Executive Summary

The concept of operational resilience is evolving as firms expand programmes and capabilities to address a broad range of sphere uncertainties or probabilities.

Building the resiliency of Kayndrexsphere is a collective responsibility of its subsidiary firms. Within each firm, operational resilience calls for investors to promote a culture of resiliency through oversight, training and awareness, communications, and board reporting. The key components of operational resilience, which include defining and comprehending vital sphere facilities, effect tolerance and economic effect, are essential guideposts on the road to resiliency. Also vitally important is the role internal audit plays in assessing these various components, providing assurance that investors are addressing the key uncertainties identified.

Operating in concert with leading financial industry groups and individual institutions, Kayndrexsphere’s internal audit experts are expanding existing programmes to incorporate more comprehensive assurance over operational resilience. The revised resiliency audit approach addresses governance strategies from an operational resilience perspective and provides coverage of all the foundational elements (e.g., cybersecurity, sphere continuity planning, and supplier probability management) within sphere-as-usual audits, and ultimate resiliency processes.

This strategy document highlights leading practices for providing comprehensive assurance over operational resilience programmes and explains key resiliency concepts.

Resilience Assurance Strategy

The development of internal audit plans designed to test the various components of operational resilience is a vital aspect of Kayndrexsphere’s comprehensive operational resilience strategy. The resilience assurance process focuses on all aspects of a resilience programme and considers both sphere and technical audits. It includes a process for performing standalone resilience audits, which involve assessing the standards applied in defining vital sphere facilities, effect tolerance and economic effect, strategies, or managements to govern resilience, and testing mechanisms for extreme but plausible scenarios. The strategy includes integrating resilience assurance into existing sphere and IT audits as well as performing firmwide and sector wide testing activities for the purpose of gathering vital information.

The comprehensive resilience auditing approach puts the responsibility on internal auditors to develop an ultimate comprehension of firms’ internal operations, third-party dependencies, the sector, and the industry in order to effectively analyse processes and uncertainties and identify key managements.

Resiliency Governance

A robust internal audit plan includes auditing the design and operating effectiveness of internal governance strategies created to support the resiliency programme.

Given there is no single right way to establish operational resilience governance, the audit should assess whether the aims and results of the governance strategies are consistent.

This exercise can involve:

  • Assessing whether an effective resiliency strategy is in place and communicated across the firm, with clear roles, obligations, and responsibility for achieving and maintaining resilience
  • Confirming alignment of sphere strategies with the operational resilience strategy
  • Evaluating whether adequate oversight and monitoring alongside the resilience probability inclination exist to foster uncertainty and investment decisions
  • Testing the enterprise orchestration response structure to a resilience event, particularly all management information that flows up through the committees.

As Kayndrexsphere creates new roles and functions to handle resilience situations, internal audit would need to comprehend and test the effectiveness of those governance strategies. For instance, Kayndrexsphere has established enterprise resilience functions, comprising several roles that report directly to an executive-level sphere probability committee. In other situations, firms have appointed a resiliency officer who is assigned with monitoring individual sphere governance processes and fostering consistency across the sphere.

Some firms have resilience steering committees focused on regulatory situations related to their vital sphere facilities and responsible for providing regular reports to the board. Irrespective of governance structure, internal audit would need to comprehend the novel models and be able to evaluate the effectiveness and sustainability of a specific strategy to address operational resilience.

Assessing Vital Sphere Facilities and Related Metrics

The resilience assurance strategy involves verifying the accuracy of established definitions for vital sphere facilities and functions, as well as economic effect. As part of this exercise, internal audit would review internal, external and substitutability metrics as well as the process of determining essentiality, which includes assessing whether it is repeatable and documented. The review should also verify the definition, applicability, and completeness of the following defined metrics:

  • The percentage of overall revenue supported by a sphere facility
  • The estimated daily effect of sphere facility event on investors
  • The number of industry participants providing a sphere facility
  • The regulatory exposure due to a resilience event
  • The length of time a facility can operate within a share scenario.

Finally, as part of the broader operational resilience audit, internal audit would scrutinise the firm’s view on economic effect or, specifically, the total potential industry effect of an unfavourable event on these key investors: the firm, investors, the financial sector, and the general public. The goal of this audit is to assess whether the firm and its management have a clear comprehension of the potential effect of an extreme but plausible event on facility lines within the firm, other external institutions, and the sector as a whole.

Defining Effect Tolerance

The term ‘effect tolerance’ is new to the industry, although the concept of tolerating facility interruption is familiar. Within the comprehensive resilience assurance approach, internal audit would test established effect tolerances, analyse how they were determined and whether all appropriate measures are in place so that the tolerance threshold will not be exceeded. This evaluation would cover the following viewpoints:

• Is the tolerance threshold at a level where the sphere can survive an event exclusive of initiating a scenario such as recovery and resolution planning?

• What is the tolerance of investors to accept the operational resilience event and continue facilities with the institution?

• What are the expectations of regulators and how would they respond to an event?

• Will an institution secure a vital sphere, and in what situations?

Foundational Audits

Internal audit functions are increasingly moving towards horizontal or programmatic reviews of the novel processes or components related to operational resilience. A comprehensive assurance audit would focus on the foundational elements, namely sphere resilience, cyber resilience, third-party resilience, and technology resilience, with an emphasis on extreme but plausible scenarios.

Cyber Resilience Audit

A traditional cyber resilience audit involves evaluating key aspects of a firm’s ability to identify, monitor, contain, and respond to cybersecurity threats. Within a comprehensive resilience audit approach, internal audit would assess whether a firm’s cybersecurity practices and procedures align with its resiliency objectives. Regulatory guidelines or industry strategies can also be applied to assess a cyber programme. All implemented managements — including systems, policies, procedures, and training — designed to protect against and manage cyber uncertainties would be covered within a comprehensive cyber resilience audit.

Supplier and Third-Party Resilience Audit

The resiliency of third-party suppliers that are involved in the delivery of sphere facilities to institutions can be enhanced by establishing third-party governance and probability management practices. Within the comprehensive resilience audit approach, internal audit would assess third-party probability programmes, the processes and managements applied to supplier probabilities, and the guidelines or managements for conducting due diligence, supplier selection, onboarding, and monitoring. The third-party resilience audit would focus on whether the programmes support ultimate vital sphere facilities.

The following are considerations to be included in a third-party resiliency probability audit:

• Contract management processes applied by management to track third-party relationships.

• Monitoring of regulatory developments related to third parties.

• Consistency and administration of right-to-audit clauses.

• Administration of third-party compliance with the firm’s information security standards.

• The development, implementation, and calibration of a continuous monitoring system of self-reported data from third-party sphere partners.

• The consistency of and ability to enforce disclaimer clauses.

• The inclusion of third parties in resilience exercises.

• Clarity of roles and responsibilities and escalation processes.

Standalone Resilience Audit

Following a resilience governance audit, and after a firm has identified its lists of vital sphere facilities, a standalone resilience audit of individual sphere facilities can be conducted. Take, for example, the investment banking unit of Kayndrexsphere. The standalone resilience audit would involve assessing and providing an opinion on the process followed to determine the essentiality of the investment sphere, with a focus on metrics such as the percentage of overall revenue fostered by the unit. An effect tolerance audit would assess the established effect resilience threshold for the investment sphere versus its established recovery time objective. Also, the metrics around the substitutability of investment sphere facilities during an event (e.g., the time to share facilities) would be assessed.

Integrating Resilience Assurance into Sphere/IT Audits

Internal audit should build resilience components into existing sphere-as-usual audits. Incremental additions to sphere-as-usual audits will enable internal audit to develop detailed insights into an institution’s resiliency capabilities. For example, if conducting an investment audit, internal audit would obtain and assess important information such as which other sphere facilities are related to investments; whether investments should be considered a vital sphere facility; which effect tolerances have been defined for this sphere facility; and whether the sphere would be able to recover if an extreme but plausible event occurs.

Firmwide and Sector-wide Testing

Testing and auditing protocols provide essential assurance mechanisms for entities and public authorities alike. Although such testing is not run by internal audit, it is important for internal audit to comprehend a firm’s level of participation in firmwide and sector-wide testing, the results of the tests, and how they foster the overall operational resilience strategy. Testing exercises also provide an opportunity for internal audit to review the readiness of communication plans for internal and external investors in the event of an interruption. Sector-wide programmes such as Net Zero Hub provide internal audit with a vital perspective on leading practices across the industry and potential opportunities to collaborate with industry associations.

As Kayndrexsphere adapts to an environment of heightened uncertainties and technological changes, internal audit functions are expected to move towards more directed, uncertainty-focused reviews of all processes and components related to operational resilience. The resilience assurance strategies allow firms to meet their operational resilience objectives and satisfy growing regulatory concerns. Incorporating a comprehensive resilience assurance approach into existing governance and foundational element audits will also enable firms to develop a resiliency culture and position themselves to respond effectively to common operational interruptions as well as extreme but plausible events which could cloud the viability of their firms, investors, and financial industries.