After publication of the UK regulators’ policy statements containing their final rules on operational resilience, chief operating officers should consider three things: adapting the lessons learned from the pandemic, bringing third-party suppliers closer, and improving customer communication. Protiviti UK’s Country Market Leader Tom Lemon and Director Laura Moore explain.
In April 2018, a major high street bank began transferring its customer data onto a new IT platform. The migration was expected to take two days, but shortly after the implementation started, alarm bells rang. Customers were locked out of their accounts, and some gained access to other people’s money. Following a tumultuous week in which the crisis escalated, its chief executive declared in a press interview that the bank “was on its knees”.
This is just one of many high-profile examples in recent years where the operational resilience of a financial institution has been called into question. Insurance companies Aegon and Aviva faced similar challenges transferring to new platforms. And, in June 2018, payments giant Visa went down, affecting many customers across Europe and resulting in supervision measures from the regulator.
Clearly, patience was beginning to wear thin. In July 2018, the Bank of England’s Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) released a joint discussion paper. They stated that a resilient financial sector is “one that can absorb shocks rather than contribute to them”. Firms needed to bounce back when things went wrong, they added, and consider the ability of their people, processes and organisational culture to respond.
At the end of 2019, the regulators began consulting on a series of measures to increase operational resilience. Financial firms would have to identify their important business services and set, for each one, the maximum tolerable level of disruption, called an impact tolerance. Since then, we have seen strong collaboration between industry and the regulators. In fact, this has been one of the most principles-based consultations we’ve ever experienced. It makes good business sense and has become more than a compliance exercise.
This year, at the end of March, the PRA and FCA released their policy statements. Firms now have a year, to 31 March 2022, to put their operational resilience plans in place. They will have to carry out mapping and testing exercises to the extent necessary to identify their important business services, set impact tolerances and identify any operational resilience vulnerabilities. After that, their mapping and testing will need to evolve and become more sophisticated. Regulators have set a date of no later than 31 March 2025 for firms to be able to remain consistently within their impact tolerances for each important business service.
While these regulations have provided an important framework, they have also highlighted three topics we believe will be important as firms continue to refine their approach.
Continue crisis collaboration
Until last year, it was tough for financial services firms to focus on the bigger picture of operational resilience. The prospect of their systems facing large-scale disruption was often just a hypothetical scenario in leaders’ minds. While big-name failures alerted the regulators, many chief operating officers (COOs) were still focused on business as usual.
Then Covid-19 happened. In a matter of weeks, companies were stress tested, teams came together, and everyone experienced a resilience event. Businesses with remote working plans did better than those without them, and the disruption they faced became more than a scenario. The past year has also shown how pivotal important business services are and how they cut across traditional corporate reporting lines.
The pandemic has therefore helped develop the operational resilience story inside companies. COOs have been able to amplify their message and win over people’s hearts and minds. Their understanding of important business services has evolved, and their firms’ ability to bounce back has been more deeply explored. In some cases, the people supporting these services are returning to the office first.
This dynamic approach, which has been acknowledged by the regulators, will be important in the months and years ahead. Operational resilience is on everyone’s mind now, and the sense of collaboration forged in a time of crisis is part of a recipe for the future.
Bring third-party suppliers closer
It’s healthy and increasingly common for financial services firms to work with third-party suppliers. As customers access more services online, external providers of technology can help smooth the path towards digital transformation. But outsourcing a service does not outsource responsibility for it: the firm remains accountable to its customers and regulators for the resilience of that service, so this trend places greater pressure on firms to manage these external agreements properly.
In 2019, retail bank Raphaels was fined £1.89m by the PRA and FCA for failing to manage its outsourcing arrangements properly. On Christmas Eve in 2015, a technology incident at a third-party supplier caused the failure of services for eight hours. More than 3,000 people were unable to use their pre-paid cards and more than 5,000 transactions couldn’t be authorised. In 2020, Raphaels began to wind down its operations for good.
We believe third-party risk management has struggled to be an effective discipline. Lots of companies go through the motions, putting ‘rights to audit’ in contracts and sending out questionnaires to suppliers, among other actions. These interventions might help them believe they are doing the right thing, but a contractual right that is never exercised and a self-assessment that is never verified offer little assurance when things go wrong.
As such, it’s important for relationships with third-party suppliers to evolve. On their journey towards implementing operational resilience plans, companies will be required to test severe but plausible scenarios with key suppliers, and these tests will demand closer working relationships in order to be successful. If firms are able to establish genuine partnerships with suppliers during this process, they’ll have a greater chance of boosting their resilience.
Communication is a competitive advantage
Communication is always important, but it’s pivotal in a crisis. If people are kept in the dark, unsure of what’s happening, the damage to businesses can be swift and lasting. But if firms present clear, timely and relevant information, they will meet regulators’ expectations and keep their customers happy too. TSB was criticised by the FCA for its communication during its 2018 migration crisis, whereas internet bank Monzo was praised by its customers for its communication during an outage 12 months earlier.
We believe communication will become a competitive advantage as financial firms consider the benefits of operational resilience. There is no doubt that ‘born digital’ companies are helping others to communicate better. When major failures occur, customers flock in their hundreds to social media, to call out firms that fall short. This transparency, which helps to benchmark positive service, can also assist companies when things go wrong.
In other sectors, like the construction industry, it’s common practice to document the number of days since the last accident on a site. It helps contractors maintain their health and safety record and provides awareness about what matters. As financial firms focus on operational resilience, techniques like ‘days since last disruption’ could help them share their journey with customers. If they communicate well when times are tough, and celebrate the improvements, they could even win more business as a result.
What does the future look like?
Following the policy statements at the end of March, it’s clear that best practice for operational resilience will evolve. Lessons are being learned from the Covid-19 pandemic, and communication plans will also develop alongside third-party supplier relationships. The next 12 months will continue to sharpen everyone’s plans.
In the future, the best-case scenario is that customers will feel no disruption to the services that matter most, when things go wrong. We will see a reduced number of incidents, and for those incidents that do occur, these will not come as a surprise.
The regulations have certainly provided an opportunity for financial firms to do what is right, but they have also opened up areas for ongoing discussion and debate. Now is absolutely the time for companies to keep operational resilience on the agenda and enhance their reputation with customers and the media for the long term.
What do you think? These are three areas we believe will be important as firms step up their operational resilience plans. But it would be great to know what else will help. Get in touch and let us know – [email protected]