Operational resilience for financial institutions

March 2020  |  FEATURE  |  BANKING & FINANCE

Financier Worldwide Magazine

March 2020 Issue

In the decade or so since the global financial crisis, the way that banks and other financial institutions (FIs) think about risk has evolved significantly. In the UK, due to the work of the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England (BoE), ‘operational resilience’ has become a key issue.

Operational resilience allows FIs to provide business services in the face of adverse operational events by anticipating, preventing, recovering from and adapting to setbacks. It goes beyond simply trying to prevent cyber attacks, data breaches and system, process and third-party service failures (though these are important challenges) and demands FIs zoom out and adopt a more holistic, outcome-focused approach to preparing themselves to resist disruptions.

In July 2018, the BoE, PRA and FCA released a joint discussion paper, ‘Building the UK financial sector’s operational resilience’. The paper highlighted the most important factor in the development of operational resilience for FIs: the evolving expectations of regulators. Today, FIs are expected to be able to demonstrate both financial and operational resilience, regardless of the threats they face. Customers expect the same and demand that FIs provide services around the clock. Failure to meet these expectations can cause financial and reputational harm. FIs need to communicate with customers transparently when trying to resolve adverse events affecting the organisation. According to the FCA, the most common reported causes of disruption include cyber attack, change management and third-party failure. Similarly, according to a report from EY and the Institute of International Finance (IIF), cyber risks, third-party outages and prolonged IT outages are the top resilience concerns for bank risk functions.

In December 2019, the FCA, PRA and BoE published a consultation paper designed to set out their commitment to “facilitate greater resilience and adoption of the cloud and other new technologies” and to support proposals on operational resilience. The paper also underlines the PRA’s expectation that firms keep their most important business services within impact tolerances, even when they rely on outsourcing or third-party providers.

Regulators have made it clear that testing is essential to operational resilience and FIs must demonstrate that their procedures can meet impact tolerances.

The policy proposals would require FIs to: (i) identify their important business services which, if disrupted, could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system; (ii) set impact tolerances for each important business service, which quantify the maximum tolerable level of disruption they would tolerate; (iii) identify and document the people, processes, technology, facilities and information that support their important business services; and (iv) take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.

The consultation period closes on 3 April 2020, however full compliance with operational resilience rules is not expected to be tested until 2024.

“Operational resilience is a vital part of firms’ safety and soundness, and has become an important priority for the PRA,” said Sam Woods, chief executive of the PRA and deputy governor for prudential regulation, in a statement. “This consultation marks the next stage of integrating operational resilience into our regulatory framework. Alongside this, our proposals on outsourcing and the cloud will steer firms to be resilient in their adoption of new technologies.”

Prioritising operational resilience does offer FIs a number of competitive advantages, such as business continuity. It can also help to build brand reputation.

Successful implementation requires a coordinated effort to break free of process, technology infrastructure and organisational silos. FIs must also understand how the various aspects of their business, including technology, data, facilities and human relations, among others, influence their ability to provide services and create a system which continues to function despite an adverse operational event, such as a data breach.

Communication is also key. FIs must develop robust internal and external communications plans, particularly for responding to an adverse event. Social media is already playing a greater role in how FIs communicate with customers and in the event of a crisis they must have contingency plans to deal with negative reactions. FIs should provide consistent messaging across all media channels in the event of a crisis.

FIs are under mounting pressure from regulators and stakeholders to achieve operational resilience. To meet these demands, there must be strong leadership from the top. The board and the C-suite must establish the right culture to improve operational resilience to high-impact events and prove that the measures they have taken will prevent incidents from

impacting consumers, markets and the collective financial system.

As the pace of technological change accelerates and regulatory pressure builds, FIs must develop their operational resilience frameworks in response to emerging risks. They should also be prepared to test them. Regulators have made it clear that testing is essential to operational resilience and FIs must demonstrate that their procedures can meet impact tolerances.

© Financier Worldwide

BY

Richard Summerfield

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.