Beyond Regulation: The Growing Need for the Financial Services Sector to Embed Operational Resilience

  • Alex Hammond, Partner at Airwalk Reply

  • 16.11.2022 12:30 pm

Earlier this year, the FCA began enforcing new rules and guidance relating to operational resilience for firms, financial market infrastructures and the overall financial sector. The FCA defines operational resilience as the ability to respond to, recover and learn from operational disruption and it’s easy to understand why this is a priority. In today’s hyper-dynamic and ultra-connected environment, operational disruption in one organisation can have wide-ranging implications for the wider economy.

Look no further than the recent ‘mini-budget’ that sent the value of the pound tumbling and nearly brought the financial market to its knees. Or consider the recent impacts of the pandemic, a constant barrage of cyber-attacks and natural disasters. These issues have shown us that operational disruption is not an anomaly; it’s a guarantee.

It’s fair to say that the financial crash of 2008 highlighted the contagion risk that the financial services sector has overall. The key development since that time has been the increased importance of technology in banking channels. Online and mobile banking are now the predominant means of banking versus 10 years ago when this was much less widespread. As a result, the impact of technological failures and risks has increased significantly.

Becoming resilient clearly has strategic importance, yet too many firms still view operational resilience as a box-ticking exercise to meet the requirements of regulations like the Bank of England Supervisory Statement on Operational Resilience, and the HM Treasury’s Regulation on Third Parties. Currently, it is very much the external pressure of regulators, and firms’ willingness to satisfy them, that is driving the industry’s pursuit of operational resilience. 

It is seen as the purview of risk teams to manage and make it go away. But this view is myopic: operational resilience can be a significant strategic advantage for organisations and, frankly, it is the right thing to do, not just because a regulator is saying it’s sensible and enforcing it.

The reasoning for resilience

Ensuring the UK financial sector is operationally resilient is essential for consumers, firms, and financial markets. Operational disruptions and the unavailability of critical business services have the potential to cause wide-reaching harm to consumers and risk to market integrity, threatening the viability of firms and causing instability in the wider financial system.

Every organisation will, at some point, experience problems. Whether it is cybercrime or tech issues, operational failure is inevitable. As FS providers scale, innovate, evolve, and increase the number of people relying on their services, the likelihood that something goes wrong grows. The goal behind operational resilience is to identify these issues before they happen and embed contingencies to mitigate the impacts or allow the organisation to quickly recover.

Why is it broken?

The concern from the regulator has evolved somewhat, from financial resilience to operational resilience. The response to the former, Basel II regulation for example, has taken over a decade to fully bed into ways of working, and the same will be true for operational resilience. 

Clearly then, external pressure takes a long time to change the industry. The lack of internal buy-in for operational resilience is where the real problem lies. While they will make the necessary changes to satisfy regulators, financial service providers currently underappreciate the true business value and competitive advantage of being a resilient, responsive organisation.

The contagion effect

Because of the interdependence of FS organisations, which expands beyond banks and financial providers, if one goes down, the whole system collapses – known as the contagion effect. With every major bank now hosted on multiple cloud providers – usually including AWS, Microsoft Azure or Google Cloud Platform – there is a new third-party risk as all roads lead to the same places. However, it is not always obvious which systems these are. They could be SaaS offerings via a vendor, who then hosts on a cloud service provider. Without realising it, a whole network of FS providers may all be reliant upon the same ultimate supplier – only further illustrating the importance of operational resilience.

Moving the needle

No one knows when operational resilience will be needed most – but the longer banks wait to introduce resilience measures, the more difficult and expensive it will be to implement. With an exponential increase in the connections and complexity of digital services, introducing innovation will only get harder the longer they wait.

Banks must buy in to the strategic importance of operational resilience – in the same way that building digital services quickly is vital. Beyond regulation, it is valuable for banks to know what their key systems are, where their data is stored, how secure they are, how to stop their systems from breaking and how, if they do break, they can be fixed almost immediately.

Risk teams are traditionally focused on just that, risk, so they may look at technology apprehensively, but in most cases it is the solution to the problem. Modern technology, and particularly cloud, gives organisations the opportunity to move away from the traditional, manual, spreadsheet-based audit-response process to a real-time, automated, highly visible and integrated way of managing operational resilience, delivering in a way that significantly reduces risk and enables much easier action to be taken when things do, inevitably, go wrong.

We are seeing some organisations evolve, particularly with the management of their cloud estates, building automated control frameworks and platforms that provide unprecedented levels of visibility, control and security intervention, but there’s much more that can be done. The challenge is changing the mindset and embracing the strategic opportunity. If your systems fail and you have no way to recover them – and recover them quickly – you are not a resilient organisation, and the impact can be catastrophic. Promoting internal buy-in from firms for operational resilience and supporting this with a dedicated investment in the correct technology and systems can kickstart a push for operational resilience in the financial services industry.
