Operational Resilience Requirements Are Changing: It’s Time to Reinvent Your Solutions and Approach
- David Long, Chief of Staff, Head of Non-Financial Risk at Delta Capita
- 23.02.2021 04:00 pm COVID-19
The spotlight is shining on operational resilience
In 2020 global regulators ‘encouraged’ financial institutions to revisit and enhance their operational resilience strategies; the 2021 stance is expected to be more demanding.
Even prior to the pandemic, financial institutions found themselves increasingly susceptible to resiliency-related failures, often stemming from digitisation efforts being accelerated without adequate focus on preserving resiliency. The result: IT breakdowns, cyber-attacks and migration failures became ever more commonplace, demanding urgent intervention from regulators to limit the future impact of such events on institutions and customers alike.
The pandemic has only strengthened the case for revamping operational resilience requirements. Financial institutions were exposed to far more severe operational pressures, from the need for new control metrics to manage working-from-home arrangements and the increased use of digital and cloud services, to market volatility putting processes under strain.
A familiar yet unfamiliar landscape
Up to now, financial institutions have been required to implement mechanisms to adapt quickly to new market environments outside their control, and to demonstrate the resiliency of ‘internal’ critical business services through existing frameworks such as Business Continuity Planning, Disaster Recovery and Resolution Planning, and BCBS.
Going forward, operational resilience requirements will build on the above frameworks to emphasise market and consumer harm. The concept of acting to minimise end-consumer harm presents the biggest mindset shift in the regulatory focus surrounding operational resilience. It is no longer enough to focus solely on how a decision affects the company internally; its external implications for consumer and market harm must be embedded in the decision-making process.
In addition, critical business service definitions will now need to include dependence on third-party vendors, offshoring suppliers and IT partners, especially where they directly or indirectly impact clients.
The increased scrutiny of operational resilience is further underlined by a pair of consultation papers jointly published by the FCA and PRA: ‘Building Operational Resilience: Impact Tolerances for Important Business Services’ and ‘Outsourcing and 3rd Party Risk Management’.
Operational resilience – under the global microscope
In today’s world, the firms, services and processes that constitute financial institutions’ value chains are increasingly geographically diverse. As a result, regulators across the globe are paying more attention to the topic. The BCBS recently proposed a global approach to operational resilience in its consultation document Principles for Operational Resilience. The Fed has stressed that operational resilience sits high on its list of priorities and is expected to make moves in the coming year, and the EU is also expected to release a paper on the topic in 2021. In fact, at the European level the scope of operational resilience regulation is already being stretched to include digitisation, with the draft Digital Operational Resilience Act (DORA) published at the end of 2020.
How is the market reacting?
There are still questions surrounding operational resilience that firms need to tackle. The industry is still trying to find common answers to the ‘kick-off’ thematic questions below:
Where to start: understanding the existing overlaps
It is common to conflate operational resilience with other risk management frameworks. Overlaps do occur between the regulations set forth by the FCA and PRA and existing frameworks, across both preventative and reactive measures.
Delta Capita believe the extent to which firms can reuse existing risk management frameworks presents both questions and opportunities to springboard an organisation’s operational resilience strategy. There is no need to start from scratch: intelligently re-pointing existing frameworks, policies and controls through the consumer and market harm lens should give a good start. For example, business continuity plans can help identify and kick-start the mapping of the ‘revised’ critical business resources, and board risk and control attestations can be used as a starting point for operational resilience self-attestation as firms set and test impact tolerances.
Which rules to follow: the regulatory nuances across multiple jurisdictions
Rules regarding operational resilience have converged rapidly following the publication of the PRA consultation paper. In attempting to implement a sound operational resilience strategy, multinational firms struggle to understand which jurisdiction to comply with and which rules to follow.
Our view is that, whilst firms initially felt the global misalignment of operational resilience regulations was a problem that required fixing, this has now changed. Globally, legislation is broadly aligned and is becoming ever more so. However, at least in the short term there are likely to be overlaps and conflicts across regulators that will need to be managed as edge cases by financial institutions operating across multiple jurisdictions. It is vital for operational resilience teams to understand the nuances across the various rule sets in order to design the optimal approach to compliance.
What does impact tolerance mean, now?
Impact tolerances set out thresholds for the minimum acceptable disruption that an important business service can handle before serious impacts occur. However, more clarity is required on the setting of impact tolerances as set out in the FCA consultation paper, particularly with respect to proportionality and customer harm.
In our opinion, even as the guidelines around threshold setting are still evolving, firms should revisit their analysis to re-identify important business services and map the supporting resources which, if disrupted, could cause harm to consumers or market integrity. Firms also need to start designing testing approaches to demonstrate their ability to remain within impact tolerances, by identifying a range of severe but plausible disruption scenarios that could cause external harm.
How DC can help reinvent and redesign your Operational Resilience strategy and approach
Senior practitioner-led advisory services: Delta Capita’s operational resilience experts include industry veterans like David Long and Nick Wilcock, who have personally been accountable for prudential risk and all operational resilience initiatives at large Tier 1 investment banks. Our teams have developed a range of proprietary strategy accelerators, such as a self-assessment methodology, functional and operational impact assessment toolkits, programme governance and framework design checklists, and communication plans, that can help accelerate, shape and reinvent your operational resilience efforts. In addition, our teams work in close collaboration with various industry bodies and think tanks, and proactively support clients to ensure they remain well informed of every new development in the rules.
Implementation support: We have a team of highly skilled delivery specialists and consultants who can support all your implementation requirements, such as identification and mapping of critical and important business services and resources, assessing impact thresholds, designing scenario testing approaches, and programme management support.
DC technology assets: In keeping with our fintech DNA, Delta Capita also offer many technologies across the entire operational resilience value chain to set our clients up for success. We have a healthy and ever-growing portfolio of leading-edge technologies spanning impact assessment and operating model platforms, enterprise control platforms, tools to support third-party vendor risk management and IT resilience monitoring, and many cybersecurity and anti-fraud platforms.