PA Consulting: Resilience and agility must go hand in hand

Written by Toby Sibley, security and operational resilience expert and Claudia Pellegrino, PA business design expert

With regulators increasing their scrutiny on financial services’ stability and ability to provide services to people, businesses and the wider economy, operational resilience has become a major focus area. But as COVID-19 proved, resilience alone is no longer enough to survive disruption; it was agile organisations who were best able to adapt to the uncertainty of the new normal.

Firms need both resilience and agility to survive. They must ingeniously combine agile and resilient ways of working into their operating model, and the way they adapt. This has been a challenge for decades, with organisations often hamstrung by a misguided belief that agility and resilience cannot work together. We believe the two to be complementary.

To thrive through a combination of managing resilient and agile responses to disruption, firms must:

Use agile principles and roles to deliver resilience-enhancing initiatives

Firms have used agile change management to respond to technology disruptions and changes in customer expectations, rather than to deal with unexpected shocks which imperil their operational resilience.

We believe that principles from the Agile Manifesto (a document outlining the value and principles for agile software development) such as ‘customer collaboration’ can help prepare for operational disruption if adopted to deliver resilience-enhancing initiatives. To do so, firms can:

Engage the customer (or key stakeholders) when capturing and implementing resilience regulatory requirements. This could mean bringing in second line compliance units to represent the regulator in agile ceremonies such as Sprint Review and Refinement. The second line units can provide feedback, help clarify requirements and add compliance objectives into the acceptance criteria.

RELATED: PA Consulting: The UK Ventilator Challenge

Introduce roles such as Operational Resilience Champion to support the delivery of regulatory initiatives. This means tasking the resilience champion to shape and articulate the resilience vision. and set the resilience framework in which teams work. This is a similar role to the system architect, which is popular in some scaled agile frameworks (e.g. SAFe), and it is used to define a shared architectural vision. 

Adopt agile business design to identify Important Business Services

New value stream (VS) operating models are becoming increasingly popular within financial services. They allow organisations to organise resources around the steps needed to deliver customer value. Examples for financial service firms may include ‘providing customers with access & management of their pension’.

This agile business design technique can be used to respond to regulatory requirements. For instance, following a recent FCA Consultation paper, firms will be asked to identify business services that, if disrupted, would cause most harm to their consumers or market integrity – referred to as Important Business Services (IBS). IBSs will be set to remain within agreed impact tolerance. Examples may include ‘administration of pension with a tolerance of 12h’.

RELATED: Aflac's Keith Farley: 'Belfast is resilient, reinventive and adaptable'

To identify IBSs, firms should take similar steps as for VS, whilst following the guidance provided by the regulator on the matter. Organisations should:

• Look at their organisation’s purpose and draw out their IBSs considering the factors provided by the regulator in the consultation papers
• Prioritise the services by the impact of disruption to customers and the UK financial system
• Identify the resources necessary to deliver each service, as prescribed in the consultation papers, and organise them around the services: this way when disruption occurs, organisations can implement responses faster.

Ultimately, firms can align VSs to their IBSs. For example, a VS aligned to an IBS could be described as: ‘providing customers with access to their pensions through the channel of their choice, with no disruption of more than 12h’. This way, organisations combine the business with the risk side, and align resources to address both innovation and resilience.

Embed risk management within agile governance

Firms have invested time and money into building operational risk management processes to help minimise disruption. The operational risk reporting pack is a staple of many board meetings. Yet, many of our clients report that they struggle to drive changes that successfully balance operational resilience with the need to adapt quickly.

RELATED: Coronavirus: What does the ‘new normal’ mean for how we work?

We believe that risk management practices should be embedded within agile governance. Agile can meet the needs of risk management practices of regular planning, clearly defined roles and responsibility, adequate funding and appropriate resource allocation. Recognised agile frameworks have by nature well-defined roles, encourage bi-weekly planning at team level, and promote estimating capacity regularly to ensure appropriate resource allocation. To successfully embed risk management into agile governance organisations should:

• Invite the business representatives to daily scrums, first line risk teams to team-level planning and retros, and second line teams to ‘big room planning’ and demos.
• Encourage senior stakeholders to manage operational risks through day to day communication in daily stand-ups and fixed escalation points in scrum of scrums.
• Use ‘Agile Risk burndowns’ in issue and project tracking tools (e.g. JIRA) to track how risks are mitigated or closed alongside other items on the backlog. To do so, regulatory objectives and risks need to be classified as epics in the backlog, so that progress against their attainment or mitigation can be tracked and visualised.

Using agile to create resilient companies will be a challenge for senior leaders to master in order to manage disruption going forward. Doing so will not just enable them to respond to regulatory demands, but to adapt to future uncertainty and thrive in a fast-changing world.