How Financial Firms Blaze a Trail
To New, More Predictive
Operational Resilience Capabilities
A transcript of a discussion on new ways that businesses in the financial sector are avoiding and
mitigating the damage from today’s myriad business threats.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: ServiceNow and EY.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you’re
listening to BriefingsDirect.
The last few years have certainly highlighted the need for businesses of all kinds to build up
their operational resilience. With a rising tide of pandemic waves, high-level cybersecurity
incidents, frequent technology failures, and a host of natural disasters -- there’s been plenty to
protect against.
As businesses become more digital and dependent upon end-to-end ecosystems of connected
services, the responsibility for protecting critical business processes has clearly shifted. It’s no
longer just a task for IT and security managers but has become top-of-mind for line-of-business
owners, too.
Stay with us now as we explore new ways that those responsible for business processes
specifically in the financial sector are successfully leading the path to avoiding and mitigating
the impact and damage from these myriad threats.
To learn more about the latest in rapidly beefing-up
operational resilience by bellwether finance companies,
please join me in welcoming Steve Yon, Executive Director
of the EY ServiceNow Practice. Welcome, Steve.
Steve Yon: Thanks, I’m happy to be here.
Gardner: We’re also here with Sean Culbert, Financial
Services Principal at EY. Good to have you with us, Sean.
Sean Culbert: Good afternoon, Dana.
Gardner: Sean, how have the risks modern digital
businesses face changed over the past decade? Why are
financial firms at the vanguard of identifying and heading off
these pervasive risks?
Culbert: The category of financial firms forms a broad scope of types. The risks for a consumer
bank, for example, are going to be different than the risks for an investment bank or from a
broker-dealer. But they all have some common threads. Those include the expectation to be
always-on, at the edge, and able to get to your data in a reliable and secure way.
There’s also the need for integration across the ecosystem. Unlike product sets before, such as
in retail brokerage or insurance, customers expect to be brought together in one cohesive
services view. That includes more integration points and more application types.
This all needs to be on the edge and always-on, even as it includes, increasingly, reliance on
third-party providers. They need to walk in step with the financial institutions in a way that they
can ensure reliability. In certain cases, there’s a learning curve involved, and we’re still coming
up that curve.
It remains a shifting set of expectations to the edge. It’s different by category, but the themes of
integrated product lines -- and being able to move across those product lines and integrate with
third-parties – has certainly created complexity.
Gardner: Steve, when you’re a bank or a financial institution that finds itself in the headlines for
bad things, that is immediately damaging for your reputation and your brands. How are banks
and other financial organizations trying to be rapid in their response in order to keep out of the
headlines?
In interconnected, system-wide security, we trust
Yon: It’s not just about having the wrong headline on the front cover of American Banker. As
Sean said, the taxonomy of all these services is becoming interrelated. The suppliers tend to
leverage the same services.
Products and services tend to cross different firms. The complexity of the financial institution
space right now is high. If something starts to falter -- because everything is interconnected -- it
could have a systemic effect, which is what we saw several years ago that brought about Dodd-
Frank regulations.
So having a good understanding of how to measure and get telemetry on that complex makeup
is important, especially in financial institutions. It’s about trust. You need to have confidence in
where your money is and how things are going. There’s a certain expectation that must happen.
You must deal with that despite mounting complexity. The notion of resiliency is critical to a
brand promise -- or customers are going to leave.
One, you should contain your own issues. But
the Fed is going to worry about it if it becomes
broad because of the nature of how these
firms are tied together. It’s increasingly
important -- not only from a brand perspective
of maintaining trust and confidence with your
clients -- but also from a systemic nature; of
what it could do to the economy if you don’t
have good reads on what’s going on with
support of your critical business services.
Gardner: Sean, the words operational resilience come with a regulatory overtone. But how do
you define it?
Scaling the operational resilience pyramid
Culbert: We begin with the notion of a service.
Resilience is measured, monitored, and managed
around the availability, scalability, reliability, and security
of that service. Understanding what the service is from
an end-to-end perspective, how it enters and exits the
institution, is the center to our universe.
Around that we have inbound threats to operational
resilience. From the threat side, you want the capability
to withstand a robust set of inbound threats. And for us,
one of the important things that has changed in the last
10 years is the sophistication and complexity of the
threats. And the prevalence of them, quite frankly.
If you look at the four major threat categories we work
with -- weather, cyber, geopolitical, and pandemics --
pick any one of those and there has been a significant change in those categories. We have
COVID, we have proliferation of very sophisticated cyberattacks that weren’t around 10 years
ago, often due to leaks from government institutions. Geopolitically, we’re all aware of tensions,
and weather events have become more prevalent. It’s a wide scope of inbound threats.
And on the outbound side, businesses need the capability to not only report on those things, but
to make decisions about how to prevent them. There’s a hierarchy in operational resilience. Can
you remediate it? Can you fix it? Then, once it’s been detected, how can you minimize the damage?
At the top of the pyramid, can you prevent it before it hits?
So, there’s been a broad scope of
threats against a broader scope of
service assets that need to be
managed with remediation. That
was the heritage, but now it’s more
about detection and prevention.
Gardner: And to be proactive and preventative, operational resilience must be inclusive across
the organization. It’s not just one group of people in a back office somewhere. The responsibility
has shifted to more people -- and with a different level of ownership.
What’s changed over the past decade in terms of who’s responsible and how you foster a
culture of operational resiliency?
Bearing the responsibility for services
Culbert: The anchor point is the service. And services are processes: It’s technology, facilities,
third parties, and people. The hard-working people in each one of those silos all have their own
view of the world -- but the services are owned by the business. What we’ve seen in recognition
of that is that the responsibility for sustaining those services falls with the first line of business
[the line of business interacting with consumers and vendors at the transaction level].
Yon: There are a couple of ways to look at it. One, as Sean was talking about, the lines of
defense and the evolution of risk has been divvied up. The responsibilities have had line-of-sight
ownership over certain sets of accountabilities. But you also have triangulation from others
needing to inspect and audit those things as well.
The time is right for the new type of solution that we’re talking about now. One, because the
nature of the world has gotten more complex. Two, the technology has caught up with those
requirements.
The move within the tech stack has been to become more utility-based, service-oriented, and
objectified. The capability to get signals on how everything is operating, and its status within that
universe of tech, has become a lot easier. And with the technology now being able to integrate
across platforms and operate at the service level -- versus at the component level – it provides a
view that would have been very hard to synthesize just a few years ago.
What we’re seeing is a big shot in the arm to the power of what a typical risk resilience
compliance team can be exposed to. They can manage their responsibilities at a much greater
level.
Before they would have had to develop business continuity strategies and plans to know what to
do in the event of a fault or a disruption. And when those things come out, the three-ring
binders, the war room gets assembled and people start to figure out what to do. They start
running the playbook.
The problem with that is that while they’re running the playbook, the fault has occurred, the
destruction has happened, and the clock is ticking for all those impacts. The second-order
consequences of the problem are starting to amass with respect to value destruction, brand
reputational destruction, as well as whatever customer impacts there might be.
But now, because of technology and moving toward Internet of things (IoT) thinking across
assets, people, facilities, and third-party services, technology can self-declare their state. That
data can be synthesized to say, “Okay, I can start to pick up a signal that’s telling me that a fault
is inbound.” Or something looks like it’s falling out of the control thresholds that they have.
That tech now gives me the capability to
get out in front of something. That would be
almost unheard-of years ago. The nexus of
tech, need, and complexity are all hitting
right now. That means we’re moving and
pivoting to a new type of solution rising out
of the field.
Gardner: You know, many times we’ve seen such trends happen first in finance and then
percolate out to the rest of the economy. What’s happened recently with banking supervision,
regulations, and principles of operational resilience?
Financial sector leads the way
Yon: There are similar forms of pressure coming from all regulatory-intense industries. Finance
is a key one, but there’s also power, utilities, oil, and gas. The trend is happening primarily first
in regulatory-intensive industries.
Culbert: A couple years ago, the Bank of England and the Prudential Regulation Authority
(PRA) put out a consultation paper that was probably most prescriptive out of the UK. We have
the equivalent over here in the US around expectations for operational resiliency. And that just
made its way into policy or law. For the most part, on a principles basis, we all share a common
philosophy in terms of what’s prudent.
A lot of the major institutions, the ones we deal with, have looked at those major tenets in these
policies and have said they will be practiced. And there are four fundamental areas that the
institutions must focus on.
One is, can it declare and describe its critical business services? Does it have threshold
parameters logic assigned to those services so that it knows how far it can go before it sustains
damage across several different categories? Are the assets that support those services known
and mapped? Are they in a place where we can point to them and point to the health of them? If
there’s an incident, can they collaborate around the sustaining of those assets?
As I said earlier, those assets generally fall
into small categories: people, facilities, third
parties, and technology. And, finally, do you
have the tools in place to keep those
services within those tolerance parameters
and have other alerting systems to let you
know which of the assets may well be failing
you, if the services are at risk?
That’s a lay-person, high-level description of the Bank of England policy on operational risks for
today’s Financial Management Information Systems (FMIS). Thematically most of the
institutions are focusing on those four areas, along with having credible and actionable testing
schemes to simulate disruptions on the inbound side.
In the US, Dodd-Frank mandated that institutions declare which of those services could disrupt
critical operations and, if those operations were disrupted, could they in turn disrupt the general
economy. The operational resilience rules and regulations fall back on that. So, now that you
know what they are, can you risk-rate them based on the priorities of the bank and its
counterparties? Can you manage them correctly? That’s the letter-of-the-law-type regulation
here. In Japan, it’s more credential-based regulation like the Bank of England. It all falls into
those common categories.
Gardner: Now that we understand the stakes and imperatives, we also know that the speed of
business has only increased. So has the speed of expectations for end consumers. The need to
cut time to discovery of the problems and to find root causes also must be as fast as possible.
How should banks and other financial institutions get out in front of this? How do we help
organizations move faster to their adoption, transform digitally, and be more resilient to head off
problems fast?
Preventative focus increases solution speed
Yon: Once there’s clarity around the shift in the goals, knowing it’s not good enough to just be
able to know what to do in the event of a fault or a potential disruption, the expectation becomes
the proof to regulatory bodies and to your clients that they should trust you. You must prove that
you can withstand and absorb that potential disruption without impact to anybody else
downstream. Once people get their head around the nature of the expectation-shifting to being
a lot more preventative versus reactive, the speeds and feeds by which they’re managing those
things become a lot easier to deal with.
Back when I was running the technology at a super-regional bank, you’d get the phone call at 3
a.m. that a critical business service was down. You’d have the tech phone call that people are
trying to figure out what happened because they started to notice at the help desk that a number
of clients and customers were complaining. The clock had been ticking before 3 a.m. when I got
the call. And so, by now, by that time, those clients are upset.
Yet we were spending our time trying to figure out what happened and where. What’s the
overall impact? Are there other second-order impacts because of the nature of the issue? Are
other services disrupted as well? Again, it gets back to the complexity factor. There are
interrelationships between the various components that make up any service. Those services
are shared because that’s how it is. People lean on those things -- and that’s the risk you take.
Before, the lack of speed literally killed because you had to figure a lot of those things out while
the clock was ticking and the impact was going on. But now, you’re allowing yourself time to
figure things out. That’s what we call a decision-support system. You want to alert ahead of time
to ensure that you understand the true blast area of what the potential destruction is going to be.
Secondly, can I spin up the right level of communications so that everybody who could be
affected knows about it? And thirdly, can I now get the right people on the call -- versus hunting
and pecking to determine who has a problem on the fly at 3 a.m.?
The nature of having speed is when you deal
with an issue by buying time for firms to deal
with the thing intelligently versus in a shotgun
approach and without truly understanding the
nature of the impact until the next day.
Gardner: Sean, it sounds like operation resiliency is something that never stops. It’s an ongoing
process. That’s what buys you the time because you’re always trying to anticipate. Is that the
right way to look at it?
Culbert: It absolutely is the way to look at it. A time objective may be specific to the type of
service, and obviously it’s going to be different from a consumer bank to a broker-dealer. You
will have a time objective attached to a service, but is that a critical service that, if disrupted,
could further disrupt critical operations that could then disrupt the real economy? That’s come
into focus in the last 10 years. It has forced people to think through: If you were a broker-dealer
and you couldn’t meet your hedge fund positions, or if you were a consumer bank and
you couldn’t get folks their paychecks, does that put people in financial peril?
These involve very different processes and have very different outcomes. But each has a
tolerance of filling in the blank time. So now it’s just more of a matter of being accountable for
those times. There are two things: There’s the customer expectation that you won’t reach those
tolerances and be able to meet the time objective to meet the customers’ needs.
And the second is that technology has made it more manageable as the domino or contagion
effect of one service tipping over another one. So now it’s not just, “Is your service ready to go
within its objective of half an hour?” It’s about the knock-on effect to other services as well.
So, it’s become a lot more correlated, and it’s become regional. Something that might be a
critical service in one business, might not be in another -- or in one region, might not be in
another. So, it’s become more of a multidimensional management problem in terms of
categorically specific time objectives against specific geographies, and against the specific
regulations that overhang the whole thing.
Gardner: Steve, you mentioned earlier about taking the call at 3 a.m. It seems to me that we
have a different way of looking at this now -- not just taking the call but making the call. What’s
the difference between taking the call and making the call? How does that help us prepare for
better operation resiliency?
Make the call, so you don’t have to take the call
Yon: It’s a fun way of looking at a day in the life of your chief resiliency officer or chief risk officer
(CRO) and how it could go when something bad happens. So, you could take the call from the
CEO or someone from the board as they wonder why something is failing. What are you going
to do about it?
You’re caught on your heels trying to figure out
what was going on, versus making the call to the
CEO or the board member to let them know, “Hey,
these were the potential disruptions that the firm
was facing today. And this is how we weathered
through it without incident and without damaging
service operations or suffering service operations
that would have been unacceptable.”
We like to think of it as not only trying to prevent the impact to the clients but also from the
possibility of a systemic problem. It could potentially increase the lifespan of a CRO by showing
they can be responsible for the firm’s up-time, versus just answer questions post-disruption. It
provides a little bit of levity but it’s also a truth that there are more than just the consequences to
the clients, but also to those people responsible for that function within the firm.
Gardner: Many leading-edge organizations have been doing digital transformation for some
time. We’re certainly in the thick of digital transformation now after the COVID requirements of
doing everything digitally rather than in person.
But when it comes to finance and the services that we’re describing -- the interconnections in
the interdependencies -- there are cyber resiliency requirements that cut across organizational
boundaries. Having a moat around your organization, for example, is no longer enough.
What is it about the way that ServiceNow and EY are coming together that helps make
operational resiliency an ongoing process possible?
Digital transformation opens access to assets
Yon: There are two components. You need to ask yourself, “What needs to be true for the
outcome that we’re talking about to be valid?” From a supply-side, what needs to be true is, “Do
I have good signal and telemetry across all the components and assets of resources that would
pose a threat or a cause for a threat to happen from a down service?”
With the move to digital transformation, more assets and resources that compose any
organization are now able to be accessed. That means the state of any particular asset, in
terms of its preferential operating model, is going to be known. I need to have that data and
that’s what digital transformation provides.
Secondly, I need a platform that has wide integration capabilities and that has workflow at its
core. Can I perform business logic and conditional synthesis to interpret the signals that are
coming from all these different systems?
That’s what’s great about ServiceNow -- there hasn’t been anything that it hasn’t been able to
integrate with. Then it comes down to, “Okay, do I understand the nature of what it is I’m truly
looking for as a business service and how it’s constructed?” Once I do that, I’m able to capture
that control, if you will, determine its threshold, see that there’s a trigger, and then drive the
workflows to get something done.
For a hypothetical example, we’ve had an event so that we’re losing the trading floor in city A,
therefore I know that I need to bring city B and its employees online and to make them active so
I can get that up and running. ServiceNow can drive that all automatically, within the Now
Platform itself, or drive a human to provide the approvals or notifications to drive the workflows
as part of your business continuity plan (BCP) going forward. You will know what to do by being
able to detect and interpret the signals, and then based on that, act on it.
That’s what ServiceNow brings to make the solution complete. I need to know what that service
construction is and what it means within the firm itself. And that’s where EY comes to the table,
and I’ll ask Sean to talk about that.
Culbert: ServiceNow brings to the table what we need to scale and integrate in a logical and
straightforward way. Without having workflows that are cross-silo and cross-product at scale --
and with solid integration of capabilities – this just won’t happen.
When we start talking about the signals from everywhere against all the services -- it’s a sprawl.
From an implementation perspective, it feels like it’s not implementable.
The regulatory burden requires focus on what’s most important, and why it’s most important to
the market, the balance sheet, and the customers. And that’s not for the 300 services, but for
the one or two dozen services that are important. Knowing that gives us a big step forward by
being able to scope out the ServiceNow implementation.
And from there, we can determine what dimensions
associated with that service we should be capturing
on a real-time basis. To progress from remediation
to detection on to prevention, we must be judicious
of what signals we’re tracking. We must be correct.
We have the requirement and obligation to declare and describe what is critical using a scalable
and integrable technology, which is ServiceNow. That’s the big step forward.
Yon: The Now platform also helps us to be fast. If you look under the hood of most firms, you’ll
find ServiceNow is already there. You’ll see that there’s already been work done in the risk
management area. They already know the concepts and what it means to deal with policies and
controls, as well as the triggers and simulations. They have IT and other assets under
management, and they know what a configuration management database (CMDB) is.
These are all accelerants that not only provide scale to get something done but provide speed
because so many of these assets and service components are already identified. Then it’s just a
matter of associating them correctly and calibrating it to what’s really important so you don’t end
up with a science fair integration project.
Gardner: What I’m still struggling to thread together is how the EY ServiceNow alliance
operational resiliency solution becomes proactive as an early warning system. Explain to me
how you’re able to implement this solution in such a way that you’re going to get those signals
before the crisis reaches a crescendo.
Tracking and recognizing a potential fault
Yon: Let’s first talk about EY and how it comes with an understanding from the industry of what
good looks like with respect to what a critical business service needs to be. We’re able to hone
down to talking about payments or trading. This maps the deconstruction of that service, which
we also bring as an accelerant.
We know what it looks like -- all the different resources, assets, and procedures that make that
critical service active. Then, within ServiceNow, it manages and exposes those assets. We can
associate those things in the tool relatively quickly. We can identify the signal that we’re looking
to calibrate on.
Then, based on what ServiceNow knows how to do, I can put a control parameter on this
service or component within the threshold. It then gives me an indication whether something
might be approaching a fault condition. We basically look at all the different governance, risk
management, and compliance (GRC) leading indicators and put telemetry around those things
when, for example, it looks like my trading volume is starting to drop off.
Long before it drops to zero, is there something
going on elsewhere? It delivers up all the signals
about the possible dimensions that can indicate
something is not operating per its normal expected
behavior. That data is then captured, synthesized,
and displayed either within ServiceNow or it is
automated to start running its own tests to
determine what’s valid.
But at the very least, the people responsible are alerted that something looks amiss. It’s not
operating within the control thresholds already set up within ServiceNow against those assets.
This gives people time to then say, “Okay, am I looking at a potential problem here? Or am I just
looking at a blip and it’s nothing to worry about?”
Gardner: It sounds like there’s an ongoing learning process and a data-gathering process. Are
we building a constant mode of learning and automation of workflows? Do we get a whole
greater than the sum of the parts after a while?
Culbert: The answer is yes and yes. There’s learning and there’s automation. We bring to the
table some highly effective regulatory risk models. There’s a five-pillar model that we’ve used
where market and regulatory intelligence feeds risk management, surveillance, analysis, and
ultimately policy enforcement.
And how the five pillars work together within ServiceNow -- it works together within the business
processes within the organization. That’s where we get that intelligence feeding, risk feeding,
surveillance analysis, and enforcement. That workflow is the differentiator, to allow rapid
understanding of whether it’s an immediate risk or concentrating risk.
And obviously, no one is going to be 100 percent perfect, but having context and perspective on
the origin of the risk helps determine whether it’s a new risk -- something that’s going to create a
lot of volatility – or whether it’s something the institution has faced before.
We rationalize that risk -- and, more importantly, rationalize the lack of a risk – to know at the
onset if it’s a false positive. It’s an essential market and regulatory intelligence mechanism. Are
they feeding us only the stuff that’s really important?
Our risk models tell us that. That risk model usually takes on a couple of different flavors. One
flavor is similar to a FICO score. So, have you seen the risk? Have you seen it before? It is
characterizable by the words coming from it and its management in the past.
And then some models are more akin to a bar calculator. What kind of volatility is this risk going
to bring to the bank? Is it somebody that’s recreationally trying to get into the bank, or is it a
state actor?
Once the false-positive gets escalated and disposed of -- if it’s, in fact, a false positive – are we
able to plug it into something robust enough to surveil for where that risk is headed? That’s the
only way to get out in front of it.
The next phase of the analysis says, “Okay, who should we talk to about this? How do we
communicate that this is bigger than a red box, much bigger than a red box, a real crisis-type
risk? What form does that communication take? Is it a full-blown crisis management
communication? Is it a standing management communication or protocol?”
And then ultimately, this goes to ServiceNow,
so we take that affected function and very
quickly understand the health or the
resiliency of other impacted functions. We
use our own proprietary model. It’s a military
model used for nuclear power plants, and it
helps to shift from primary states to
alternative states, as well as to contingency
and emergency states.
At the end, the person who oversees policy enforcement must gain the tools to understand
where they should be fixing the primary state issue or moving on from it. They must know to
step aside or shift into an emergency state.
From our perspective, it is constant learning. But there are fundamental pillars that these events
flow through that deliver the problem to the right person and give that person options for
minimizing the risk.
Gardner: Steve, do we have any examples or use cases that illustrate how alerting the right
people with the right skills at the right time is an essential part of resuming critical business
services or heading off the damage?
Rule out retirement risks
Yon: Without naming names, we have a client within Europe, the Middle East and Africa
(EMEA) we can look at. One of the things the pandemic brought to light is the need to know our
posture to continuing to operate the way we want. Getting back to integration and integrability,
where are we going to get a lot of that information for personnel from? Workday, their human
resources (HR) system of record, of course.
Now, they had a critical business service owner who was going to be retiring. That sounds
great. That’s wonderful to hear. But one of the valid things for this critical business service to be
considered operating in its normal state is to check for an owner. Who will cut through the
issues and process and lead going forward?
If there isn’t an owner identified for the service, I would be considered at risk for this service. It
may not be capable of maintaining its continuity. So, here’s a simple use case where someone
could be looking at a trigger from Workday that asks if this leadership person is still in the role
and active.
Is there a control around identifying if they are going to become inactive within x number of
months’ time? If so, get on that because the regulators will look at these processes potentially
being out of control.
There’s a simple use case that has nothing to do with technology but shows the integrability of
ServiceNow into another system of record. It turns ServiceNow into a decision-support platform
that drives the right actions and orchestrates timely actions -- not only to detect a disruption
but anything else considered valid as a future risk. Such alerts give the time to get it taken
care of before a fault happens.
Gardner: The EY ServiceNow alliance operational resilience solution is under the covers but it’s
powering leaders’ ability to be out in front of problems. How does the solution enable various
levels of leadership personas, even though they might not even know it’s this solution they’re
reacting to?
Leadership roles evolve
Culbert: That’s a great question. For the last six to seven years, we’ve all heard about the shift
from the second to the first line of primary ownership in the private sector. I’ve heard many
occasions for our first line business manager saying, “You know, if it is my job, first I need to
know what the scope of my responsibilities are and the tools to do my job.” And that persona of
the frontline manager having good data, that’s not a false positive. It’s not eating at his or her
ability to make money. It’s providing them with options of where to go to minimize the issue.
The personas are clearly evolving. It was difficult for risk managers to move solidly into the first
line without these types of tools. And there were interim management levels, too. Someone who
sat between the first and the second line -- level 1.5 or line 1.5. And it’s clearly pushing into the
first line. How do they know their own scope as relates to the risk to the services?
Now there’s a tool that these personas can use to be not only responsible for risk but
responsive as well. And that’s a big thing in terms of the solution design. With ServiceNow over
the last several years, if the base data is correctly managed, then being able to reconfigure the
data and recalibrate the threshold logic to accommodate a certain persona is not a coding
exercise. It’s a no-code step forward to say, “Okay, this is now the new role and scope, and that
role and scope will be enabled in this way.” And this power is going to direct the latest signals
and options.
But it’s all about the definition of a service. Do we all agree end-to-end what it is, and the
definition of the persona? Do we all understand who’s accountable and who’s responsible? Those
two things are coming together with a new set of tools that are right and correct.
Yon: Just to go back to the call at 3 a.m., that was a tech call. But typically, what happens is
there’s also going to be the business call. So, one of the issues we’re also solving with
ServiceNow is in one system we manage the nature of information irrespective of what your
persona is. You have a view of risk that can be tailored to what it is that you care about. And all
the data is congruent back and forth.
It becomes a lot more efficient and accurate for firms to manage the nature of understanding on
what things are when it’s not just the tech community talking. The business community wants to
know what’s happening – and what’s next? And then someone can translate in between. This is
a real-time way for all those personas to become aligned around the nature of the issue with
respect to their perspective.
Gardner: I really look forward to the next in our series of discussions around operational
resilience because we’re going to learn more about the May announcement of this solution.
But as we close out today’s discussion, let’s look to the future. We mentioned earlier that almost
any highly regulated industry will be facing similar requirements. Where does this go next?
It seems to me that the more things like machine learning (ML) and artificial intelligence (AI)
analyze the many sources of data, they will make it even more powerful. What should we look
for in terms of even more powerful implementations?
AI to add power to the equation
Culbert: When you set up the framework correctly, you can apply AI to the thinning out of false
positives and for tagging certain events as credible risk events or not credible risk events. AI
can also be used to direct these signals to the right decision makers. But instead of taking the
human analyst out of the equation, AI is going to help us. You can’t do it without that framework.
Yon: When you enable these different sets of data coming in for AI, you start to say, “Okay,
what do I want the picture to look like in my ability to simulate these things?” It all goes up,
especially using ServiceNow.
But back to the comment on complexity and the fact that suppliers don’t just supply one client,
they connect to many. As this starts to take hold in the regulated industries -- and it becomes
more of an expectation for a supplier to be able to operate this way and provide these signals,
integration points, telemetry, and transparency that people expect -- anybody else trying to lever
into this is going to get the lift and the benefit from suppliers who realize that the nature of
playing in this game just went up. Those benefits become available to a much broader
landscape of industries and for those suppliers.
Gardner: When we put two and two together, we come up with a greater sum. We’re going to
be able to deal rapidly with the known knowns, as well as be better prepared for the unknown
unknowns. So that’s an important characteristic for a much brighter future -- even if we hit
another unfortunate series of risk-filled years such as we’ve just suffered.
I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect
discussion on the need for businesses to build up their operational resilience.
And we’ve learned how those responsible for business processes in the financial sector
specifically are successfully leading the charge to avoid and mitigate the impact and damage
from myriad business threats. These new imperatives to achieve operational resilience are sure to
spread soon in the global economy.
So please join me in thanking our guests, Steve Yon, Executive Director of the EY ServiceNow
Practice. Thank you so much, Steve.
Yon: Thank you.
Gardner: And we’ve also been with Sean Culbert, Financial Services Principal at EY. Thank
you so much.
Culbert: Thanks, Dana.
Gardner: And a big thank you as well to our audience for joining this BriefingsDirect operational
resilience innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions,
your host throughout this series of ServiceNow- and EY-sponsored BriefingsDirect interviews.
Thanks again for listening. Please pass this along to your business community, and do come
back next time.
Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.

TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
Flow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First FrameFlow Control | Block Size | ST Min | First Frame
Flow Control | Block Size | ST Min | First Frame
 
LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0LF Energy Webinar - Unveiling OpenEEMeter 4.0
LF Energy Webinar - Unveiling OpenEEMeter 4.0
 
The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)The New Cloud World Order Is FinOps (Slideshow)
The New Cloud World Order Is FinOps (Slideshow)
 
SheDev 2024
SheDev 2024SheDev 2024
SheDev 2024
 
UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4UiPath Studio Web workshop series - Day 4
UiPath Studio Web workshop series - Day 4
 
Planetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile BrochurePlanetek Italia Srl - Corporate Profile Brochure
Planetek Italia Srl - Corporate Profile Brochure
 
The Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and InsightThe Zero-ETL Approach: Enhancing Data Agility and Insight
The Zero-ETL Approach: Enhancing Data Agility and Insight
 
2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf2024.03.12 Cost drivers of cultivated meat production.pdf
2024.03.12 Cost drivers of cultivated meat production.pdf
 
IT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced ComputingIT Service Management (ITSM) Best Practices for Advanced Computing
IT Service Management (ITSM) Best Practices for Advanced Computing
 
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through TokenizationStobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
Stobox 4: Revolutionizing Investment in Real-World Assets Through Tokenization
 

How Financial Firms Blaze a Trail To New, More Predictive Operational Resilience Capabilities

A transcript of a discussion on new ways that businesses in the financial sector are avoiding and mitigating the damage from today’s myriad business threats.
Listen to the podcast. Find it on iTunes. Download the transcript. Sponsor: ServiceNow and EY.
Dana Gardner: Hi, this is Dana Gardner, Principal Analyst at Interarbor Solutions and you’re listening to BriefingsDirect.
The last few years have certainly highlighted the need for businesses of all kinds to build up their operational resilience. With a rising tide of pandemic waves, high-level cybersecurity incidents, frequent technology failures, and a host of natural disasters -- there’s been plenty to protect against.
As businesses become more digital and dependent upon end-to-end ecosystems of connected services, the responsibility for protecting critical business processes has clearly shifted. It’s no longer just a task for IT and security managers but has become top-of-mind for line-of-business owners, too.
Stay with us now as we explore new ways that those responsible for business processes specifically in the financial sector are successfully leading the path to avoiding and mitigating the impact and damage from these myriad threats.
To learn more about the latest in rapidly beefing-up operational resilience by bellwether finance companies, please join me in welcoming Steve Yon, Executive Director of the EY ServiceNow Practice. Welcome, Steve.
Steve Yon: Thanks, I’m happy to be here.
Gardner: We’re also here with Sean Culbert, Financial Services Principal at EY. Good to have you with us, Sean.
Sean Culbert: Good afternoon, Dana.
Gardner: Sean, how have the risks modern digital businesses face changed over the past decade? Why are financial firms at the vanguard of identifying and heading off these pervasive risks?
Culbert: The category of financial firms forms a broad scope of types.
The risks for a consumer bank, for example, are going to be different than the risks for an investment bank or from a broker-dealer. But they all have some common threads. Those include the expectation to be always-on, at the edge, and able to get to your data in a reliable and secure way.
There’s also the need for integration across the ecosystem. Unlike product sets before, such as in retail brokerage or insurance, customers expect to be brought together in one cohesive services view. That includes more integration points and more application types. This all needs to be on the edge and always-on, even as it includes, increasingly, reliance on third-party providers. They need to walk in step with the financial institutions in a way that they can ensure reliability. In certain cases, there’s a learning curve involved, and we’re still coming up that curve.
It remains a shifting set of expectations to the edge. It’s different by category, but the themes of integrated product lines -- and being able to move across those product lines and integrate with third-parties – has certainly created complexity.
Gardner: Steve, when you’re a bank or a financial institution that finds itself in the headlines for bad things, that is immediately damaging for your reputation and your brands. How are banks and other financial organizations trying to be rapid in their response in order to keep out of the headlines?
In interconnected, system-wide security, we trust
Yon: It’s not just about having the wrong headline on the front cover of American Banker. As Sean said, the taxonomy of all these services is becoming interrelated. The suppliers tend to leverage the same services. Products and services tend to cross different firms. The complexity of the financial institution space right now is high. If something starts to falter -- because everything is interconnected -- it could have a systemic effect, which is what we saw several years ago that brought about Dodd-Frank regulations.
So having a good understanding of how to measure and get telemetry on that complex makeup is important, especially in financial institutions. It’s about trust. You need to have confidence in where your money is and how things are going.
There’s a certain expectation that must happen. You must deal with that despite mounting complexity. The notion of resiliency is critical to a brand promise -- or customers are going to leave. One, you should contain your own issues. But the Fed is going to worry about it if it becomes broad because of the nature of how these firms are tied together.
It’s increasingly important -- not only from a brand perspective of maintaining trust and confidence with your clients -- but also from a systemic nature; of what it could do to the economy if you don’t have good reads on what’s going on with support of your critical business services.
Gardner: Sean, the words operational resilience come with a regulatory overtone. But how do you define it?
Scaling the operational resilience pyramid
Culbert: We begin with the notion of a service. Resilience is measured, monitored, and managed around the availability, scalability, reliability, and security of that service. Understanding what the service is from an end-to-end perspective, how it enters and exits the institution, is the center to our universe.
Around that we have inbound threats to operational resilience. From the threat side, you want the capability to withstand a robust set of inbound threats. And for us, one of the important things that has changed in the last 10 years is the sophistication and complexity of the threats. And the prevalence of them, quite frankly.
If you look at the four major threat categories we work with -- weather, cyber, geopolitical, and pandemics -- pick any one of those and there has been a significant change in those categories. We have COVID, we have proliferation of very sophisticated cyberattacks that weren’t around 10 years ago, often due to leaks from government institutions. Geopolitically, we’re all aware of tensions, and weather events have become more prevalent. It’s a wide scope of inbound threats.
And on the outbound side, businesses need the capability to not only report on those things, but to make decisions about how to prevent them. There’s a hierarchy in operational resilience. Can you remediate it? Can you fix it? Then, once it’s been detected, how can you minimize the damage? At the top of the pyramid, can you prevent it before it hits?
So, there’s been a broad scope of threats against a broader scope of service assets that need to be managed with remediation. That was the heritage, but now it’s more about detection and prevention.
Gardner: And to be proactive and preventative, operational resilience must be inclusive across the organization. It’s not just one group of people in a back office somewhere. The responsibility has shifted to more people -- and with a different level of ownership.
What’s changed over the past decade in terms of who’s responsible and how you foster a culture of operational resiliency?
Bearing the responsibility for services
Culbert: The anchor point is the service. And services are processes: It’s technology, facilities, third parties, and people. The hard-working people in each one of those silos all have their own view of the world -- but the services are owned by the business. What we’ve seen in recognition of that is that the responsibility for sustaining those services falls with the first line of business [the line of business interacting with consumers and vendors at the transaction level].
Yon: There are a couple of ways to look at it. One, as Sean was talking about, the lines of defense and the evolution of risk has been divvied up. The responsibilities have had line-of-sight ownership over certain sets of accountabilities. But you also have triangulation from others needing to inspect and audit those things as well.
The time is right for the new type of solution that we’re talking about now. One, because the nature of the world has gotten more complex. Two, the technology has caught up with those requirements. The move within the tech stack has been to become more utility-based, service-oriented, and objectified. The capability to get signals on how everything is operating, and its status within that universe of tech, has become a lot easier. And with the technology now being able to integrate across platforms and operate at the service level -- versus at the component level – it provides a view that would have been very hard to synthesize just a few years ago.
What we’re seeing is a big shot in the arm to the power of what a typical risk resilience compliance team can be exposed to. They can manage their responsibilities at a much greater level. Before they would have had to develop business continuity strategies and plans to know what to do in the event of a fault or a disruption. And when those things come out, the three-ring binders, the war room gets assembled and people start to figure out what to do. They start running the playbook.
The problem with that is that while they’re running the playbook, the fault has occurred, the destruction has happened, and the clock is ticking for all those impacts. The second-order consequences of the problem are starting to amass with respect to value destruction, brand reputational destruction, as well as whatever customer impacts there might be.
But now, because of technology and moving toward Internet of things (IoT) thinking across assets, people, facilities, and third-party services, technology can self-declare their state. That data can be synthesized to say, “Okay, I can start to pick up a signal that’s telling me that a fault is inbound.” Or something looks like it’s falling out of the control thresholds that they have.
That tech now gives me the capability to get out in front of something. That would be almost unheard-of years ago. The nexus of tech, need, and complexity are all hitting right now. That means we’re moving and pivoting to a new type of solution rising out of the field.
Gardner: You know, many times we’ve seen such trends happen first in finance and then percolate out to the rest of the economy. What’s happened recently with banking supervision, regulations, and principles of operational resilience?
Financial sector leads the way
Yon: There are similar forms of pressure coming from all regulatory-intense industries. Finance is a key one, but there’s also power, utilities, oil, and gas. The trend is happening primarily first in regulatory-intensive industries.
Culbert: A couple years ago, the Bank of England and the Prudential Regulation Authority (PRA) put out a consultation paper that was probably most prescriptive out of the UK. We have the equivalent over here in the US around expectations for operational resiliency. And that just made its way into policy or law. For the most part, on a principles basis, we all share a common philosophy in terms of what’s prudent.
A lot of the major institutions, the ones we deal with, have looked at those major tenets in these policies and have said they will be practiced. And there are four fundamental areas that the institutions must focus on.
One is, can it declare and describe its critical business services? Does it have threshold parameters logic assigned to those services so that it knows how far it can go before it sustains damage across several different categories? Are the assets that support those services known and mapped? Are they in a place where we can point to them and point to the health of them? If there’s an incident, can they collaborate around the sustaining of those assets?
As I said earlier, those assets generally fall into small categories: people, facilities, third parties, and technology. And, finally, do you have the tools in place to keep those services within those tolerance parameters and have other alerting systems to let you know which of the assets may well be failing you, if the services are at risk.
That’s a lay-person, high-level description of the Bank of England policy on operational risks for today’s Financial Management Information Systems (FMIS). Thematically most of the institutions are focusing on those four areas, along with having credible and actionable testing schemes to simulate disruptions on the inbound side.
In the US, Dodd-Frank mandated that institutions declare which of those services could disrupt critical operations and, if those operations were disrupted, could they in turn disrupt the general economy.
The operational resilience rules and regulations fall back on that. So, now that you know what they are, can you risk-rate them based on the priorities of the bank and its counterparties? Can you manage them correctly? That’s the letter-of-the-law-type regulation here. In Japan, it’s more credential-based regulation like the Bank of England. It all falls into those common categories.
Gardner: Now that we understand the stakes and imperatives, we also know that the speed of business has only increased. So has the speed of expectations for end consumers. The need to cut time to discovery of the problems and to find root causes also must be as fast as possible. How should banks and other financial institutions get out in front of this? How do we help organizations move faster to their adoption, transform digitally, and be more resilient to head off problems fast?
Preventative focus increases solution speed
Yon: Once there’s clarity around the shift in the goals, knowing it’s not good enough to just be able to know what to do in the event of a fault or a potential disruption, the expectation becomes
the proof to regulatory bodies and to your clients that they should trust you. You must prove that you can withstand and absorb that potential disruption without impact to anybody else downstream. Once people get their head around the nature of the expectation-shifting to being a lot more preventative versus reactive, the speeds and feeds by which they’re managing those things become a lot easier to deal with.
Back when I was running the technology at a super-regional bank, you’d get the phone call at 3 a.m. that a critical business service was down. You’d have the tech phone call that people are trying to figure out what happened because they started to notice at the help desk that a number of clients and customers were complaining. The clock had been ticking before 3 a.m. when I got the call. And so, by now, by that time, those clients are upset. Yet we were spending our time trying to figure out what happened and where. What’s the overall impact? Are there other second-order impacts because of the nature of the issue? Are other services disrupted as well?
Again, it gets back to the complexity factor. There are interrelationships between the various components that make up any service. Those services are shared because that’s how it is. People lean on those things -- and that’s the risk you take.
Before, the lack of speed literally killed because you had to figure a lot of those things out while the clock was ticking and the impact was going on. But now, you’re allowing yourself time to figure things out. That’s what we call a decision-support system. You want to alert ahead of time to ensure that you understand the true blast area of what the potential destruction is going to be. Secondly, can I spin up the right level of communications so that everybody who could be affected knows about it? And thirdly, can I now get the right people on the call -- versus hunting and pecking to determine who has a problem on the fly at 3 a.m.?
The nature of having speed is when you deal with an issue by buying time for firms to deal with the thing intelligently versus in a shotgun approach and without truly understanding the nature of the impact until the next day.
Gardner: Sean, it sounds like operation resiliency is something that never stops. It’s an ongoing process. That’s what buys you the time because you’re always trying to anticipate. Is that the right way to look at it?
Culbert: It absolutely is the way to look at it. A time objective may be specific to the type of service, and obviously it’s going to be different from a consumer bank to a broker-dealer. You will have a time objective attached to a service, but is that a critical service that, if disrupted, could further disrupt critical operations that could then disrupt the real economy? That’s come into focus in the last 10 years. It has forced people to think through: If you were a broker-dealer and you couldn’t meet your hedge fund positions, or if you were a consumer bank and you couldn’t get folks their paychecks, does that put people in financial peril?
These involve very different processes and have very different outcomes. But each has a tolerance of filling in the blank time. So now it’s just more of a matter of being accountable for those times. There are two things: There’s the customer expectation that you won’t reach those tolerances and be able to meet the time objective to meet the customers’ needs. And the second is that technology has made it more manageable as the domino or contagion effect of one service tipping over another one. So now it’s not just, “Is your service ready to go within its objective of half an hour?” It’s about the knock-on effect to other services as well.
So, it’s become a lot more correlated, and it’s become regional. Something that might be a critical service in one business, might not be in another -- or in one region, might not be in another. So, it’s become more of a multidimensional management problem in terms of categorically specific time objectives against specific geographies, and against the specific regulations that overhang the whole thing.
Gardner: Steve, you mentioned earlier about taking the call at 3 a.m. It seems to me that we have a different way of looking at this now -- not just taking the call but making the call. What’s the difference between taking the call and making the call? How does that help us prepare for better operation resiliency?
Make the call, so you don’t have to take the call
Yon: It’s a fun way of looking at a day in the life of your chief resiliency officer or chief risk officer (CRO) and how it could go when something bad happens. So, you could take the call from the CEO or someone from the board as they wonder why something is failing. What are you going to do about it?
You’re caught on your heels trying to figure out what was going on, versus making the call to the CEO or the board member to let them know, “Hey, these were the potential disruptions that the firm was facing today. And this is how we weathered through it without incident and without damaging service operations or suffering service operations that would have been unacceptable.”
We like to think of it as not only trying to prevent the impact to the clients but also from the possibility of a systemic problem. It could potentially increase the lifespan of a CRO by showing they can be responsible for the firm’s up-time, versus just answer questions post-disruption. It provides a little bit of levity but it’s also a truth that there are more than just the consequences to the clients, but also to those people responsible for that function within the firm.
Gardner: Many leading-edge organizations have been doing digital transformation for some time. We’re certainly in the thick of digital transformation now after the COVID requirements of doing everything digitally rather than in person. But when it comes to finance and the services that we’re describing -- the interconnections in the interdependencies -- there are cyber resiliency requirements that cut across organizational boundaries. Having a moat around your organization, for example, is no longer enough. What is it about the way that ServiceNow and EY are coming together that helps make operational resiliency an ongoing process possible?
Digital transformation opens access to assets
Yon: There are two components. You need to ask yourself, “What needs to be true for the outcome that we’re talking about to be valid?” From a supply-side, what needs to be true is, “Do I have good signal and telemetry across all the components and assets of resources that would pose a threat or a cause for a threat to happen from a down service?”
With the move to digital transformation, more assets and resources that compose any organization are now able to be accessed. That means the state of any particular asset, in terms of its preferential operating model, is going to be known. I need to have that data and that’s what digital transformation provides.
Secondly, I need a platform that has wide integration capabilities and that has workflow at its core. Can I perform business logic and conditional synthesis to interpret the signals that are coming from all these different systems? That’s what’s great about ServiceNow -- there hasn’t been anything that it hasn’t been able to integrate with. Then it comes down to, “Okay, do I understand the nature of what it is I’m truly looking for as a business service and how it’s constructed?” Once I do that, I’m able to capture that control, if you will, determine its threshold, see that there’s a trigger, and then drive the workflows to get something done.
For a hypothetical example, we’ve had an event so that we’re losing the trading floor in city A, therefore I know that I need to bring city B and its employees online and to make them active so I can get that up and running. ServiceNow can drive that all automatically, within the Now Platform itself, or drive a human to provide the approvals or notifications to drive the workflows as part of your business continuity plan (BCP) going forward. You will know what to do by being able to detect and interpret the signals, and then based on that, act on it.
That’s what ServiceNow brings to make the solution complete. I need to know what that service construction is and what it means within the firm itself. And that’s where EY comes to the table, and I’ll ask Sean to talk about that.
Culbert: ServiceNow brings to the table what we need to scale and integrate in a logical and straightforward way.
Without having workflows that are cross-silo and cross-product at scale -- and with solid integration of capabilities – this just won’t happen. When we start talking about the signals from everywhere against all the services -- it’s a sprawl. From an implementation perspective, it feels like it’s not implementable.
The regulatory burden requires focus on what’s most important, and why it’s most important to the market, the balance sheet, and the customers. And that’s not for the 300 services, but for the one or two dozen services that are important. Knowing that gives us a big step forward by being able to scope out the ServiceNow implementation. And from there, we can determine what dimensions associated with that service we should be capturing on a real-time basis.
To progress from remediation to detection on to prevention, we must be judicious of what signals we’re tracking. We must be correct. We have the requirement and obligation to declare and describe what is critical using a scalable and integrable technology, which is ServiceNow. That’s the big step forward.
Yon: The Now platform also helps us to be fast. If you look under the hood of most firms, you’ll find ServiceNow is already there. You’ll see that there’s already been work done in the risk management area. They already know the concepts and what it means to deal with policies and controls, as well as the triggers and simulations. They have IT and other assets under management, and they know what a configuration management database (CMDB) is.
These are all accelerants that not only provide scale to get something done but provide speed because so many of these assets and service components are already identified. Then it’s just a matter of associating them correctly and calibrating it to what’s really important so you don’t end up with a science fair integration project.
Gardner: What I’m still struggling to thread together is how the EY ServiceNow alliance operational resiliency solution becomes proactive as an early warning system. Explain to me how you’re able to implement this solution in such a way that you’re going to get those signals before the crisis reaches a crescendo.
Tracking and recognizing a potential fault
Yon: Let’s first talk about EY and how it comes with an understanding from the industry of what good looks like with respect to what a critical business service needs to be. We’re able to hone down to talking about payments or trading. This maps the deconstruction of that service, which we also bring as an accelerant. We know what it looks like -- all the different resources, assets, and procedures that make that critical service active.
Then, within ServiceNow, it manages and exposes those assets. We can associate those things in the tool relatively quickly. We can identify the signal that we’re looking to calibrate on. Then, based on what ServiceNow knows how to do, I can put a control parameter on this service or component within the threshold. It then gives me an indication whether something might be approaching a fault condition.
We basically look at all the different governance, risk management, and compliance (GRC) leading indicators and put telemetry around those things when, for example, it looks like my trading volume is starting to drop off. Long before it drops to zero, is there something going on elsewhere? It delivers up all the signals about the possible dimensions that can indicate something is not operating per its normal expected behavior.
That data is then captured, synthesized, and displayed either within ServiceNow or it is automated to start running its own tests to determine what’s valid. But at the very least, the people responsible are alerted that something looks amiss. It’s not operating within the control thresholds already set up within ServiceNow against those assets. This gives people time to then say, “Okay, am I looking at a potential problem here? Or am I just looking at a blip and it’s nothing to worry about?”
Gardner: It sounds like there’s an ongoing learning process and a data-gathering process. Are we building a constant mode of learning and automation of workflows? Do we get a whole greater than the sum of the parts after a while?
Culbert: The answer is yes and yes. There’s learning and there’s automation. We bring to the table some highly effective regulatory risk models. There’s a five-pillar model that we’ve used where market and regulatory intelligence feeds risk management, surveillance, analysis, and ultimately policy enforcement.
And how the five pillars work together within ServiceNow -- it works together within the business processes within the organization. That’s where we get that intelligence feeding, risk feeding, surveillance analysis, and enforcement. That workflow is the differentiator, to allow rapid understanding of whether it’s an immediate risk or concentrating risk.

And obviously, no one is going to be 100 percent perfect, but having context and perspective on the origin of the risk helps determine whether it’s a new risk -- something that’s going to create a lot of volatility – or whether it’s something the institution has faced before.

We rationalize that risk -- and, more importantly, rationalize the lack of a risk – to know at the onset if it’s a false positive. It’s an essential market and regulatory intelligence mechanism. Are they feeding us only the stuff that’s really important?

Our risk models tell us that. That risk model usually takes on a couple of different flavors. One flavor is similar to a FICO score. So, have you seen the risk? Have you seen it before? It is characterizable by the words coming from it and its management in the past.

And then some models are more akin to a bar calculator. What kind of volatility is this risk going to bring to the bank? Is it somebody that’s recreationally trying to get into the bank, or is it a state actor?

Once the false-positive gets escalated and disposed of -- if it’s, in fact, a false positive – are we able to plug it into something robust enough to surveil for where that risk is headed? That’s the only way to get out in front of it.

The next phase of the analysis says, “Okay, who should we talk to about this? How do we communicate that this is bigger than a red box, much bigger than a red box, a real crisis-type risk? What form does that communication take? Is it a full-blown crisis management communication?
Is it a standing management communication or protocol?”

And then ultimately, this goes to ServiceNow, so we take that affected function and very quickly understand the health or the resiliency of other impacted functions.

We use our own proprietary model. It’s a military model used for nuclear power plants, and it helps to shift from primary states to alternative states, as well as to contingency and emergency states.

At the end, the person who oversees policy enforcement must gain the tools to understand where they should be fixing the primary state issue or moving on from it. They must know to step aside or shift into an emergency state.

From our perspective, it is constant learning. But there are fundamental pillars that these events flow through that deliver the problem to the right person and give that person options for minimizing the risk.

Gardner: Steve, do we have any examples or use cases that illustrate how alerting the right people with the right skills at the right time is an essential part of resuming critical business services or heading off the damage?
Rule out retirement risks

Yon: Without naming names, we have a client within Europe, the Middle East and Africa (EMEA) we can look at. One of the things the pandemic brought to light is the need to know our posture to continuing to operate the way we want. Getting back to integration and integrability, where are we going to get a lot of that information for personnel from? Workday, their human resources (HR) system of record, of course.

Now, they had a critical business service owner who was going to be retiring. That sounds great. That’s wonderful to hear. But one of the valid things for this critical business service to be considered operating in its normal state is to check for an owner. Who will cut through the issues and process and lead going forward?

If there isn’t an owner identified for the service, I would be considered at risk for this service. It may not be capable of maintaining its continuity. So, here’s a simple use case where someone could be looking at a trigger from Workday that asks if this leadership person is still in the role and active.

Is there a control around identifying if they are going to become inactive within x number of months’ time? If so, get on that because the regulators will look at these processes potentially being out of control.

There’s a simple use case that has nothing to do with technology but shows the integrability of ServiceNow into another system of record. It turns ServiceNow into a decision-support platform that drives the right actions and orchestrates timely actions -- not only to detect a disruption but anything else considered valid as a future risk. Such alerts give the time to get it taken care of before a fault happens.

Gardner: The EY ServiceNow alliance operational resilience solution is under the covers but it’s powering leaders’ ability to be out in front of problems.
How does the solution enable various levels of leadership personas, even though they might not even know it’s this solution they’re reacting to?

Leadership roles evolve

Culbert: That’s a great question. For the last six to seven years, we’ve all heard about the shift from the second to the first line of primary ownership in the private sector. I’ve heard many occasions for our first line business manager saying, “You know, if it is my job, first I need to know what the scope of my responsibilities are and the tools to do my job.” And that persona of the frontline manager having good data, that’s not a false positive. It’s not eating at his or her ability to make money. It’s providing them with options of where to go to minimize the issue.

The personas are clearly evolving. It was difficult for risk managers to move solidly into the first line without these types of tools. And there were interim management levels, too. Someone who sat between the first and the second line -- level 1.5 or line 1.5. And it’s clearly pushing into the first line. How do they know their own scope as relates to the risk to the services?
Now there’s a tool that these personas can use to not only be responsible for risk but responsive as well. And that’s a big thing in terms of the solution design. With ServiceNow over the last several years, if the base data is correctly managed, then being able to reconfigure the data and recalibrate the threshold logic to accommodate a certain persona is not a coding exercise. It’s a no-code step forward to say, “Okay, this is now the new role and scope, and that role and scope will be enabled in this way.” And this power is going to direct the latest signals and options.

But it’s all about the definition of a service. Do we all agree end-to-end what it is, and the definition of the persona? Do we all understand who’s accountable and who’s responsible? Those two things are coming together with a new set of tools that are right and correct.

Yon: Just to go back to the call at 3 a.m., that was a tech call. But typically, what happens is there’s also going to be the business call. So, one of the issues we’re also solving with ServiceNow is in one system we manage the nature of information irrespective of what your persona is. You have a view of risk that can be tailored to what it is that you care about. And all the data is congruent back and forth.

It becomes a lot more efficient and accurate for firms to manage the nature of understanding on what things are when it’s not just the tech community talking. The business community wants to know what’s happening – and what’s next? And then someone can translate in between. This is a real-time way for all those personas to become aligned around the nature of the issue with respect to their perspective.

Gardner: I really look forward to the next in our series of discussions around operational resilience because we’re going to learn more about the May announcement of this solution. But as we close out today’s discussion, let’s look to the future.
We mentioned earlier that almost any highly regulated industry will be facing similar requirements. Where does this go next?

It seems to me that the more things like machine learning (ML) and artificial intelligence (AI) analyze the many sources of data, they will make it even more powerful. What should we look for in terms of even more powerful implementations?

AI to add power to the equation

Culbert: When you set up the framework correctly, you can apply AI to the thinning out of false positives and for tagging certain events as credible risk events or not credible risk events. AI can also be used to direct these signals to the right decision makers. But instead of taking the human analyst out of the equation, AI is going to help us. You can’t do it without that framework.

Yon: When you enable these different sets of data coming in for AI, you start to say, “Okay, what do I want the picture to look like in my ability to simulate these things?” It all goes up, especially using ServiceNow.

But back to the comment on complexity and the fact that suppliers don’t just supply one client, they connect to many. As this starts to take hold in the regulated industries -- and it becomes
more of an expectation for a supplier to be able to operate this way and provide these signals, integration points, telemetry, and transparency that people expect -- anybody else trying to lever into this is going to get the lift and the benefit from suppliers who realize that the nature of playing in this game just went up. Those benefits become available to a much broader landscape of industries and for those suppliers.

Gardner: When we put two and two together, we come up with a greater sum. We’re going to be able to deal rapidly with the known knowns, as well as be better prepared for the unknown unknowns. So that’s an important characteristic for a much brighter future -- even if we hit another unfortunate series of risk-filled years such as we’ve just suffered.

I’m afraid we’ll have to leave it there. You’ve been listening to a sponsored BriefingsDirect discussion on the need for businesses to build up their operational resilience. And we’ve learned how those responsible for business processes in the financial sector specifically are successfully leading the charge to avoid and mitigate the impact and damage from myriad business threats.

These new imperatives to achieve operational resilience are sure to spread soon in the global economy. So please join me in thanking our guests, Steve Yon, Executive Director of the EY ServiceNow Practice. Thank you so much, Steve.

Yon: Thank you.

Gardner: And we’ve also been with Sean Culbert, Financial Services Principal at EY. Thank you so much.

Culbert: Thanks, Dana.

Gardner: And a big thank you as well to our audience for joining this BriefingsDirect operational resilience innovation discussion. I’m Dana Gardner, Principal Analyst at Interarbor Solutions, your host throughout this series of ServiceNow- and EY-sponsored BriefingsDirect interviews.

Thanks again for listening. Please pass this along to your business community, and do come back next time.
Copyright Interarbor Solutions, LLC, 2005-2021. All rights reserved.