Operational resilience – The top compliance priority at the moment

Given the reliance on complex and interwoven technology solutions in the financial services sector, the risk of serious disruption has increased dramatically in recent years. It is perhaps unsurprising, then, that the top compliance priority for the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) at the moment is operational resilience.

And where there is regulatory scrutiny, it will be no surprise that there follows a corresponding increase in the volume and complexity of rules with which financial services firms need to comply.

Preparation is vital

Operational resilience is all about preparing to withstand disruption to business. We have all seen the headlines that appear whenever there is a cyber-attack or systems outage that affects the financial services provided to consumers or wholesale markets.

In response to those incidents, the UK regulators have proposed new rules which are intended to build firms' resilience to future disruption. In days that are long gone, the focus was mainly on trying to prevent cyber-attacks, data breaches, and system, process and third-party service failures.

Nowadays, it is largely accepted that these types of events will happen, a view endorsed by the October 2019 Treasury Committee's report on IT failures in the financial services sector.

If the focus is not on stopping the disruption, then where does it lie? The answer rests in the firm's handling of the disruption from the hours immediately after the crisis to its longer-term response once the crisis has passed. The FCA sums this up as:

  • Respond
  • Recover
  • Learn
Crisis management approach

The regulators' vision for building operational resilience may not sound like anything new, just part and parcel of the crisis planning that firms are used to. The problem is that, in many cases, the crisis management approach still focuses on the risks relating to individual systems, processes or events. Legal entities, divisions, business lines and desks are incentivised to look after only what is within "their" areas, and the potential impact of events on customers, suppliers, the wider market and other third parties is too often left to be determined at the point of crisis, rather than beforehand.

In the FCA's terms, firms often acknowledge the importance of strong cyber security but lack enough technical understanding of the risks at management and other levels. The regulator recommends that firms take "proactive steps to foster a security-centric culture which transforms cyber from an IT issue to an organisation-wide priority".

This vision for what operational resilience looks like really shakes things up for the sector. It requires financial services firms to take a more holistic, clearly-evidenced, outcomes-focused approach to making themselves ready to resist and respond to disruption to their operations. The way in which firms judge disruption needs to be set by reference to clear impact tolerances — being the point at which the disruption to each of their services to customers and the wider market becomes intolerable.

Further, there is a new focus on protecting continuity of services. This represents a cultural change for financial services firms. This shift is toward protecting the continuity of the services that firms deliver to customers and others (and which are known as "business services"). This means that firms are expected to think about "business service outages", not just "system outages"; to think about the "end-to-end business service", and not just the "end-to-end system or process or outsourced service".

For many organisations, this will require significant cultural change and the bringing together of previously siloed parts of the business to speak a common new language.

What compliance obligations are heading firms' way?

The first point to note is that the FCA and PRA are half-way through a consultation period. Having published draft rules in December 2019, the regulators are gathering feedback from the sector before publishing final rules. These are expected in the second half of this year, following which there will be a period within which to get prepared. Given the institution-wide impact of these measures, firms need to be preparing for this now.

The regulatory proposals set financial services firms a long to-do list to work through. First, those rules require firms to think about everything they provide to clients, and from that list identify what are the important business services based on the risk of harm that disruption could cause.

Firms then need to articulate all the different elements that enable them to deliver those services to clients. That covers operations across the board, so not just IT, and includes where the firm relies on a third-party service provider.

Once the mapping exercise is completed, firms need to set for themselves what they think an acceptable level of disruption would be for each important business service and ultimately stay within that tolerance level. This is known as impact tolerance and could be set by different criteria such as the length of time that a service is unavailable. In practice this could be how long an ATM or an app may be out of action, or the number of customers affected by a delay in annuity payments or an outage of telephone banking.

Setting and testing impact tolerance

In fact, the way the rules have been drafted means the firm needs to ensure it starts to remain within its impact tolerance no later than three years after the rules become effective. This makes it important for firms to get operational resilience right in that implementation phase.

Implementation measures are likely to start with a gap analysis comparing existing arrangements and any work already in progress against the new expected standards for operational resilience. Firms will need to think carefully about what "good" looks like. Given the interconnectedness of the market, this is an area that would benefit from industry-wide cooperation and agreement.

Taking responsibility for operational resilience will be another area of regulator focus. In line with the FCA's regime of senior manager responsibility, it will be very concerned to know who takes responsibility for operational resilience planning and risk management, and what the governance framework that permeates the organisation looks like.

The importance of getting this right is therefore paramount in a landscape where a disruption is deemed inevitable and where the firm's systems and controls may, in hindsight, be viewed in an unflattering light.

Michael Kent is a partner and Victoria Hickman is a senior professional support lawyer in the Financial Regulation group at Linklaters

This article (Subscription only) was originally published by Thomson Reuters Regulatory Intelligence”