Operational resilience: Preparing for failure
Over that last 10 years, regulators have focused on improving the financial resilience of banks. As a result, banks now hold more capital, along with more liquidity, than ever before – a measure that has significantly reduced the risk of any individual bank threatening the stability of the wider financial system.
The discussion paper, jointly published in July by the FCA, the PRA and the Bank of England, on building the UK financial sector’s operational resilience marks an important shift in focus from financial resilience to operational resilience. While the paper’s primary purpose is to start a dialogue between the regulatory authorities and the industry, it does also provide early insight into how the regulators define ‘operational resilience’ and what they will come to expect of financial services institutions in the future.
With a growing reliance on technology, cloud solutions and outsourced IT services, it is becoming increasingly challenging for individual banks to protect customers from cyber-attacks and unplanned system outages. Reuters recently reported that five of the UK’s biggest banks suffered 64 incidents that cut customers off from telephone, mobile or online banking in the second quarter of 2018. Indeed, senior operational risk practitioners now rank IT disruption as the top threat to financial services firms.
Vital services on which real people depend are vulnerable if banks are unable to coordinate the business, risk functions and IT functions to deliver a holistic approach to risk management and recovery planning.
Isn’t there enough regulation in this space already?
You would be right to think that operational risk management has been in the regulatory headlights for a number of years now:
- Existing EU legislation already requires that banks manage and mitigate their non-financial risks (the risk of financial losses stemming from inadequate or failed processes, people and systems).
- The new and incoming Operational Continuity in Resolution (OCiR) policy will require banks to demonstrate that, in the event of severe financial stress or under resolution, their critical operations and infrastructure will be maintained.
However Operational Resilience goes beyond traditional operational risk and recovery capabilities; being ‘operationally resilient’ means that, in the event of any operational disruption (no matter how big or small), banks are able to continue to provide critical services to both the UK economy and to their clients.
This will require an important change in mindset: boards and senior management should assume that disruptions to systems and processes will occur and must therefore increase their focus on back-up plans and recovery options. The holding of capital against potential losses will help build operational resilience, but the ability to withstand financial loss is not sufficient to ensure continuity of business services – risk acceptance is no longer enough.
In effect, Operational Resilience is being able to prevent, respond to and recover from disruptions so that customers are not impacted.
Prevention means that firms must have a thorough understanding of their critical services, as well as the processes, systems and people that underpin them. In addition, they will need frameworks for managing operational risks in order to appropriately understand and control their risk environment.
Response means that firms can quickly identify the scale of the impact, and can communicate efficiently with those affected (especially customers) to manage expectations and restore confidence.
Recovery means that firms need to be able to recover from an incident. This requires viable, tested contingency plans for the resumption of critical functions within agreed tolerance levels.
Six actions to improve operational resilience
In the long-term, closing this gap will probably require technology teams to be much more embedded in the day-to-day running of the business – a fundamental shift from current operating models which often sees technology being managed separately from more traditional ‘business’ functions. In the short- to medium-term the following activities will help financial services firms to enhance the resilience of their most critical operations:
- Identify critical services – Identify and prioritise your most important business services (those that have a direct impact on customers and the wider economy); map the systems and processes that underpin these services and identify the accountable persons. This won’t be easy as it will require strong cross-functional collaboration.
- Establish risk management and control frameworks – Implement frameworks for managing operational risks that embed the practices and approaches to enable your organisation to be confident that your risk environment is properly understood and appropriately controlled.
- Set tolerance thresholds – Assess how the failure of an individual system or process could impact your business, your customers and the wider economy and set board-approved impact tolerances, which quantify the level of disruption that could be tolerated (time to recovery is a common metric used).
- Define coordinated response mechanisms – Define escalation paths and identify key decision makers. Implement effective internal and external communication plans which will provide timely information for customers, other market participants and the regulator.
- Define robust recovery plans – Define and test plans that enable the resumption of critical business services within threshold tolerances when disruptions occur.
- Use scenarios to test resilience – Define severe but plausible scenarios to test the level of resilience of individual business units or the whole firm.
Recent IT incidents have drawn attention to weaknesses in major organisations, their technologies, their systems and their people. Weaknesses that are all too vulnerable to constantly evolving IT and cyber threats. The regulators are not asking firms to ensure they never fail, but rather that in the event of failure (which should be assumed as a certainty), it is orderly and avoids significant disruption to customers and the wider economy.
Having witnessed recent major operational incidents unfold, firms will be awake to their own vulnerabilities caused by hugely complex operations. Whichever way the authorities decide to implement new regulation, the financial services sector should be developing an approach to operational risk management that includes preventative measures, as well as the capability to adapt and recover when things go wrong. By increasing focus on critical services and testing their processes, controls and documentation, firms can start laying valuable foundations for a more resilient future.