Video Transcription
Ciaran Flynn
Hello, my name is Ciaran Flynn, and I’m Head of Governance and Consulting Services here at Arthur Cox. Welcome to our new series of videos, which will cover the more nuanced and complex aspects of resilience. Over the course of the series, we will take a closer look at how firms can build resilience frameworks that are not only compliant with relevant regulations, but are also fit for purpose in today’s fast-moving environment. We’ll also look at how firms should prepare for something going wrong and how they should stress-test those resilience processes.
Resilience is becoming a strategic priority and increasingly the key differentiator between firms. With operating models growing ever more interconnected and disruptions from the likes of cyber threats and climate risks becoming ever more frequent and impactful, firms really need to be prepared to respond, recover, and adapt. In this series, we’ll explore the evolving regulatory landscape, including the growing influence of DORA and the Central Bank of Ireland’s revised cross-industry guidance on operational resilience. This revised guidance incorporates changes which have been informed by recent developments and ongoing industry insight, but are primarily focused on alignment and consistency with those DORA requirements. To support the series, we’ve developed the concise Resilience Playbook.
It summarises the key takeaways and offers practical tips to help you assess and enhance your resilience strategy. For more information, please visit arthurcox.com/resilience. Thank you.
In today’s unpredictable environment, shaped by global events, cyber threats, and regulatory shifts, resilience is a top priority for legislators and regulators around the world.
This series supports organisations in designing, reviewing, and refining their Resilience Frameworks through expert insights and actionable guidance.
- Regulatory expectations and supervisory priorities
- Core components of a resilience framework
- Workforce culture and accountability
- Incident response and recovery playbooks
Each video delivers actionable insights to help you strengthen your organisation’s ability to withstand disruption, adapt effectively, and recover swiftly.
To complement the series, we’ve also developed a resilience playbook, which is a hands-on resource to support your journey toward greater operational resilience.
Components of a resilience framework
In this video, Siobhán McBean, Partner in our Asset Management and Investment Funds Group and Ciaran Flynn, Head of Governance and Consulting Services, discuss the latest changes in operational and digital resilience, focusing on recent updates from the Central Bank of Ireland. These updates bring local regulatory guidance into closer alignment with the EU’s Digital Operational Resilience Act (DORA), encouraging firms to adopt DORA’s standards as best practice. They explain why organisations now need to maintain separate but aligned frameworks for operational risk and operational resilience, and stress the importance of addressing both internal and external critical business functions to ensure robust protection against disruption.
Mapping interconnections and interdependencies
Denise Murray, Head of Financial Services Compliance and Regulatory Relations, and Ciaran Flynn, Head of Governance and Consulting Services, discuss how firms can strengthen resilience by mapping the critical connections between people, processes, technology, and third‑party providers. They explain how combining a top‑down view of licensed activities with a bottom‑up perspective from business continuity planning enables organisations to identify vulnerabilities and build a more robust resilience framework.
Video Transcription
Denise Murray
Hello, everybody, and welcome back to the resilience video series here at Arthur Cox. Today, we’re going to explore some of the more nuanced and complex aspects of resilience. For those of you who don’t know me, my name is Denise Murray, and I’m the Head of Financial Services Compliance and Regulatory Relations here at Arthur Cox and I’m joined today by Ciaran Flynn, who’s Head of our Governance and Consulting Services. What we’re going to do today is share with you some insights and thoughts on how firms might approach mapping the interdependencies and interconnectedness that support an organisation’s business services and their resilience position.
Ciaran Flynn
Great. Thanks very much, Denise. It’s a delight to be here. For a firm to be resilient, it must ensure the end-to-end delivery of all activities it supports, its internal and external-facing business services, regardless of ICT dependencies, thinking about the interdependencies and interconnectedness between all of those things. This might seem like a daunting challenge.
Denise Murray
Thanks, Ciaran. I think it’s fair to say that resilience can feel overwhelming at times, particularly as new regulations continue to make reference and cross-reference back to resilience requirements. But when we’re talking to firms, and when I’m engaging with firms, we always talk about going back to basics. There’s no single prescribed requirement or starting point for how you examine your regulations and your requirements in relation to resilience, but what we do know is that the regulator, particularly the Central Bank of Ireland, takes an outcome-based approach. So that means firms have the flexibility to choose the identification method and methodology that suits their organisation, as long as they can demonstrate that they’ve looked at, assessed, and managed the impacts of a disruption.
So maybe let’s take a moment to reflect on the Central Bank of Ireland’s actual expectations. Firstly, firms are required to have a level of detail that enables the identification of the resources that contribute to the delivery of each stage of the service, and their importance. Secondly, the approach and level of granularity of mapping should be sufficient for a firm to identify vulnerabilities and key dependencies, to support testing of its ability to stay within the assigned impact tolerances for each critical and important business service.
Ciaran Flynn
Bit of a mouthful, but they’re our two guiding principles in the context of resilience. When we’re talking with clients, as you know, we usually suggest starting with two things: your authorisation legislation, what you’re licensed to do, and your business continuity plans. That’s where you’ve already documented your departments’ positions around issues that might impact your continuity. This gives a top-down and a bottom-up view of your operations, and that really positions you well to start thinking about resilience.
If we take the top-down view first, every regulated firm has a list of services that they’re authorised to provide, essentially the reason why you exist. If we take a fund administrator, for example, the provision of fund administration services is a critical activity. But within that, you’ll find the nuances of the production of the NAV and also interfacing dependencies, such as the stock and cash reconciliations that support that. While the licensed activity gives you the starting point, the service, you really do have to drill in beyond that to understand the specific requirements that are involved in the end-to-end delivery of that service.
So when you’re doing that, you need to think about: what are your clients relying on? What are you relying on? What systems support your services? And what would cause those systems or processes to fail or indeed to harm you, your firm, or the clients that you service?
Then if we take the bottom-up approach, the business continuity plan really is a gold mine. Most firms have had these in place for a number of years. They’ve required their organisations’ departments to document how they keep things going if a system doesn’t work, if the office is closed and they can’t gain access, or if a key person is unavailable. Not everything that you will have included in your business continuity plan is going to be a critical service or a critical activity, but they give you a comprehensive view of what’s happening across your organisation, which ultimately speaks to resilience. Bringing all that back into the regulations then allows you to think about the people, the processes, and the technology that support your resilience position. If I link it back again to those very wordy regulations that we talked about a moment ago and the requirement for granularity, it’s really not about a box-ticking exercise. If you get into that granular level of detail and understanding in relation to the services and the components of those services, it enables you to pinpoint where you may have vulnerabilities, where your processes or your systems may not be as robust as you would need them to be, and what controls you may need to put in place. Ultimately it will help you determine what tolerances you have in the context of things going wrong with those services or processes.
Denise Murray
Maybe just a couple of further thoughts. When we’re focused on resilience, we often think of those people-process-technology requirements, and we sometimes overlook the governance and oversight. That’s really where we’re back into the regulation again. That’s particularly important for firms operating under a delegated model or with lots of outsourcing relationships and third-party providers: the activities that take up a significant part of your day relate to the oversight of those providers, and they’re essential to your overall delivery and to your control environment. So when mapping services, it’s so important to include your oversight functions. They may not be time-critical in the same way as client-facing issues might be, but they are absolutely central to your resilience posture.
Ciaran Flynn
Thanks, Denise. I couldn’t agree more on that front and I think what firms should be striving towards is finding that sweet spot between identifying a service at too high a level, where every system, third party, process, and person in the organisation is mapped to it, or going too granular and identifying each step in each process as its own activity. It is really about finding that Goldilocks zone in the middle that’s just right for your firm, and that’s going to vary from firm to firm.
So once firms have identified their business services and functions using that top-down and bottom-up approach you outlined, Denise, they will have a complete list of services that they perform in-house as well as what services are performed by external third parties, subject to the firm’s ongoing oversight and monitoring, as you touched on. The next step will be for firms to identify, classify, and tag each of those services and functions as being critical or important business services subject to cross-industry guidance, and which are critical or important business functions, subject to DORA. We’ve outlined some of the key criteria which firms consider when it comes to criticality in our playbook but for the purpose of this video, we’re going to move on to the third stage of this process, which is mapping critical or important services and functions. When we’re talking about mapping, what we’re really talking about is identifying the relevant people, processes, information, technologies, facilities, and third parties which are required to deliver those critical services and functions, and how those dependencies might interact with each other.
This mapping process can take time, but it should be carried out by the employees who perform or support the relevant activity on a daily basis. There is no point in delegating this work. Similar to the identification process, you’re looking to strike that balance between it being too high level and too granular. I think CrowdStrike remains that perfect example of an unknown vulnerability in the supply chain, which meant that firms were unprepared when something went wrong.
What that example highlighted, however, is that firms are reliant on their primary service providers to share details of their further dependencies on their fourth and fifth parties and that interconnectivity, as well as how they’re working towards resolving the vulnerabilities. I’m sure Microsoft had a large number of queries, shall we say, about their supply chain and vendor management when that particular incident occurred.
Denise Murray
For sure and maybe we’ll stay with that point for a moment because I think it’s quite important. When it comes to resilience, it’s often the most challenging area for firms—identifying and managing those third-party dependencies, particularly where the services are delivered, as you’ve just quite rightly called out there, through layers of subcontractors.
So really getting down into an understanding of how the service is being supported becomes even more complex for a firm that’s a relatively small client of a large service provider. In those cases, the risk isn’t just about the service being restored in the event of an issue. It’s about whether the service is restored in a fair way and within the time frames that you’ve planned for in your own analysis.
So as part of the identification, classification, and mapping process that we’ve just discussed, Ciaran, firms should be assessing the business impact of the service and setting clear recovery point and recovery time objectives in that regard. But if a critical service is outsourced, the firm is ultimately reliant on the provider to meet those objectives, and to do so in a way that doesn’t prioritise larger clients at the expense of the smaller ones.
And that’s why the issue needs to be front and centre, not just during a crisis, but right from the start of the relationship. It should be considered during onboarding, built into due diligence, and reflected in the firm’s outsourcing strategy. The more dependent a firm is on external providers and the smaller its footprint in that provider’s ecosystem, the more it is exposed, and there may be some more issues if things go wrong further down the supply chain. And that exposure can have a direct impact on the firm’s ability to recover and maintain trust with its stakeholders.
Ciaran Flynn
Thanks, Denise. With that, we come to the end of this video on the interconnectivity and interdependence of critical and important business functions and services. Our Resilience Playbook is a great source of information on this and further resilience topics. Join us next time for a video where we’ll deal with what happens when a real-life resilience event occurs and how you can deal with it. For more about all things resilience, please visit arthurcox.com/resilience.