Rules Based Order or Common Sense? – An Operational Resilience Perspective


Given the total chaos we have seen in just the first two weeks of 2026 (Venezuela, pub taxation, tankers, pub taxation, Iran, pub taxation, Greenland, pub taxation, ICE, pub taxation and Storm Goretti), it would be very tempting to write my first missive of the year by jumping on the bandwagon and warbling on about handling a crisis. At Aldbury, after all, we believe we are pretty good at helping firms put their Crisis Management Teams in a strong position to do this.

I’m not going to jump on that bandwagon however. It’s too obvious and I’m sure there are other people writing about this even as I slave over my own keyboard.

I am, instead, going to do something far more boring and hopefully more immediately useful for you than discussing how to prevent NATO imploding. (I do admit that saving your local pub is a key issue, but that is out of my hands for the time being.) I thought it might be quite useful to highlight some of the areas we are seeing regulators comment on when they are reviewing Self-Assessment documents and firms’ overall Operational Resilience programmes.

The story is repeating itself in firm after firm. The comments fall into three main areas, they keep recurring and, interestingly, some of them are explicit in the rules while others are only implicit.

  1. Third Party Oversight

  2. Scenario testing

  3. Mapping

Taking each of these in turn:

1. Third Party Oversight

At the outset, the regulators were very clear that firms needed to understand their full supply chain. That meant understanding 4th and 5th party providers. This doesn’t mean just paying lip service to the subject; it means really getting down into the nuts and bolts of how your providers work and how, in turn, they understand their own service providers. You can see the rabbit hole you could disappear into here. In most cases, however, having a good understanding of how your providers understand their providers, and ensuring they in turn are asking the same questions of their providers and so on down the chain, should do the job. I do stress the “most cases” part of this. Sometimes, even if you have no direct contractual relationship with a 4th party provider, you need to go in and visit them yourselves. My experience is that this is rarely a problem.

Asking questions is not enough. We have seen self-attestation by providers who are providing critical parts of Important Business Services. This isn’t good enough. You need to be on site and test the answers to your questions face to face. This isn’t about not trusting people with whom you may have had a long and successful relationship, but more about the old due diligence mantra of “trust but verify”.

Ensuring your agreements with providers allow for this level of inspection is easier at the outset of a relationship, but it frequently needs to be addressed in relationships that already exist.

A whole book could be written about this (and has been, to be honest), but suffice it to say that this is a significant issue, with onboarding and ongoing monitoring processes not being up to scratch in many firms.

 

2. Scenario Testing

Taking your stress testing beyond the point at which Impact Tolerances are breached is uncomfortable but necessary. We have seen this explicitly mentioned as a gap by regulators when they have reviewed firms’ testing history, despite it not being directly stated in the rules.

You and all your stakeholders need to know how you are going to respond when it is all going to hell in a handcart and the brown smelly stuff has collided with the rotating air moving device.

This is surprisingly simple to do, but it does require overcoming the naysayers in your firm who say, “it couldn’t happen here because…”. In other words, you need to spend some time nailing down the scenarios and then put the Crisis Management Team under some real pressure.

In this world, “failing” a test is actually a success and you should welcome it. It’s an old line, but you always learn more from your failures than your successes. Embrace failure!

 

3. Mapping

This might sound mundane, but it forms the basis of regular negative commentary from the regulators.

Too many firms’ mapping doesn’t identify vulnerabilities, choke points and interconnections. We have seen simple lists of people, processes, technology, facilities and necessary information. This is what the rule book says you must have, but it doesn’t support the identification of vulnerabilities, which, in turn, supports the development of realistic and meaningful testing scenarios (also required by the rules but often missed).

At its most basic, we have seen this done on a spreadsheet. That’s a place to start, but it is most certainly not a place to finish. We have also seen the “breathe in, press button 1, breathe out” style of process mapping. Not wrong, but it doesn’t give you a high enough view of the process to see the vulnerabilities.

This is a constant, recurring theme in regulators’ visits where we have seen the reports and been asked to help.

 

So, back to the title of this piece: rules-based or common sense? You actually need to do both. You certainly can’t afford to ignore or miss out aspects of the rules, but at the same time you need to employ common sense. The regulators, rightly in my view, have not codified everything in their rules. This means that you need to work out what you are trying to achieve and then work out how to do it, to ensure the safety of your business and the continuity of the services you provide to your clients.

If this all sounds a bit heavy as we move on towards the middle of January, let Aldbury lighten the load for you. We understand what the regulators are trying to achieve, and we also make it our business to find out what your firm is trying to achieve as well. Putting this together allows us to use our many decades of collective experience to help you.

Contact us via enquiries@aldburyinternational.com or by phone 020 3475 2953.

© 2025 Aldbury International