Expect announcements shortly from the FCA on one of the most current and prioritised themes – operational resilience.
In conjunction with the Prudential Regulation Authority and the Bank of England, the Financial Conduct Authority published a discussion paper in July, which closed on 5 October. Financial services firms were invited to put forward ways in which they expect to be able to manage risks that could severely damage their operations and how they will minimise the impact on customers.
Regulators believe a lack of operational resilience poses a risk to the supply of crucial services on which the economy depends, threatens firms’ viability and causes harm to consumers and other businesses.
Regulators want to see firms improve their preparedness to withstand, absorb and recover from disruptive incidents. They also want to see firms manage incidents effectively, particularly where customers are affected.
Defining the problem
Operational resilience is defined as “the ability of firms and the financial system as a whole to absorb and adapt to shocks, rather than contribute to them.” Regulators want this to be an integral part of a firm’s overall strategy so they can continue providing “critical economic functions” to both the UK economy and their customers.
Banks are the key target for regulatory work in this area, since online banking outages, in particular, result in widespread disruption. Barclays and RBS Group were in the firing line recently, when customers were unable to access their accounts during incidents in September, with the banks asked by the Treasury Select Committee to provide full details on what caused the events and on how customers will be compensated.
Further, the Bank of England’s Financial Policy Committee is setting standards for how quickly banks must be able to restore vital services following a cyber attack and it will also conduct stress tests to check these can be met.
But operational resilience is required across the financial services sector, and data theft affecting an insurer or credit card company, for example, would be viewed with equal severity.
What is required?
Firstly, regulators expect operational resilience to be high on the agenda for boards and senior managers in addition to their operational risk advisers. They should also work on agreeing an ‘impact tolerance’: an upper limit for the impact to business services that a firm is prepared to tolerate as a result of a ‘severe but plausible’ operational disruption. This is expected to be expressed as a set of specific metrics on the duration, volume or nature of a disruption. Firms should also:
- plan for disruptive events as well as aiming to prevent them
- focus on the wider impact of disruptive events, not just on restoring systems and processes
- map products and services to underlying systems and processes
- identify the likely impact on customers and market participants and on the firm’s own viability
- prioritise the most important business services and identify the systems and processes that support them, whether internal to the organisation or outsourced
- ensure there is an effective communication strategy when there is a disruption to assist both employees and customers.
Covering all the bases
Regulators state that disruptive events are inevitable but firms that could be impacted must prepare and be as resilient as possible. Clearly, guarding against and managing a cyber attack is seen as the most obvious item on the operational risk manager’s checklist because there is so much reliance on technology and data, but other potential disruptions could include an outage for non-malicious reasons, severe weather such as flooding, fire or pandemic flu.
Regulators have not produced any immediate changes to supervisory processes. But once feedback to the discussion paper is properly assessed, new rules are almost certain. There may be a willingness to engage with the industry to improve operational resilience and to take on board feedback, but this is also viewed as too important an area to allow the present status quo to continue, which is why operational risk managers must ensure that activity is now escalated.