The balancing act – resilience and agility must go hand in hand

By Toby Sibley, Claudia Pellegrino

In a recent poll with UK Finance, over 90 percent of respondents believed that their organisation is struggling to keep pace with change. Less than 40 percent of respondents thought that their organisation will be well placed to manage the need to be both flexible and resilient in the future.

The finance sector currently lacks the capacity to meet current challenges and will be more stretched in the future as customer and regulatory pressure will drive firms to be more resilient. For example, the Financial Conduct Authority’s (FCA) policy on Operational Resilience requires firms to protect the most important services they offer to customers and markets by March 2025.

The finance industry must continue to prove itself capable of rising to the combined challenge of keeping pace with market demands and implementing new regulation. The starting point is to recognise that these twin capabilities are both complementary and add huge business benefits for firms that get it right. Given that many firms find their current operating environment to be tempestuous we believe that firms that can bounce back and quickly adapt will emerge as future winners.

To thrive through a combination of managing resilient and agile responses to disruption, firms must:

Use agile principles and roles to deliver resilience-enhancing initiatives

Firms have used agile change management to respond to technology disruptions and changes in customer expectations, rather than to deal with unexpected shocks which imperil their operational resilience.

We believe that principles from the Agile Manifesto (a document outlining the value and principles for agile software development) such as ‘customer collaboration’ can help prepare for operational disruption if adopted to deliver resilience-enhancing initiatives. To do so, firms can:

Engage the customer (or key stakeholders) when capturing and implementing resilience regulatory requirements. This could mean bringing in second line compliance units to represent the regulator in agile ceremonies such as Sprint Review and Refinement. The second line units can provide feedback, help clarify requirements and add compliance objectives into the acceptance criteria.

Introduce roles such as Operational Resilience Champion to support the delivery of regulatory initiatives. This means tasking the resilience champion to shape and articulate the resilience vision and set the resilience framework in which teams work. This is a similar role to the system architect, which is popular in some scaled agile frameworks (e.g. SAFe), and it is used to define a shared architectural vision.

Adopt agile business design to identify Important Business Services

New value stream (VS) operating models are becoming increasingly popular within financial services. They allow organisations to organise resources around the steps needed to deliver customer value. Examples for financial service firms may include ‘providing customers with access & management of their pension’.

This agile business design technique can be used to respond to regulatory requirements. The new policy has confirmed that firms must identify business services that, if disrupted, would cause most harm to their consumers or market integrity – referred to as Important Business Services (IBS). IBSs will be set to remain within agreed impact tolerance. Examples may include ‘administration of pension with a tolerance of 12h’.

To identify IBSs, firms should take similar steps as for VS, whilst following the guidance provided by the regulator on the matter. Organisations should:

  • Look at their organisation’s purpose and draw out their IBSs considering the factors provided by the regulator in the consultation papers
  • Prioritise the services by the impact of disruption to customers and the UK financial system
  • Identify the resources necessary to deliver each service, as prescribed in the consultation papers, and organise them around the services: this way when disruption occurs, organisations can implement responses faster.

Ultimately, firms can align VSs to their IBSs. For example, a VS aligned to an IBS could be described as: ‘providing customers with access to their pensions through the channel of their choice, with no disruption of more than 12h’. This way, organisations combine the business with the risk side, and align resources to ensure end to end innovation.

In particular, this practice can support firm’s organisational resilience - the FCA policy states that “Firms that had mapped their important business services ahead of the pandemic found themselves in a much stronger position”.

Embed risk management within agile governance

Firms have invested time and money into building operational risk management processes to help minimise disruption. The operational risk reporting pack is a staple of many board meetings. Yet, many of our clients report that they struggle to drive changes that successfully balance operational resilience with the need to adapt quickly.

We believe that risk management practices should be embedded within agile governance. Agile can meet the needs of risk management practices of regular planning, clearly defined roles and responsibility, adequate funding and appropriate resource allocation. Recognised agile frameworks have by nature well-defined roles, encourage bi-weekly planning at team level, and promote estimating capacity regularly to ensure appropriate resource allocation. To successfully embed risk management into agile governance organisations should:

  • Invite the business representatives to daily scrums, first line risk teams to team-level planning and retros, and second line teams to ‘big room planning’ and demos.
  • Encourage senior stakeholders to manage operational risks through day to day communication in daily stand-ups and fixed escalation points in scrum of scrums.
  • Use ‘Agile Risk burndowns’ in issue and project tracking tools (e.g. JIRA) to track how risks are mitigated or closed alongside other items on the backlog. To do so, regulatory objectives and risks need to be classified as epics in the backlog, so that progress against their attainment or mitigation can be tracked and visualised.

Using agile to create resilient companies will be a challenge for senior leaders to master in order to manage disruption going forward. Doing so will not just enable them to respond to regulatory demands, but to adapt to future uncertainty and thrive in a fast-changing world.

About the authors

Toby Sibley PA security architecture expert
Claudia Pellegrino PA business design expert

Explore more

Contact the team

We look forward to hearing from you.

Get actionable insight straight to your inbox via our monthly newsletter.