What next for operational resilience?

The Review examines how firms are faring on operational resilience in light of regulatory focus and pandemic shockwaves
by Alexander Garrett

There hasn’t been a year in recent history that has posed such a challenge for companies around the world in every sector, not least financial services. Covid-19 forced organisations of every size and shape to think about how they could protect their employees while keeping their operations up and running. The pandemic was a risk scenario that few had prepared for: a ‘black swan event’ that, despite past warnings and predictions from scientists, caught the vast majority of financial firms – and governments – unawares.

It also threw the spotlight on the importance of operational resilience, defined by the FCA in its December 2019 consultation paper CP19/32 as “the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”. Operational resilience goes some way beyond the measures of existing management processes, such as business continuity planning or disaster recovery. 

In a speech in December 2019 in London, Megan Butler, then the FCA executive director of supervision – investment, wholesale and specialists, said: “Our starting point is the premise that operational disruptions happen. We want to dispel the belief, which many firms hold, that we expect them to stop all operational disruptions altogether. We understand these happen. The outcomes we are seeking are more focused on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most. Even in the event of severe operational disruptions.” 

She later made it clear that the FCA had “begun to transition from the immediate ‘incident response’ towards focusing on longer-term impacts” and that it expects firms “to have contingency plans to deal with major events” and ensure “that these plans have been properly tested”.

In March 2021, the main financial regulators in the UK – the Prudential Regulation Authority (PRA), the Bank of England (BoE), and the FCA – published a joint final policy summary regarding requirements to strengthen operational resilience in the financial services sector. Notably, the date by which firms must comply with the new rules has been set as 31 March 2022, with the grace period intended to alleviate the burden on companies amid the pandemic environment. 

Building operational resilience globally

There is global momentum behind the drive to make financial firms resilient. In October 2019, the Global Financial Markets Association, in conjunction with the Institute of International Finance, published a discussion paper titled Draft principles supporting the strengthening of operational resilience maturity in financial services.

Then in March 2021, the Basel Committee on Banking Supervision, which serves as the primary global standard-setter for the prudential regulation of banks, published a new paper on Principles for operational resilience. Pandemics, alongside other factors such as cyber incidents, technology failures and natural disasters, are cited as operational risk-related events that banks must strengthen against.

In Hong Kong, political unrest has caused significant disruption in the past two years, with the Hong Kong Monetary Authority, a member of the Operational Resilience Working Group of the Basel Committee, setting up a working party in 2019. And the Securities and Futures Commission of Hong Kong notes in its Quarterly report April–June 2020 that, “During the Covid-19 outbreak, we stepped up our supervisory work and stress tests to monitor firms’ financial and operational resilience in light of heightened market volatility and issued frequently asked questions to explain the flexibility we allow for some regulatory requirements.”

Japan, too, is concerned. On 1 October 2020, for example, the Tokyo Stock Exchange (TSE) had to suspend trading in all shares for an entire day because of an IT failure. In the wake of the meltdown the TSE, and its parent company Japan Exchange Group, submitted reports to Japan’s financial services regulator, the Financial Services Agency, and were issued with business improvement orders that emphasised the importance of resilience. 

Meanwhile in South Africa, the country’s financial regulator, the Financial Sector Conduct Authority (FSCA), reports in its Regulatory strategy document for 2018 to 2021 that the FSCA will voluntarily submit itself to International Monetary Fund Financial Sector Assessment Programme reviews, which are designed to help countries’ financial systems identify key risks and enhance their resilience to shocks and contagion.

FCA final rules

In the UK, the FCA’s CP19/32 and subsequent feedback and final rules, published in its policy statement PS21/3 in March 2021, provide a highly prescriptive approach towards implementing operational resilience across the whole of a firm’s operations. In her 2019 speech, Megan Butler summarised the three key requirements:

  • Mapping: firms should “identify and document the resources that deliver and support their important business services”. For FCA-regulated firms, these services might include enabling people to buy goods, borrow money and transact on financial markets.
  • Impact tolerances: setting impact tolerances at “the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption”.
  • Testing: testing firms’ ability to remain within their impact tolerance during a severe event, in order to reveal gaps and weak points in the resources that support delivery of the important business service. 

The rules will apply to banks, building societies, PRA-designated investment firms, Solvency II firms and Recognised Investment Exchanges, as well as some other regulated firms. Although small “out of scope” firms will not be subject to the requirements, no doubt the proposals will come to be seen as ‘best practice’ for many smaller firms across a number of sectors, even if they are not required to adhere to the specific regime.

The FCA will apply a proportionate approach to affected firms, “reflecting the impact on consumers and market integrity if their services are disrupted,” it says. Firms will need to show that they have fully evaluated their operational resilience using the approach prescribed, and where weaknesses are identified, they will be expected to act, for example by investing in improving processes, introducing better infrastructure or training, building back-up systems, addressing vulnerabilities in legacy systems, or enhancing contingency plans.

The FCA’s PS21/3 feedback and final rules say that, by 31 March 2022, firms must have identified their important business services, set ‘impact tolerances’ for the maximum tolerable disruption, and carried out advance mapping and testing. As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within the set impact tolerances, and make any necessary investments in order to enable them to operate within these tolerances.

The change may be profound. Tara Kenny, head of group operational resilience at Lloyds Banking Group, believes that, “In many ways this approach challenges traditional risk matrices by making the probability axis irrelevant. Firms are encouraged to treat the probability as guaranteed and therefore focus resources on minimising the customer and market impact of the event.”

Embracing change

How ready are firms to make the necessary changes? Ian Pickford CFP™ Chartered MCSI, head of financial planning and wealth management at Mazars, says: “We will probably fine-tune what we do to fit alongside what they are asking for. If there are any gaps, we will fill them. But we do already have a procedure that looks at the resilience of our business.” 

Salina Ladha, a director in the finance, risk and compliance team at business management consultancy Baringa Partners, says, “We have already seen some firms looking at reshaping their operational risk teams as a result of Covid-19, in some instances to try and bring in more expertise so they can challenge the first line and make sure they are thinking about risk in the right way. It’s about upskilling the team with the right seniority and expertise.”

David Ostojitsch, director of technology and operations at the Association for Financial Markets in Europe, says that, overall, the global financial services sector has responded very well to the shock, with financial markets staying up and running throughout the crisis, in spite of frequent spikes in volume. There is another lesson though, he says, in that the pandemic has highlighted that the types of scenarios and events firms need to plan for in terms of their operational resilience are extensive and distinct. 

“In some ways it will act as a benchmark for operational resilience. But equally, the next type of event to happen will be very different. So it’s more about ensuring there is flexibility in the outcome. There is a danger that you focus on some areas too specifically, which in the next big event might not be relevant. Remote working was huge in this pandemic, but in a different event that might play a smaller part.” 

The full article was originally published in the June 2021 edition of The Review

Published: 08 Sep 2021