Operational resilience can be defined as the ability of a firm, and the financial services sector as a whole, to identify and prepare for, respond and adapt to, and recover and learn from, an operational disruption. An operationally resilient firm is able to recover its critical or important business services from a significant unplanned disruption, while minimising impact and protecting its customers and the integrity of the financial system.
Challenges to resilience
The financial services sector has come through a year of pandemic and, by and large, firms have coped well. Challenges remain, however, meaning that operational resilience is not a one-off exercise:
- Increase in external threats — One of the main reasons operational resilience needs to be a continually evolving and improving discipline is that pandemic-style events could happen again. As well as pandemics there are political, economic, social and environmental factors from which another significant business interruption event could emerge. The world is now more alert to the threats of such systemic events, but in future there will be an expectation that firms “do better next time”. To meet this expectation, the lessons from the past year need to be turned into preparations for the next event.
- Need to adapt business models — As pressures on financial firms grow — from shareholders, investors and customers — so the need to adapt their business models increases. This may take firms into new, uncharted territory and increase the risks to operational resilience accordingly.
- More widespread use of technology — Whether as a direct result of the pandemic or not, more and more firms are turning to financial technology (fintech) to undertake their operations. Payment services is one area in particular where the pandemic has led to an explosion of automated solutions.
- Outsourcing — Firms are relying much more heavily on third parties to undertake key business objectives. The move to more widespread use of technology and outsourcing has exposed firms’ lack of experience in these areas; they have historically posed significant risk, and this risk has not always been controlled effectively. Whether this involves a move to the cloud or placing more reliance on others in the supply chain, firms need to realise that managing third parties is more akin to managing an internal process than it is to allowing third parties just to get on with it.
- Heightened regulatory activity — Regulators are intensifying their scrutiny of firms’ operational resilience plans. Operational resilience will become a permanent fixture on future regulatory agendas.
Regulators were already looking at operational resilience before the pandemic. Once firms’ financial resilience had been addressed following the 2008 financial crisis, many regulators turned their attention to making sure firms’ operations were resilient.
- Financial Stability Board — For some years the Financial Stability Board (FSB) has focused on financial resilience in high-risk parts of the financial services sector. This year it included cyber and operational resilience in its work programme and has issued its final report on effective practices for cyber incident response and recovery.
- Basel Committee on Banking Supervision — The Basel Committee has issued its principles for operational resilience. These focus on the following areas: governance, operational risk management, business continuity planning and testing, mapping interconnections and interdependencies, third-party dependency, incident management and ICT.
- EU — The EU published a draft regulation on digital operational resilience for the EU financial sector that would introduce a harmonised framework on digital operational resilience in Europe. The proposed Digital Operational Resilience Act (DORA) has two distinct sections. The first deals with financial entities, while the second focuses on the providers of technology services to those entities. The first section of DORA applies to a very wide spectrum of EU “financial entities” including banks, insurers, payment service providers, trading venues, crypto-asset issuers and crowdfunding service providers. DORA’s obligations for financial entities include:
  - ICT risk management
  - Operational resilience testing
  - Incident classification and reporting
  - ICT third-party risk management and critical ICT service providers
  - Information sharing
The second section of DORA is dedicated to those businesses that provide ICT services to financial entities. The objective of this pillar is to look at scenarios of risk concentration, with several financial services firms relying on a limited group of technology providers.
- UK — In the UK, the Prudential Regulation Authority (PRA)/Financial Conduct Authority (FCA) and the Bank of England have recently issued their policy papers on operational resilience. The PRA paper focuses on governance, the difference between operational risk and operational resilience and then business continuity and outsourcing.
- United States — In the United States, the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation have issued an interagency paper on sound practices to strengthen operational resilience. Again, these cover areas such as governance, operational risk management, business continuity management, third-party risk management, scenario analysis, surveillance and reporting on operational resilience.
- Australia — In Australia, the Australian Prudential Regulation Authority (APRA) has updated its guidance on prudential standards, business continuity management, outsourcing and risk management, and the Australian Securities and Investments Commission (ASIC) has issued guidance on the operational resilience of market intermediaries.
- Asia (selected) — The Hong Kong Monetary Authority has issued principles for operational resilience and the Monetary Authority of Singapore has published guidance on operational resilience.
- Ireland — The Central Bank of Ireland (CBI) has issued a consultation paper on the proposed cross-industry guidance on operational resilience. The core principles of any operational resilience framework are: board and senior management ownership of the operational resilience framework; the identification of critical or important business services and all activities, people, processes, technologies and third parties involved in the delivery of these services; the setting of impact tolerances for each of these identified services and the testing of the firm’s ability to stay within those impact tolerances during a severe but plausible operational disruption scenario. Firms will also be expected to review how they respond and adapt to disruptive or potentially disruptive events so that lessons learned can be incorporated into operational improvements to continually enhance their operational resilience.
Regulators in many jurisdictions have taken significant action, and there are some common themes running through all the various pieces of policy and guidance. These include:
- Main objectives of operational resilience — The six main elements of the definition of operational resilience are: identify, prepare, respond, adapt, recover and learn. In all jurisdictions a version of this definition is used as the backbone upon which to develop approaches to operational resilience.
- Governance — The root of operational resilience is governance within a firm. Most regulators mention the need for sound governance, and this means that operational resilience should be led by the board and treated as a main corporate governance strand, embedded into the fabric of a firm. In the UK, boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each. In addition, firms should establish clear accountability and responsibility for the management of operational resilience.
- Identification of important business services — Business services deliver a specific outcome or service to an identifiable user external to the firm and should be distinguished from business lines, which are a collection of services and activities. Firms must identify their important business services.
- Impact tolerances — A new theme to emerge from the UK PRA is the need for firms to set an impact tolerance for each of their important business services. An impact tolerance is the maximum tolerable level of disruption to an important business service as measured by a length of time, in addition to any other relevant metrics. Firms should set their impact tolerances at the point at which any further disruption to the important business service would pose a risk to the firm’s safety and soundness.
- Mapping — Firms need to identify and document the necessary people, processes, technology, facilities and information required to deliver each of their important business services. Many regulators mention interdependencies and the need to be aware of risks within a range of internal and external relationships. These should also be mapped and assessed to establish whether they are critical to operational resilience.
- Scenario testing — Firms should regularly test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Impact tolerances assume a disruption has already occurred, so testing the ability to remain within them should not focus on preventing incidents from occurring.
There are some regulatory deadlines with which firms must comply:
- In the UK, the PRA has said that the operational resilience requirements will be effective from March 31, 2022.
- In Ireland, the CBI has requested feedback to its consultation by July 9, 2021.
About the author
Mike Cowan is a senior regulatory intelligence expert for Thomson Reuters with over 25 years’ experience of compliance, regulatory, risk and internal audit in UK financial services as regulator and practitioner.