Global regulators are focused on the financial services industry’s response preparedness for operational disruptions and whether firms are doing enough to increase operational resilience. Their growing interest is expected to usher in a new era of enhanced resilience supervision.
Firms Should Act Now to Become Operationally Resilient
Information technology failures. Digital transformation. Outsourcing. Industry consolidation. Extreme weather. Recession fears. What do these global trends have in common? They are fueling global interest in operational resilience, and the financial services industry, given its criticality to the stability of the global economy, is bearing a fair share of the scrutiny.
Increasingly, regulators are concerned about the financial industry’s ability to respond quickly and effectively to disruptive events before they significantly affect consumers, other businesses, and the economy. The regulators’ interest in the industry’s capabilities is shifting from how effectively institutions can prevent events from occurring to how quickly they can recover and remain viable following major disruptions, including severe but plausible stress events.
The most significant effort to date by any financial regulator to create formal rules around operational resilience occurred on December 5, 2019, when the UK supervisory authorities proposed new rules and expectations aimed at strengthening the operational resilience of the UK financial services sector. The proposals were released collectively by the Prudential Regulation Authority (PRA), the Bank of England (BoE) and the Financial Conduct Authority (FCA) through a series of coordinated consultation papers.
In the consultation papers, the supervisory authorities provide their view on key concepts essential to building operational resilience. Their proposals emphasize the need for boards and senior managers to improve their understanding of the criticality of their businesses; set clear standards for resilience, including the maximum level of disruption their businesses can tolerate; and establish contingency arrangements to enable the delivery of important business services when disruptive events occur.
Given the UK development and the groundswell of activity around operational resilience globally, companies should act now to stay ahead of the regulatory curve. The following are immediate actions that firms can take:
- Identify important business services and functions and their reliance on third-party providers.
- Quantify the maximum acceptable level of disruption, referred to as “impact tolerance,” by establishing a point in time when the viability of an important business service is irrevocably threatened.
- Monitor and test the resilience of important business services and business lines against worst-case scenarios.
- Identify and document (also known as mapping) the necessary people, processes, technology, facilities and information required to deliver each of their important business services.
- Communicate resilience discussions and practices across the organization.
The Resurgence of Interest in Operational Resilience
Operational resilience represents an organization’s ability to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions. The number of financial institutions that have suffered severe financial and reputational harm from major disruptive events in recent years continues to increase, renewing the urgency around building operational resilience. As a result of these events and growing regulatory concerns, financial industry trade groups are working with their members to consolidate their views on operational resilience and to elevate their resilience capabilities to a broad range of threats.
The key components of operational resilience include defining important business services, impact tolerance and economic impact, and developing a complete understanding of all business services, functions and third-party relationships. Specifically, it requires that firms develop a process of prioritizing the important business lines or services they provide to various stakeholders; assessing the impact tolerance of the organization for each business line and how a prolonged disruption will affect various stakeholders; and considering the effects of business disruptions not only on the institution’s stakeholders, but also on the financial sector at large.
Requirements to support resilient operations are not new to financial services leaders. Many financial institutions have long addressed key aspects of operational resilience under the headings of business continuity, disaster recovery, information technology change management and cybersecurity risk management. Nonetheless, in the seminal July 2018 joint discussion paper issued by the BoE, the PRA and the FCA, “Building the UK Financial Sector’s Operational Resilience,” the supervisory authorities asserted that operational resilience is best managed in the context of business services rather than of distinct systems and processes. The discussion paper not only jump-started interest in operational resilience but also signaled regulators’ intent to hold financial institutions and financial market infrastructures (FMIs) accountable both for disruptions and for failing to recover rapidly from them.
Conversations on Operational Resilience Around the World
Regulators in various jurisdictions are weighing different approaches to operational resilience supervision. Many are revising existing policies, including those on risk management, outsourcing, controls and communication, and business continuity planning. Others intend to build on existing supervisory approaches or to supplement existing policies to improve the resilience of the financial system. Some jurisdictions are weighing a more prescriptive approach to resilience supervision, such as establishing specific resilience tolerances for institutions, while others have signaled their openness to an approach that incorporates leading industry standards and best practices rather than detailed prescriptions. The latter approach was raised in May 2019 by a senior U.S. Federal Reserve official. The Federal Reserve’s intent is to incentivize new behaviors and investments that support the industry’s progress toward financial stability objectives. However, it has not ruled out establishing specific tolerances and thresholds for certain key business services.
The differing approaches under consideration imply that multinational institutions may be obligated to comply with varying operational resilience rules from various regulatory authorities. Many leading financial institutions have also voiced support for a principles-based regulatory approach to operational resilience — one that is firm-led, flexible in design, and not overly prescriptive.
Additionally, the financial industry is engaged in direct dialogue with regulators on several of its main concerns, including the need for global harmonization of operational resilience regulations. The discussions are already having an impact; the UK supervisory authorities said the industry’s feedback helped reshape some of the proposals in the December consultation papers.
Signs of Emerging Cross-Jurisdictional Collaboration
Hopeful signs of broader cross-jurisdictional collaboration on operational resilience regulation are emerging. These early signs suggest various regulatory bodies and professional organizations see the value in working to consolidate global standards.
- Singapore and UK: In June 2019, the Monetary Authority of Singapore (MAS) and the UK financial authorities announced agreements to collaborate on strengthening cybersecurity and resilience in their financial sectors. The two sides will also cooperate on facilitating data flows, enhancing cross-border Know Your Customer (KYC) processes, and developing skills and competencies in the financial sector.
- The Basel Committee on Banking Supervision: In January 2022, the member jurisdictions of the Basel Committee on Banking Supervision (BCBS) will begin a five-year phase-in of the Basel III reforms, which are intended to limit the damage that banks assuming undue risk can inflict on the wider economy. At the beginning of 2018, the BCBS established the Operational Resilience Working Group, whose initial task has been to assess gaps and identify potential policy measures to strengthen operational resilience. The BCBS strengthens the regulation and supervision of banks to enhance global financial stability; its membership draws from 28 jurisdictions worldwide.
Recent Regulatory Proposals on Operational Resilience
There has been a flurry of activity around operational resilience in recent months and over the past year. The following are a few recent major proposals and developments.
The aforementioned December 5, 2019 proposals spell out the supervisory authorities’ clear expectations for regulated UK institutions, including the need for firms to take ownership of their operational resilience, to prioritize plans and investment choices based on their impact on the public interest, and to communicate clearly with customers when disruptions occur. While key concepts essential to building operational resilience, such as important business services and impact tolerance, are clarified, the supervisory authorities refrained from proposing taxonomies and prescriptive definitions.
Here are additional key takeaways from the consultation papers:
- Regulated institutions are expected to take a group-level view of operational resilience to ensure the risks of the whole group or organization, including parts or subsidiaries that are not subject to individual requirements, are considered.
- The supervisory authorities migrated from the term “critical business services” to “important business services,” expanding the number of services a regulated institution would have to validate as resilient. This change is expected to result in increased mapping of more processes and systems (possibly data flows), using a front-to-back approach to identify important business services.
- Regulated institutions are expected to use a time-based metric to define their impact tolerance, that is, the point at which the viability of a service is irrevocably threatened, and to be able to identify the stakeholders whose harm would mark that point of irrevocability.
UK regulators are under pressure to hold institutions and their executives more accountable for operational failures. In October 2019, the UK Parliament’s Treasury Select Committee (Treasury Committee) published a report decrying the current level and frequency of operational disruptions and consumer harm and urged regulators to act to reduce the “unacceptable” number of IT failures in the financial services sector. In the report, the Treasury Committee called for banks and responsible individuals within the sector to be held more accountable. It urged the regulators (specifically, the FCA, PRA and BoE) to apply their enforcement powers to ensure failures do not go unpunished.
In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released an updated business continuity management booklet designed to make it easier for financial institutions to comply with its guidance and to help examiners determine whether management is addressing risks to the availability of critical financial products and services. Among the notable changes from the earlier (2015) version, the booklet emphasizes operational resilience concepts such as understanding comprehensive process flows, potential systemic impacts, the need for more robust end-to-end testing, and maximum tolerable downtime (MTD). As part of their examination objectives, FFIEC examiners will also determine whether management has documented and implemented, as appropriate, resilience measures for third-party service providers, including consideration of disruptive events that threaten the operational resilience and viability of those providers.
Cybersecurity and operational resilience also feature prominently in the Office of the Comptroller of the Currency’s (OCC) Fall 2019 Semiannual Risk Perspective and 2020 fiscal year Bank Supervision Operating Plan. While these topics have been on the OCC’s supervisory radar for several years, the emphasis has expanded. According to the OCC, banks’ exposure to operational risks is on the rise as they adapt to a changing and increasingly complex operating environment. A key factor driving the elevation in operational risk is the need to adapt and evolve current technology systems for ongoing cybersecurity threats.
In June 2019, the Bank of Canada launched the Canadian Financial Sector Resiliency Group (CFRG), a public-private partnership to strengthen the resilience of Canada’s financial sector in the face of risks to business operations, including cyber incidents. CFRG, which brings together the Department of Finance Canada, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s systemically important banks, and designated Canadian FMIs, will be responsible for coordinating a sectorwide response to systemic-level operational incidents. CFRG will also support ongoing resilience initiatives, such as regular crisis simulation and benchmarking exercises. The partnership replaces the Joint Operational Resilience Management Program (JORM), which played a similar role but had a different membership base and did not have the mandate to look at resilience coordination for cyber events.
In December 2019, the European Commission launched a public consultation on a proposed digital operational resilience framework for the EU financial sector. The Commission aims to gather the public’s views on strengthening the digital operational resilience of the financial sector, particularly in the areas of information and communications technology (ICT) and security risk, and the potential impacts of such policies. The public consultation will remain open until March 18, 2020.
In the consultation document, the Commission states that the financial sector is the largest user of ICT in the world, accounting for about a fifth of all ICT expenditure. The sector’s operational resilience will continue to hinge on ICT, given the growing use of emerging models and technologies such as distributed ledgers and artificial intelligence. In the Commission’s view, the increased use of artificial intelligence in financial services may call for stronger operational resilience and, accordingly, increased regulatory supervision.
This latest paper follows earlier efforts by the European Supervisory Authorities (ESAs) to address the need for improvements to ICT risk management requirements in the EU’s financial services industry. In April 2019, the ESAs clarified their requirements on ICT governance and sought to ensure secure delivery of regulated services. The ESAs’ proposals (Joint Advice) promote operational resilience of the EU’s financial sector. They point out that as financial services firms’ reliance on technology increases, exposure to cyber risk also grows. The European supervisors continue to suggest changes to harmonize risk management rules throughout the EU.
In March 2019, MAS released a pair of consultation papers. The first paper proposed expanding Technology Risk Management (TRM) guidelines to include direction on cyber surveillance, software development security, adversarial attack simulation, and cyber risk management connected to the Internet of Things. The second paper proposed updates to Business Continuity Management (BCM) guidelines that will increase financial institution business continuity plans’ focus on interdependencies across operational units and with third-party service providers.
How Financial Institutions Can Respond Now
The pressure to comply with operational resilience requirements and guidance, together with the desire to avoid the consequences of operational failures, gives institutions strong motivation to strengthen operational resilience. The benefits extend beyond mere compliance: companies can protect their profits and reputations by staying on top of industry best practices.
Here are a few initiatives that institutions can take immediately:
- Given that most organizations already have an idea of what their important business services are, they should not wait for formal requirements before defining “important business services.” Acting now to gain internal consensus on which services are important will help firms understand the scope and impact of any future operational resilience regulations focused on those services.
- Institutions should develop action plans to address known operational risks or gaps, whether self-identified, noted by internal audit, communicated by regulators in a matter requiring attention (MRA) or ordered by a court. Focusing on and addressing known gaps is a crucial step for firms to demonstrate resilience and their ability to respond to or recover from severe-but-plausible scenarios.
- Building a robust operational resilience program will require investment in technical and human resources. It is therefore important for firms to begin weighing the impact on budget and other resources immediately. Budgetary considerations will vary depending on an institution’s existing capabilities. Operational resilience professionals can help institutions assess the resources required to support implementation, estimate the budgetary impact and benchmark against peers.
- While institutions have invested significant resources in the foundational elements, providing a true front-to-back mapping of important business services — inclusive of all processes, systems, and third parties involved — is a challenge for many institutions. Mapping is critical, as it will help institutions identify vulnerabilities in the delivery of important business services within an impact tolerance and take action to remedy the discovered vulnerabilities.
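The immediate actions listed earlier (identify important business services, set a time-based impact tolerance, map the people, processes, systems and third parties each service depends on, and test against severe scenarios) and the mapping point above can be exercised with a small dependency model. The following is an added example, not code from the article or from any regulator; the service names, the dependency map and the tolerance figures are constructed, hypothetical data. It treats third-party providers as ordinary nodes in the map so that a vendor outage propagates to important business services exactly like an internal failure, and it flags common-mode resources whose failure would reach more than one important service.

```python
"""Front-to-back dependency map with impact-tolerance checks (illustrative)."""
from collections import defaultdict, deque

# Constructed data: important business services and their impact tolerance,
# expressed as the maximum tolerable outage in hours (a time-based metric).
IMPACT_TOLERANCE_HOURS = {
    "retail_payments": 4.0,
    "mortgage_origination": 48.0,
}

# Constructed map: each resource lists the resources it needs to operate.
# Entries ending in "_vendor" or "cloud_hosting" stand for third parties.
DEPENDENCIES = {
    "retail_payments": {"payments_engine", "customer_service_desk"},
    "mortgage_origination": {"loan_workflow", "document_imaging_vendor"},
    "payments_engine": {"core_ledger", "payment_gateway_vendor", "cloud_hosting"},
    "loan_workflow": {"core_ledger", "cloud_hosting"},
    "core_ledger": {"primary_data_centre"},
    "customer_service_desk": {"telephony_vendor"},
}


def reverse_map(deps):
    """Invert 'X needs Y' into 'Y is needed by X' for upward propagation."""
    rev = defaultdict(set)
    for node, needs in deps.items():
        for needed in needs:
            rev[needed].add(node)
    return rev


def services_affected_by(failed, deps=DEPENDENCIES, tolerances=IMPACT_TOLERANCE_HOURS):
    """Return the important business services that transitively depend on `failed`."""
    rev = reverse_map(deps)
    seen = {failed}
    queue = deque([failed])
    while queue:  # breadth-first walk up the dependency tree
        node = queue.popleft()
        for dependent in rev.get(node, ()):
            if dependent not in seen:
                seen.add(dependent)
                queue.append(dependent)
    return {node for node in seen if node in tolerances}


def assess_outage(failed, outage_hours, deps=DEPENDENCIES, tolerances=IMPACT_TOLERANCE_HOURS):
    """Compare a scenario outage of `failed` against each affected service's tolerance."""
    result = {}
    for service in services_affected_by(failed, deps, tolerances):
        tolerance = tolerances[service]
        result[service] = {
            "tolerance_hours": tolerance,
            "outage_hours": outage_hours,
            "breached": outage_hours > tolerance,
        }
    return result


def common_mode_dependencies(deps=DEPENDENCIES, tolerances=IMPACT_TOLERANCE_HOURS):
    """Resources whose failure would reach more than one important business service."""
    resources = set(deps) | {n for needs in deps.values() for n in needs}
    resources -= set(tolerances)  # the services themselves are not dependencies
    shared = {}
    for resource in sorted(resources):
        reached = services_affected_by(resource, deps, tolerances)
        if len(reached) > 1:
            shared[resource] = reached
    return shared


if __name__ == "__main__":
    # Severe-but-plausible scenario: the cloud host is down for six hours.
    for service, outcome in sorted(assess_outage("cloud_hosting", 6.0).items()):
        print(service, outcome)
    print("common-mode dependencies:", common_mode_dependencies())
```

Running the scenario shows the value of the map: a six-hour cloud outage breaches the four-hour tolerance for retail payments while staying within the 48-hour tolerance for mortgage origination, and the common-mode check surfaces the cloud host, the core ledger and the primary data centre as single points whose failure reaches both services. In a real program the map would be populated from the institution's configuration, contract and process inventories and the tolerances agreed with the board, but the propagation logic is the same.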