As events show, the phrase ‘expect the unexpected’ is good advice. Over the past few years, there have been many events which we could not easily predict, yet in hindsight seemed inevitable – from large scale cyber attacks, data outages and supplier process failures, to disrupted commutes, terror incidents and extreme natural disasters. While there is no link between these occurrences, they typically have one thing in common. They have all, to varying degrees, disrupted financial services firms’ ability to provide their customers with an expected level of service
The financial ecosystem is becoming more complex with greater outsourcing, more use of cloud computing and fintechs operating at more points within the value chain, all increasing the opportunities for disruption to services at the same time as enhanced expectations from customers and regulators alike Operational resilience is the response to this. The underlying assumption behind operational resilience is that events will occur and that the response needs to be planned and managed once the inevitable happens. It is no longer a question of ‘if’ but ‘when’. It differs from operational risk in assuming that events will happen and require a response rather than measuring control effectiveness and quantifying potential losses. It is more focused on the broad impact on customers and financial stability than continuity of business (CoB) and operational continuity in resolution (OCIR).
Operational resilience should not be seen as a one-off exercise but rather a consideration that should be embedded in how a firm operates, and in all decision-making. The analysis needs to be refreshed regularly and the response to potential events rehearsed on a frequent basis. It would also be wrong to assume that operational resilience revolves primarily around cyber threats; most service disruptions are caused by internal problems such as the issues around the TSB data migration in 2018 following its sale from Lloyds to Sabadell. The chart below shows the number of disruptions reported to the FCA in 2017 and 2018 by type.
While the responsibility for a firm’s resilience framework rests, under the UK Senior Managers and Certification Regime (SM&CR), with the SMF24 Chief Operations Function, the ultimate responsibility lies with boards and senior managers and they should be familiar with and sign off the approach as part of the annual self-certification process.
For most firms, many of the elements required to ensure operational resilience already exist to some degree. What has changed is that UK financial regulators have, following an extensive consultation exercise, defined the steps that they expect firms they regulate to undertake to ensure that their operations are resilient.
Both the UK FCA and PRA published final consultation papers on the topic in December 2019, stating that they expect to publish formal regulations mandating these steps in late 2020 for implementation over the following three years. While the principle of proportionality will apply, this is more evident in the sense of urgency expected and the impact tolerances placed on a firm’s business operations rather than omitting any element.
There are three distinct phases to operational resilience:
Preparing for the inevitable. This drives the bulk of the task and involves really understanding the underlying dynamics of key business processes, their vulnerabilities and then testing how they respond to simulated events. The step by step approach taken by the regulators breaks this down into a logical series of actions.
2. Managing the response.
The success or otherwise in responding to an event will be determined by the thoroughness of the steps taken beforehand around training, governance, communications and setting up the physical/informational arrangements to manage the response.
3. Learning lessons.
Processes and procedures need to be reviewed in light of events that have impacted the firm or other organizations to ensure that the approach to resilience is still sound and that the firm can stay within its impact tolerances.
PREPARING FOR THE INEVITABLE
Identification of important business services. The starting point is identifying the important business services which a firm delivers to its customers and, by extension in some circumstances, the marke. These are specific, viewed from a customer perspective and include items like making an annuity payment, making correspondent banking payments, providing account balances, selling or buying equities, customer authentication (that is the gateway to providing further services) and the suchlike. They are not internal systems such as
a general ledger, HR database or business lines such as mortgages or foreign exchange, nor are they internal systems such as the HR salary system.
Definition of impact tolerances. For each important business service, a measurable level of disruption should be defined within firms as the maximum that is tolerable to customers who use the service.
The Impact tolerances should be in terms of the impact on clients and also the broader market, if relevant. Impact tolerances should take into account relevant factors such as the number of customers effected and financial loss to them, duration of the disruption, data integrity, substitutability, time of day, impact on market stability etc
Mapping.
To be able to understand the potential points of disruption to a process it first needs to be mapped. Parameters such as timing should be added to the information flows between the components of the processes that deliver all a firm’s important business services. There is a careful balance to be drawn between going into too greater detail and capturing the points in a process that potentially could cause
Disruption. There is no need to include the mapping documentation into the annual self-certification.
Third-party service providers.
With the developments in the provision of financial services and how financial companies are structured leading to increased use of suppliers in key processes, FMIs, fintechs, cloud computing, there is a growing recognition that resilience extends beyond the traditional boundaries of a firm. There is also
Will Packard, Managing Principal, James Arnett, Partner Owen Jelf, Partner - CAPCO
See What’s Next in Tech With the Fast Forward Newsletter
Tweets From @varindiamag
Nothing to see here - yet
When they Tweet, their Tweets will show up here.