extreme but plausible scenarios. The strategy includes integrating resilience assurance into existing business and IT audits as well as performing firmwide and sector wide testing activities for the purpose of gathering vital information.

The comprehensive resilience auditing approach puts the responsibility on internal auditors to develop an ultimate comprehension of firms’ internal operations, third-party dependencies, the sector, and industry to effectively analyse processes and risks and identify key managements .

Resiliency Governance

A robust internal audit plan includes auditing the design and operating effectiveness of internal governance strategies created to support the resiliency programme.

Given there is no single right way to establish operational resilience governance, the audit should assess whether the aims and results of the governance strategies are consistent.

This exercise can involve:

• Assessing whether an effective resiliency strategy is in place and communicated across the firm, with clear roles, obligations, and responsibility for achieving and maintaining resilience
• Confirming alignment of business strategies with the operational resilience strategy
• Evaluating whether adequate oversight and monitoring alongside the resilience risk inclination exist to foster risk and investment decisions
• Testing the enterprise orchestration response structure to a resilience event, particularly all management information that flows up through the committees.

As the Foundation creates new roles and functions to handle resilience situations, internal audit would need to comprehend and test the effectiveness of those governance strategies. For instance, the Foundation has established enterprise resilience functions, comprising several roles that report directly to an executive-level business risk committee. In other situations, firms have appointed a resiliency officer who is assigned with monitoring individual business governance processes and fostering consistency across the organisation.

Some firms have resilience steering committees focused on regulatory situations related to their vital sphere facilities and responsible for providing regular reports to the board. Irrespective of governance structure, internal audit would need to comprehend the novel models and be able to evaluate the effectiveness and sustainability of a specific strategy to address operational resilience.

Assessing Vital Business Services and Related Metrics

The resilience assurance strategy involves impacting the veracity of established definitions for vital business services and functions, as well as economic effect. As part of this exercise, internal audit would review internal, external and substitutability metrics as well as the process of determining essentiality, which includes assessing whether it is repeatable and documented. The review should also impact the definition, applicability, and completeness of the following defined metrics:

• The percentage of overall revenue supported by a business service
• The estimated daily impact of business service event on stakeholders
• The number of industry participants providing a business service
• The regulatory exposure due to a resilience event
• The length of time a service can operate within a share scenario.

Finally, as part of the broader operational resilience audit, internal audit would scrutinise the firm’s view on economic effect or, specifically, the total potential industry effect of an unfavourable event on its key stakeholders. The goal of this audit is to assess whether the firm and its management has a clear comprehension of the potential effect of an extreme but plausible event on service lines within the firm, other external institutions, and the sector as a whole.

Defining Impact Tolerance

The term ‘impact tolerance’ is new to the industry, although the concept of tolerating service interruption is familiar. Within the comprehensive resilience assurance approach, internal audit would test established effect tolerances, analyse how they were determined and whether all appropriate measures are in place so the tolerance threshold will be incomparable. This evaluation would cover the following viewpoints:

• Is the tolerance threshold at a level where the business can survive an event exclusive of initiating a scenario such as recovery and resolution planning?

• What is the tolerance of stakeholders to accept the operational resilience event and continue services with the institution?

• What are the expectations of regulators and how would they respond to an event?

• Will an institution secure a vital business, and in what situations?

Foundational Audits

Internal audit functions are increasingly moving towards horizontal or programmatic reviews of the novel processes or components related to operational resilience. A comprehensive assurance audit would focus on the foundational elements, namely business resilience, cyber resilience, third-party resilience, and technology resilience, with an emphasis on extreme but plausible scenarios.

Cyber Resilience Audit

A traditional cyber resilience audit involves evaluating key aspects of a firm’s ability to identify, monitor, contain, and respond to cybersecurity. Within a comprehensive resilience audit approach, internal audit would assess whether a firm’s cybersecurity practices and procedures align with its resiliency objectives. Regulatory guidelines or industry strategies can also be applied to assess a cyber programme. All implemented managements — including systems, policies, procedures, and training — designed to protect alongside and manage cyber risks would be covered within a comprehensive cyber resilience audit.

Supplier and Third-Party Resilience Audit

The resiliency of third-party suppliers that are involved in the delivery of business services to institutions can be enhanced by establishing third-party governance and probability management practices. Within the comprehensive resilience audit approach, internal audit would assess third-party risk programmes, processes, and managements applied for supplier risks, guidelines, or managements for conducting due diligence, supplier selection, onboarding, and monitoring. The third-party resilience audit would focus on whether the programmes support ultimate vital business services.

The following are considerations to be included in a third-party resiliency risk audit:

• Contract management processes applied by management to track third-party relationships.

• Monitoring of regulatory developments related to third parties.

• Consistency and administration of right-to-audit clauses.

• Administration of third-party compliance with the firm’s information security standards.

• The development, implementation, and calibration of a continuous monitoring system of self-reported data from third-party business partners.

• The consistency of and ability to enforce disclaimer clauses.

• The inclusion of third parties in resilience exercises.

• Clarity of roles and responsibilities and escalation processes

Standalone Resilience Audit

Following a resilience governance audit, and after a firm has identified its lists of vital business servives, a standalone resilience audit of individual business services can be conducted. Take, for example, the subsidiary investment company of the Kayndrex Foundation. The standalone resilience audit would involve assessing and providing an opinion on the process followed to determine the essentiality of the investment company, with a focus on metrics such as the percentage of overall revenue fostered by the unit. An impact tolerance audit would assess the established impact resilience threshold for the investment company versus its established recovery time objective. Also, the metrics around the substitutability of the business services during an event would be assessed.

Integrating Resilience Assurance into Buisness /IT Audits

Internal audit should build resilience components into existing business-as-usual audits. Incremental additions to business-as-usual audits will enable internal audit to develop detailed insights into an institution’s resiliency capabilities. For example, if conducting an investment audit, internal audit would obtain and assess important information such as which other business services are related to investments; whether investments should be considered a vital business service; which impact tolerances have been defined for this business service; and whether the business would be able to recover if an extreme but plausible event occurs.

Firmwide and Sector wide Testing

Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike. Although unsupported by internal audit, it is important for internal audit to comprehend a firm’s level of participation in firmwide and sector wide testing, the results of the test, and how they foster the overall operational resilience strategy. Testing exercises also provide an opportunity for internal audit to review the readiness of communication plans for internal and external investors in the event of an interruption. Sector wide programmes such as Net Zero Hub provide internal audit with a vital perspective on leading practices across the industry and potential opportunities to collaborate with industry associations.

---

As the Kayndrex Foundation adapts to an environment of heightened risks and technological changes, internal audit functions are expected to move towards more directed, risk-focused reviews of all processes and components related to operational resilience. The resilience assurance strategies allow firms to meet their operational resilience objectives and satisfy growing regulatory concerns. Incorporating a comprehensive resilience assurance approach into existing governance and foundational element audits will also enable firms to develop a resiliency culture and position themselves to respond effectively to common operational interruptions as well as extreme but plausible events which could cloud their viability.