The operating environment for financial firms has changed significantly in recent years. IT outages and cyber attacks, some of them very high profile, together with an increasing reliance on third parties through outsourcing and offshoring arrangements, are transforming the risk environment and presenting significant risks of harm to customers and to the stability of markets. As a result, regulators are keen to promote the principles behind an effective resilience programme and the benefits it brings to firms, customers and markets.
In July 2018, the UK’s financial services regulators (The Bank of England, The Prudential Regulation Authority [PRA] and Financial Conduct Authority [FCA]) brought the concept of operational resilience into the limelight, with the publication of a joint discussion paper, Building the UK Financial Sector’s Operational Resilience. The comment period for the paper closed at the beginning of October 2018, and a response will likely be published in 2019.
Getting operational resilience right requires a change in perspective by management, boards, IT functions and control functions. For a long time, the focus has been on estimating the probability of an adverse event occurring and on ways to prevent it or minimise the damage. As part of this approach, most firms have developed business continuity and disaster recovery plans (including simulated testing). Resilience, which means planning the response for when a risk event does take place, has until now taken a back seat. In some cases, for example when a firm claimed to have "zero tolerance" for certain types of risk event, the need for a response was in danger of being ignored altogether.
Accordingly, firms must now focus on the resilience of the services that are critical to their customers and markets and the infrastructure that is critical to continue to provide those services.
With adverse events now a near certainty, the UK's financial services regulators want operational resilience to be something that boards and senior managers are directly engaged with and responsible for through their governance and assurance models. Senior managers are ultimately accountable for operational resilience under the Senior Managers and Certification Regime (SMCR), the UK's regime for the personal accountability of senior managers at financial institutions.
Six Key Actions Toward Building Operational Resilience
Below we offer six key actions firms should be taking to support and evolve their approach to operational resilience. These actions were discussed at a Protiviti event held in London in late November 2018, which brought together UK regulators, industry professionals and Protiviti subject-matter experts. The key actions are:
- Identify your critical services – Firms must identify which of the services they provide are critical to customers and other market participants, to the ongoing continuity of the firm itself, or to the financial system as a whole. These are the services that should be prioritised for resilience, and firms should set clear tolerances for disruption to them.
- Understand impact tolerance – Firms need to estimate through the use of scenarios the extent of disruption to a business service that could be tolerated. Scenarios should be severe but plausible, and assume that a failure of a system or process has occurred. Firms must then decide their tolerance for disruption – i.e., the point at which disruption becomes no longer tolerable. While using cyber events for such scenarios can focus attention, it is important to also use other events in scenario analysis – such as failure of change or IT implementation, or disruption at third parties, outsourced providers or offshore centres. Senior management and the board should then use this information to update policies and contractual agreements and drive investment decisions around improving business processes.
- Know your third parties – According to a recent FCA survey, third parties are the second biggest root cause of operational outages, after change management. Key business processes may depend on complicated supply chains, or be exposed to concentration risk from shared service providers such as cloud providers. Firms need to know their third parties well, remember that they remain responsible to regulators for the work these partners undertake, and incorporate the third parties into their resilience planning. Firms should also obtain assurance that the third-party controls that matter to the organisation are robust.
- Develop stakeholder communication plans – Having a robust communication strategy is an essential part of any resilience programme. How will the firm communicate with its regulators, third parties, counterparties and customers in the event of a disruption to a key business service? And how will it ensure staff are sufficiently informed so they can react appropriately to any disruption, including responding to customer queries? How quickly does information need to be provided and who needs to be involved in any decisions that are required? What templates should the firm have prepared in advance to make it easier and quicker to respond to customers? What strategy and policy govern the communicating of information and responding to comments on social media channels?
- Keep the programme flexible – The operational resilience programme must be able to evolve with the business as it changes. Firms should understand what external or internal factors could change over time and what trends could impact the key business services identified, and adjust their resilience plans accordingly.
- Deliver good reporting – For boards and senior management, risk metrics and reporting provide an important insight into the effectiveness of the operational resilience programme. Having good metrics and reporting helps the board and senior management make informed decisions concerning the required investment in operational resilience.
The good news is that many firms already have the tools and infrastructure to help them put an effective operational resilience programme in place. Firms can redeploy or extend existing tools within their operational risk management programmes, such as key risk indicators, risk and control self-assessments and scenario analysis, to manage their operational resilience programmes.
It is clear that for the UK’s financial services regulators, operational resilience will continue to be a focus going into 2019 and beyond. The six action items above should help firms get started with building their operational resilience tools, frameworks and reporting approaches.