Operational Resilience: no time to waste
Last week, the UK regulators published the much-awaited Consultation Papers on Operational Resilience. The PRA and FCA published CP29/19 and CP19/32 respectively, both titled Building Operational Resilience: impact tolerances for important business services. The Bank of England also issued three Consultation Papers focused on building the operational resilience of (i) central counterparties, (ii) payment system operators and specified service providers and (iii) central securities depositories. In this blog post, we set out why these papers are so welcome and what financial services firms should be doing to address any gaps in their Operational Resilience frameworks.
Trouble has been brewing
Financial services institutions are failing to protect customers from disruptions to vital services. Rising external threats, increasing internal vulnerabilities, and an ever-growing dependency on third parties have all led to a sharp rise in operational disruptions. Between October 2017 and September 2018, regulated firms in the UK reported a 187% increase in outages to the FCA.
As the role of technology in providing core financial products becomes ever more pivotal, it will come as no surprise that a large proportion of these disruptions were caused by IT failures: roughly 30% were due to external factors such as third party failures and cyber-attacks; perhaps more surprisingly, almost 50% were caused by internal failures such as poor change management or software / hardware failures (see figure 1[1]).
In October 2019, the Treasury Committee reported on its inquiry into the common causes of operational incidents in the financial services sector. It too found that the number of incidents, especially IT incidents, is increasing and concluded that “the current level and frequency of disruption and consumer harm is unacceptable”.
Regulators kick into action
In response to this growing threat, the Bank of England, PRA and FCA set out an initial approach to improving operational resilience across the industry in a joint Discussion Paper, published in July 2018. After gathering feedback on the paper itself as well as processing responses to a number of surveys, the regulators published the follow-on Consultation Papers (CP) on Thursday 5th December 2019.
The CPs propose clear standards for operational resilience whilst building on existing rules for managing operational risks and business continuity planning. Overall, this suite of documents reinforces the principles set out in the discussion paper. And while the PRA and FCA have proposed slightly different approaches to the supervision of operational resilience, their intended outcomes are very much aligned.
Supervising Operational Resilience
The consultation period closes on Friday 3rd of April 2020 and the proposed implementation date is the second half of 2021. Firms will be expected to demonstrate that they can recover from operational incidents within appropriate impact tolerances and do this no later than three years after the regulations come into effect.
The main supervisory tool is likely to be a self-assessment, a document expected to include:
- a list of the firm’s important business services
- the impact tolerances for these services
- the approach used to map important business services, including:
  - how the firm has identified the people, processes, technology, facilities and information underpinning each; and
  - how mapping has been used to identify vulnerabilities
- the strategy to be deployed to test the firm’s ability to recover and deliver services within impact tolerances
- a list of the vulnerabilities that threaten the firm’s ability to deliver important business services
- lessons learned from previous incidents
- the methodologies used to undertake the above activities
Key Principles of Operational Resilience
Given the high levels of engagement from the industry on this topic, it is unlikely that any policy will differ much from what the CPs are proposing. With this in mind, firms should assess the maturity of their current Operational Resilience frameworks and push forward with efforts to address any gaps. Six key activities are listed below:
- Have a strategy
In order to build and deliver resilient business services, firms need to be able to prevent disruptions from occurring; adapt systems and processes to continue to provide services in the event of an incident; promptly return to normal when the disruption is over; and learn and evolve from both incidents and near misses. Financial services providers must plan on the basis that disruptions will occur, which is a fundamental shift in approach away from traditional risk management practices.
- Identify important business services
These are the services that, if disrupted, would be most likely to cause intolerable levels of harm to organisations, consumers or the integrity of the wider market. The regulators do not propose to publish a standardised taxonomy as they want firms to be responsible for identifying their own important business services.
Each service should be clearly identifiable and separate from the firm’s business channels; for example the ability to withdraw cash at ATMs and check balances online are two separate services, whereas the provision of packaged bank accounts is a collection of services. Additionally, firms will need to identify the users of each service so that the impacts of disruption are clear.
- Map important services
In order to have a complete view of resilience, firms will need to identify and document the people, processes, technology, facilities and information necessary to deliver their important business services.
The regulators would like firms to develop their own mapping methodologies in a way that:
- is proportionate to their size, scale and complexity;
- identifies any vulnerabilities or weaknesses in the delivery of important business services (e.g. lack of substitutability, high complexity, single points of failure, concentration risk, dependencies on third parties or exposure to external incidents such as power failures);
- includes dependencies on third parties. Existing rules on managing the risk(s) associated with outsourcing and third-party service providers are extensive, but the essence is the same: regulated firms retain full accountability for the delivery of their regulated services, including any dependencies on third party service providers.
- Set impact tolerances
Firms are expected to set their own impact tolerances, an impact tolerance being the maximum tolerable level of disruption to an important business service. This is different from Risk Appetite (the amount of risk a firm is willing to take in pursuit of its strategic objectives) in that it assumes disruption to the supporting systems and processes will occur, and asks how much of it the service can absorb.
The CPs suggest firms should express impact tolerances using a combination of duration, volume and/or value metrics; for example, a disruption to an important business service may affect no more than a specified percentage of customers, for no longer than a specified period, before it is considered to cause intolerable harm to consumers. Whatever metrics are chosen, they need to be measurable from the firm's own incident and monitoring data, otherwise the tolerance cannot be tested.
Firms regulated by both the PRA and FCA will probably need to set two impact tolerances for each service: one focused on harm to consumers or market integrity (FCA) and one that considers the firm's safety and soundness or policyholder protection (PRA).
- Test scenarios
Firms will need to define scenarios that test their ability to remain within the impact tolerances for each of their important business services in the event of a severe but plausible disruption to operations. Testing should focus on the response and recovery activities firms would need to take to resume and continue to deliver the important services, rather than the activities to prevent the disruption from occurring in the first place.
The regulators have suggested that firms will need to define five different types of scenario of varying degrees of severity, including unavailability of third-party services, loss or reduced provision of technology, and corruption or deletion of critical data. Each scenario should be specific enough that the projected disruption can be measured against the impact tolerance in the same duration, volume and value terms the tolerance was set in.
- Define response plans
Fast and effective communications have an important role to play in mitigating damage during an operational disruption. Firms should implement a robust communications framework that enables them to communicate quickly and effectively with internal as well as external stakeholders (especially any impacted customers).
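The following is an added example, not code from the consultation papers or from the author, showing how the impact tolerance and scenario-testing steps above can be made concrete: an impact tolerance is expressed as limits on duration, volume and value, a severe-but-plausible scenario is described as one or more projected outage windows, and the scenario is evaluated against the tolerance. The service name, the tolerance figures and the three scenarios are constructed for illustration and are not taken from any regulator's guidance. Overlapping outage windows within one scenario (for instance a data-centre loss followed by a failed failover) are merged so that the duration is not double counted.

```python
"""Evaluate constructed disruption scenarios against an impact tolerance.

Added example; the service, figures and scenarios are assumptions for
illustration, not values from CP29/19 or CP19/32.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class ImpactTolerance:
    """Maximum tolerable disruption for one important business service,
    expressed in the duration / volume / value terms the CPs suggest."""
    service: str
    max_total_outage: timedelta   # duration: total time the service may be disrupted
    max_customer_share: float     # volume: fraction of the service's users, 0.0 to 1.0
    max_value_delayed: float      # value: transactions not processed, in currency units


@dataclass(frozen=True)
class Outage:
    """One projected outage window within a scenario."""
    start: datetime
    end: datetime
    customer_share: float
    value_delayed: float


@dataclass(frozen=True)
class Scenario:
    name: str
    service: str
    outages: List[Outage]


def merged_outage_duration(outages: List[Outage]) -> timedelta:
    """Total wall-clock time the service was disrupted, counting overlapping
    or nested outage windows once rather than summing them."""
    windows = sorted((o.start, o.end) for o in outages)
    total = timedelta(0)
    cur_start = cur_end = None
    for start, end in windows:
        if cur_end is None or start > cur_end:
            if cur_end is not None:
                total += cur_end - cur_start
            cur_start, cur_end = start, end
        else:
            cur_end = max(cur_end, end)  # extend the current merged window
    if cur_end is not None:
        total += cur_end - cur_start
    return total


def evaluate(scenario: Scenario, tolerance: ImpactTolerance) -> Dict[str, object]:
    """Compare a scenario's projected disruption with the tolerance on all
    three dimensions and report which, if any, are breached."""
    if scenario.service != tolerance.service:
        raise ValueError("scenario and tolerance refer to different services")
    duration = merged_outage_duration(scenario.outages)
    peak_share = max((o.customer_share for o in scenario.outages), default=0.0)
    value = sum(o.value_delayed for o in scenario.outages)
    breaches = []
    if duration > tolerance.max_total_outage:
        breaches.append("duration")
    if peak_share > tolerance.max_customer_share:
        breaches.append("volume")
    if value > tolerance.max_value_delayed:
        breaches.append("value")
    return {
        "scenario": scenario.name,
        "outage_seconds": duration.total_seconds(),
        "peak_customer_share": peak_share,
        "value_delayed": value,
        "breaches": breaches,
        "within_tolerance": not breaches,
    }


# Constructed tolerance for an assumed important business service.
ATM_TOLERANCE = ImpactTolerance("Withdraw cash at ATMs",
                                max_total_outage=timedelta(hours=3),
                                max_customer_share=0.20,
                                max_value_delayed=5_000_000.0)

D = datetime(2020, 1, 15)  # constructed date for the scenario timelines
SCENARIOS = [
    # Primary site lost, then the failover itself fails part-way through.
    Scenario("Loss of primary data centre", ATM_TOLERANCE.service, [
        Outage(D.replace(hour=10), D.replace(hour=12), 0.15, 1_500_000.0),
        Outage(D.replace(hour=11), D.replace(hour=14), 0.10, 2_000_000.0),
    ]),
    # Short but wide outage caused by an external dependency.
    Scenario("Third-party card scheme unavailable", ATM_TOLERANCE.service, [
        Outage(D.replace(hour=9), D.replace(hour=10, minute=30), 0.30, 1_000_000.0),
    ]),
    # Data corruption, restored from backup in two short windows.
    Scenario("Corruption of transaction log", ATM_TOLERANCE.service, [
        Outage(D.replace(hour=2), D.replace(hour=3), 0.05, 100_000.0),
        Outage(D.replace(hour=4), D.replace(hour=4, minute=30), 0.05, 50_000.0),
    ]),
]


def run_all() -> Dict[str, Dict[str, object]]:
    """Evaluate every constructed scenario against the ATM tolerance."""
    return {s.name: evaluate(s, ATM_TOLERANCE) for s in SCENARIOS}


if __name__ == "__main__":
    for name, result in run_all().items():
        status = "within tolerance" if result["within_tolerance"] else "BREACH: " + ", ".join(result["breaches"])
        print(f"{name}: {result['outage_seconds'] / 3600:.1f}h, "
              f"{result['peak_customer_share']:.0%} of customers, "
              f"value {result['value_delayed']:,.0f} -> {status}")
```

Run as a script it prints one line per scenario. In the constructed data the data-centre loss breaches only the duration limit (the two windows merge into four hours), the card-scheme outage breaches only the volume limit, and the data-corruption case stays within tolerance; the point for a firm is that each scenario fails in a different dimension, which is exactly why the CPs ask for more than one metric.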
Indicative Costs
Firms will incur costs to set up and maintain their operational resilience frameworks; key areas of investment will include people (training and awareness), enhancing internal processes and improving legacy technologies to ensure continuity and a timely recovery in the event of an incident occurring.
In line with the requirement for regulators to undertake a cost-benefit analysis of the proposed approach, both the FCA and PRA have provided some estimated costs for implementing any Operational Resilience policy. The size categories are likely to be broad, with each encompassing a range of firm sizes, so the exact costs will obviously differ. Nonetheless, these figures provide a useful baseline to estimate the costs for firms to become more operationally resilient:
Source: CP29/19 (PRA) and CP19/32 (FCA)
Firms have been asked to comment on these estimates when responding to the consultation papers.
A significant paradigm change
Over the last 10 years regulators have focused on improving the financial resilience of financial institutions. As a result, institutions now hold more capital and liquidity than ever before, a measure that has significantly reduced the risk of any individual bank threatening the stability of the wider financial system.
The focus over the next 10 years will be on developing an approach to operational resilience for the wider financial services industry that includes preventative measures, as well as the capability to adapt and recover when things go wrong. By recognising the exposure to technology related risks and by increasing focus on critical services and testing their processes, controls and documentation, firms can start to lay valuable foundations for a more resilient future.
The Consultation Papers have provided clarity on what the regulators expect, as well as timelines for implementing new policy. But firms need to take ownership of (and invest in) their own operational resilience agendas immediately. Operational disruptions are on the rise and increased supervisory scrutiny is a certainty, so firms must be prepared.
Please get in touch if you would like to discuss what this means for you and the steps you can take to make your organisation more operationally resilient.
[1] https://www.fca.org.uk/publication/research/technology-cyber-resilience-questionnaire-cross-sector-report.pdf