Can you tolerate being punched in the face?
24 September 2019
Do you have any appetite for being punched in the face?
Almost certainly not!
These are two subtly different questions which, in simple terms, may help to explain one of the main concepts in the regulatory discussion paper on operational resilience. They may sound like an unusual way of describing prospective financial services regulation, but we hear time and again that impact tolerances are not yet understood and are confused with risk appetite, so we have been thinking outside the box(ing).
Let’s bring some context to the scenario, and consider the life of a boxer. Of course, they don’t want to be punched in the face and therefore they have a zero appetite for it. But they do expect it to happen and can reasonably expect to withstand the force of one punch. There will be some immediate pain and they will try to shake off the effects, but they are still standing.
They may even be able to withstand a second punch. They would expect the impact of that to be greater. They may sway a little, but they can still remain upright and functional.
The third punch knocks them out cold.
Using this analogy we would say that their impact tolerance is two hits, but three would breach their tolerance. It’s inevitable that they will be punched (they are a boxer after all!) but they can continue boxing up to the point that they have had three direct hits to the head. In spite of all this their appetite still remains at zero.
So for firms out there, how many ‘punches’ (or operational incidents) can you tolerate? How do you test yourselves to see how you can stay within these thresholds? What programme do you have in place across the disciplines of technology, people, premises and third parties to improve your resilience?
Of course there are circumstances which may change a firm’s tolerance, changes to the ‘severe but plausible’ scenario if you will. For example, how powerful are the hits and which parts of the business are they aimed at? How much time is between them? And how good is the defence against them?
A firm may define different impact tolerances for different business services, setting them higher or lower to reflect the impact they would cause if they were breached. These limits are an important signal of the firm’s resilience. When that limit is breached the business service will fall, meaning they stop being operational or able to compete.
With an understanding of their tolerances, firms then need to work out how to stay within them during difficult times. While ultimately the boxer holds themselves accountable for doing this, they have a team of experts around them (trainer, strength coach, psychologist, nutritionist) who help to identify weaknesses in their resilience, and find ways in which to strengthen it. They also test themselves regularly with sparring partners to monitor progress against their objectives and to test how they respond to the unexpected. Up to a point, it’s no different for businesses.
Publication of the regulatory consultation paper on operational resilience is imminent. The concept of setting impact tolerances for firms’ most important business services, introduced in the discussion paper, will be integral to this. Firms should not shy away from what can seem like a difficult question. There is a logical sequence of activities that can be undertaken to set tolerances, stress test them and monitor against them. PwC has been tackling this topic with firms across the financial sector and we will publish our approach to this challenge soon. In the meantime, we strongly encourage firms to start the groundwork by being clear on what important business services you operate.