If operational failures are an inevitable part of corporate live, shouldn’t the focus be on operational resilience and better management of such incidents?
Do we need to worry about operational resilience? Many financial services firms will argue that operational resilience isn’t an issue. “We’ve come through two years of pandemic and have coped well,” I’ve heard many CEOs cry.
Yes, that is one way of looking at it — but there are current and future, known and unknown risks that mean that the challenge of operational resilience isn’t to be underestimated.
The increased use of technology, fintech, payment systems, artificial intelligence, crypto-assets — the list goes on — can all add to the chances a firm could experience a business disruption. And the longer the list, the more likely that business experience disruption. For example, it is nearly a daily occurrence that we hear about some banking app going down and customers not able to access their money. Further, more technological solutions inevitably lead to an increased reliance on third parties and outsourced arrangements to provide the expertise to manage these applications.
Now, the history of financial services is littered with examples of firms not controlling these types of relationships effectively. Whether this be a move to the cloud or the supply chain, firms are relying on third parties more. At the heart of firm’s historical failure is the false assumption that firms can just let third parties “get on with the job they have been paid to do.” In today’s environment, firms need to realize that managing third parties is more akin to managing an internal process than it is to delegating responsibility.
A natural follow-on from the use of third parties is concentration risk. Regulators are worried about the small number of suppliers in certain markets which results in concentration risk. For example, regulators have been concerned with how the provision of cloud services has resulted in the follow-on effect of Big Tech having an influence in financial services — by the back door, so to speak.
So, there are risks — and what is the best thing to do with risks, apart from transferring them to someone else? Manage them. And that is what regulators are telling firms to do.
Risk & regulation
With increased risk comes increased regulation. Let’s not forget that regulators around the world were looking at operational resilience prior to the pandemic and since then regulators have been developing their own regulatory approaches.
For some years the Financial Stability Board (FSB) has made it a priority to look at financial resilience in high-risk parts of the financial services sector. This has included cyber and operational resilience in its work program including effective practices for cyber-incident response and recovery.
The Basel Committee too has issued principles for operational resilience. The European Union published a draft regulation on digital operational resilience for the EU financial sector that would introduce a harmonized framework on digital operational resilience in Europe. The International Organization of Securities Commissions (IOSCO) also updated its recommendations for outsourcing. And in, both the European Banking Authority and the European Securities and Markets Authority have guidelines for firms on outsourcing, especially on outsourcing to the cloud.
In the UK, regulators have issued policy statements on operational resilience. In the US, the Federal Reserve, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation have issued an interagency paper on Sound Practices to Strengthen Operational Resilience. In Australia, the Australian Prudential Regulation Authority has updated its guidance on prudential standards, business continuity management, and outsourcing and risk management; and the Australian Securities and Investments Commission has issued guidance on operational resilience of market intermediaries.
The Hong Kong Monetary Authority has issued principles for operational resilience, and the monetary authority of Singapore has guidance on operational resilience. In Ireland, the Central Bank published cross-industry guidance on operational resilience
Making firms operationally resilient
Among this stack of paperwork there seems to be some hope for actually making financial services firms operationally resilient. In the UK at the end of March, the deadline passed for firms to comply with part of the new policy statement; and since then, two speeches from the Prudential Regulation Authority (PRA) have given “positive” signs that firms are getting their acts together, albeit at a very early stage.
But more is needed. The PRA is asking firms to identify critical processes, place tolerances around these processes, and then identify scenarios through which operational resilience can be tested.
This approach requires firms to have a focus on the following areas (as outlined by the Basel Committee principles) governance; operational risk management; business continuity planning and testing; mapping interconnections and interdependencies; third-party dependency; incident management; and information and communications technology.
Clearly, firms need to take operational resilience seriously. To pay it only lip service will increase the likelihood of multiple risks crystallizing while not heeding the warnings that regulators are flagging.
If operational disruption is inevitable, then firms must make the likelihood of their operational resilience frameworks succeeding, inevitable as well. And this means firms leaders should keep a close adherence to the direction regulators are setting and a well-resourced focus on embedding the concept of operational resilience throughout their firms.