Adapt, respond, and recover – Building a resilient financial sector

Key headlines

• The operational resilience of UK banks and financial services businesses will be regulated towards the end of 2021 in a move that has been broadly welcomed.
• Companies are working on plans to understand their critical services and impact tolerances – periods of accepted disruption.
• There is nervousness about the regulations, but the regulators’ message of collaboration and intent to focus on the outcome suggests they are keen to understand what businesses think.
• The Bank of England is collating the lessons learned from the Covid-19 pandemic, which will also inform the new rules.

The challenges companies face include: the tools needed to measure resilience; reliance on third parties (and their resilience); culture and focusing minds on recovery, rather than prevention; and alignment with international rules.

The chief operating officers (COOs) of banks and financial services businesses have been at the centre of a storm. With regulation on the horizon that will shine a spotlight on the resilience of their companies, they have also been busy responding to the pandemic. Even before the heightened expectations of customers kicked in, as more chose to access their services online, these business leaders were busy making sure their services were robust.

In 2019, consultation papers from the Bank of England’s Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), started the ball rolling on a series of resilience measures designed to protect customers. Firms will be expected to identify important business services they offer and set impact tolerances. These refer to the period of disruption that is acceptable before a service has to be up and running again.

While the regulations will be implemented in the second half of 2021, companies have been working behind the scenes to get their operations prepared for these changes. Many have been looking at how cyber security, data, third party relationships and people impact their resilience efforts. This has helped them understand their ability to adapt, respond, and recover in the event of disruption. And it’s been time well spent, because when the first lockdown came into force, they were forced to stress test their capabilities.

People as the first line of resilience

In March 2020, many companies responded like they were ‘running an incident.’ They forget about the barriers and people worked as one team. Things moved fast and thousands of people switched to working from home overnight. One attendee explained that his company didn’t have a working-from-home policy before Covid-19. But now, since the world has turned on its head, it was in a very different situation. The company is currently home-based and working efficiently and effectively. In a recent survey it conducted, 80 per cent of people said they wanted to stay at home permanently.

Another COO expanded on some of the challenges that working from home had created. Covid-19 has shown them the importance of understanding mental health and wellbeing challenges when working remotely. While some people have been struggling, surveys of the workforce suggest the vast majority also want to stay at home.

Like others at the event, this COO was looking for ways to help his teams develop more resilience and also come together. The company is going to set up collaboration days, where people come into the office and work with each other, rather than sitting at their desks on video calls. One leader said he was planning certain days when everyone would come to the office, to avoid what he called a hybrid environment. Another attendee recognised that many people had got used to working at home. She had been working closely with her HR teams to explore ways of finding the balance.

Meeting the challenges ahead

The attendees said there was still nervousness in the industry about the regulators’ intentions. But this is a voyage of discovery for both sides. According to one attendee close to the regulators, they are interested in people’s thinking as much as the final output on the new measures. In response to the FCA and PRA papers from 2019, UK Finance published its response in October 2020, highlighting the need for the industry to work together. It said any regulations should be based on the principles of collaboration, proportionality, international alignment and ongoing guidance. Work being done to collate and share the lessons learned from Covid-19 should also inform the regulations.

One attendee said he had been working on an operational resilience plan for his business since 2019. The leadership team had selected six pillars to focus on: cyber security, people, IT, property, third parties, and data. He advocated early engagement with the board, and in particular the chair and chief financial officer, when developing the plan. He also called on firms to begin by asking themselves one key question: what are your critical businesses services? And to work back from that.

The event highlighted good progress being made by companies, but the events of 2020 were still revealing new challenges. It was interesting to see how cyber security had come to the fore. With people working from home, there was concern from some members about organisations being compromised more often. The issue of relying on other companies has also become more apparent. Broadband providers, for example, have risen to the top of the list as a result of the pandemic. There is a sharp eye on the resilience of third- and even fourth-party suppliers.

If Covid-19 has taught us anything, it is that operational resilience is now as important as financial resilience. The past eight months have changed the game and the size and scale of the challenges afoot. The good news is that any regulation in the UK is likely to invite companies to set their own benchmarks. Ongoing work in the sector, in addition to the lessons learned from 2020, will place them in a good position for any new rules.

What’s less clear is what the world will look like in another 12 months. That’s why coming together, and sharing best practice, will remain so important in 2021 and beyond for COOs – and their teams.

The first COO Network event, which held in association with Protiviti, was held on 2 December 2020 online under Chatham House rules and will become a quarterly event. For more information and to find out more about our work of UK Finance, contact Director of Operation Resilience – [email protected]