Estimated reading time: 5 minutes
What is operational resilience in financial services?
Operational resilience is the principle of maintaining business continuity in the face of disruptive events.
In the financial sector, operational resilience is an important consideration: complex business challenges, including criminal threats, natural disasters, advances in technology, and shifting regulatory obligations, increase operational risk and make disruptions more likely – and can quickly overwhelm companies that are unprepared for adversity. Within financial services, even minor disruptions can create snowball effects that lead to product failures, reputational damage, and unexpected costs.
Given the potential consequences of business disruptions, financial regulators have started to focus on operational resilience as a priority. With that in mind, it is vital that financial service providers understand how to achieve operational resilience, and how to continuously improve their response to operational risks.
Why is operational resilience important?
In 2020, Covid-19 lockdown restrictions created unprecedented challenges for businesses across the globe, many of which were unable to adapt to severe restrictions and were subsequently forced to close. In the financial sector, both anticipated disruptions such as the introduction of new legislation, and unforeseen disruptions such as power outages or cyber-attacks, can expose business vulnerabilities and lead to failures in services and products, and financial losses for customers.
The increased risk of disruption has prompted supervisory bodies to make operational resilience a regulatory concern. In 2019, the UK’s Financial Conduct Authority (FCA), the Prudential Regulatory Authority (PRA), and the Bank of England published a joint consultation paper that set out the regulators’ requirements and expectations for financial service providers in achieving operational resilience. Following that publication, in 2021 the FCA introduced new rules and guidance on strengthening operational resilience in the financial sector, including requirements for companies to set operational risk tolerance thresholds and identify vulnerabilities.
In the EU, the European Commission published the Digital Operational Resilience Act (DORA) in draft. This is a legislative proposal that seeks to harmonise an EU-wide approach to information and communications technology (ICT) risk management requirements. The final version of DORA is expected within the next 18 months, but will impose a host of ICT-related requirements on financial entities, from incident reporting through to third party providers.
Similarly, in late 2020, several US federal bank regulatory agencies released a paper setting out ‘sound practices’ for companies to increase their operational resilience levels. The paper was based on ‘existing regulations, guidance, statements, and common industry standards’.
How can firms improve operational resilience?
Managing threats to business continuity on an ad hoc basis is inefficient and costly. Siloed risk management procedures lead to poor visibility across corporate infrastructure and may even create unintended negative consequences for other parts of a business. Instead, companies should seek to develop a holistic approach to operational resilience that is sensitive to the interconnectivity of the risks they face.
In order to develop and implement an effective operational resilience policy, companies should understand the following key principles:
- Governance: Financial institutions should use their existing governance frameworks to improve accountability and ensure effective responses to operational risk at every level of authority. Senior employees should review their company’s objectives and take an active role in shaping its operational resilience policy.
- Risk management: Financial institutions should put effective controls in place to manage both their vulnerabilities and the threats that they face. These factors should be considered in the context of critical operations and business continuity planning, meaning that they should identify critical points of failure and the capabilities of internal systems to aid business recovery.
- Planning and testing: In implementing a business continuity plan, companies should consider a wide range of scenarios, including severe worst-case events. Continuity plans should include key internal and external dependencies and incorporate business-impact analysis and recovery strategies. Continuity plans should set out detailed guidance on roles and responsibilities during the recovery process, and should be tested rigorously for effectiveness.
- Dependencies: Companies should also consider threats to their third-party relationships as part of their operational resilience policy, including threats to outsourced services or functions that are critical to continuity. Operational resilience considerations should be formalised in agreements with any third-parties.
How can firms achieve compliance?
The introduction of new regulations in the UK reflects the increased global attention on operational resilience and the need for financial service providers to examine their compliance responsibilities, especially in the wake of the Covid-19 crisis. In practice, this means that companies should develop and implement a compliance policy that meets their business needs and reflects the threat landscape in which they operate.
Linda Gibson, Head of Regulatory Intelligence at BNY Mellon | Pershing recently told CUBE that the firms that fared best throughout the global pandemic were “those that invested in digitalisation to improve the client experience and really meet the new demand for digitised services across the board.” She added that “firms are expected to identify their important business services and set impact tolerance levels”, which requires a major data mapping exercise and solid data management.
Given the amount of data that must be collected and analysed as part of an operational resilience policy, it is important that firms integrate effective technology solutions to streamline their compliance processes. A technology solution, especially one that harnesses artificial intelligence in order to automate manual processes, adds speed and efficiency advantages to data collection requirements but also allows companies to centralise their risk data and provide access to the relevant personnel at every level of authority.
Find how CUBE solves for operational resilience.