COO Magazine Q3 2024
SMF24 Perspective: The COO’s regulatory obligation
Martha Fee
Armstrong Wolfe Advisor
Former SMF24 as COO EMEA & APAC, Northern Trust Asset Management
The aftermath of COVID-19 has emphasized the criticality of operational resilience in navigating the complexities of today’s world.
As regulatory expectations in the UK align with industry efforts, firms are urged to embed resilience into their DNA, from the boardroom to the front lines, to meet the March 31st 2025 deadline.
The overarching principle of operational resilience acknowledges the inevitability of disruptions and underscores the need for proactive preparedness and adaptive measures to safeguard critical business services.
Key principles of an operational resilience framework include board and senior management ownership, identification of important business services, setting impact tolerances, and continuous review and improvement. Rather than building something new, firms should integrate operational resilience into the frameworks they already run, such as Third-Party Risk Management, Change Management, and Business Continuity Planning.
UK regulation makes it clear that the COO and/or CIO holding the SMF24 regulated function is accountable for the firm's operational resilience approach, its policy standards, and its operating models. Equally, the executives who own important business services and their associated revenues are responsible for addressing vulnerabilities that could breach impact tolerances, which calls for a cohesive approach to governance and oversight.
However, assessing the effectiveness of an operational resilience framework can be a challenge, and well-chosen metrics are invaluable in tracking progress and enhancing resilience.
Drawing from my experience, I would advocate for a structured approach to metrics tracking, focusing on program status, tolerance breaches, and vulnerability resolution.
UK firms have until March 2025 and need to ensure that outstanding items are being tracked to completion. Tolerance breaches are reportable to the regulator, so consider the following when developing metrics:
- Have you had any, and how many have you reported?
- Have important business services remained within their impact tolerance?
- Have you had any near misses?
Vulnerability tracking and resolution are crucial. What lessons have you learned and incorporated to enhance your firm’s resilience?
These draw upon my own experience as a COO and SMF24, and were used when creating structured metrics dashboards; they may resonate with others in the field.