Operational Resilience – time to act

February 17, 2020

Operational Resilience is a vital part of protecting our financial institutions and their customers, and the regulators want you to do more. The Bank of England, the PRA and the FCA have coordinated their approach to ensure that the whole UK financial services landscape runs smoothly even when the challenges are increasingly demanding. In July 2018 we were presented with joint discussion papers, followed by consultation papers in December 2019. The consultation period closes on 3 April 2020 and the final regulation will come into effect in Q3 2020, with an implementation date in the second half of 2021. The core activities are to identify your key business services, set impact tolerances for “severe yet plausible scenarios”, evaluate your readiness and remediate.

We have some breathing space to avoid any last-minute panic and can analyse, prepare and implement the best solutions for each firm.

Nobody wants to be a penguin on the outside.

If there’s one thing I know about the FinServ sector, it’s that nobody wants to be the metaphorical penguin braving the freezing winds of the Antarctic (a harsh regulator analogy) on the outside of their waddle.

(Yes, a group of land-based penguins is fetchingly called a waddle.)

No firm will want to be singled out for special attention. Everyone will prefer to be safe and warm amongst their peers in the middle of all the evolving resilience standards. So we’ll see an interesting, partially-sighted negotiation, often behind closed doors, where the bravest will work with their regulator to assess where ‘the middle’ is and try to stay there as long as possible. Each regulator has the freedom to assess its own desired impact tolerances, so this could get complicated for the larger multi-regulated firms, particularly if other regulators across the globe follow suit in implementing their own operational resilience frameworks too.

I think we’ll see the benefit of market-wide discussions to help establish the middle ground of impact tolerances. I believe that the Operational Resilience Collaboration Group (ORCG) is a good example of a proactive force helping to craft the direction and tempo of the required changes.

SMCR makes it personal.

On 9 December 2019, the Senior Managers Regime was applied to all FSMA-authorised firms. That means that senior decision makers at all large asset managers, insurers, investment firms, mortgage providers, consumer credit firms, crowdfunders and even sole traders are subject to scrutiny. That scrutiny requires you to adhere to your own corporate accountability in performing your role. That sounds entirely reasonable, and if you fail to do so, you can reasonably expect a sizeable personal fine.

So, SMCR plus Operational Resilience equals a high level of personal accountability for a moving target of business tolerances. In particular, the Chief Operations function (SMF24, for short) is likely to attract the majority of interest in assessing the viability of any operational resilience changes. The SMF24 will be under the microscope.

It’s not all about Cyber, but it probably is.

Your impact tolerances will cover issues from natural hazards, physical sabotage, third-party failure, data security failure and, of course, cyber attacks. It is cyber that represents the biggest unknown – the others are more easily mitigated. Whilst you can be covered by cyber insurance in the short term, it won’t help with the reputational fallout from not protecting your customers. The recovery from that is much harder than from any of the others.

The cloud providers are ready for reg. Well, some of them.

The recent Treasury Committee report “IT failures in the Financial Services Sector” identifies cloud providers as one of the emerging risks in the sector and states that “the case for the regulation of these providers to ensure high standards of operational resilience is therefore considerable”. Regulating them as critical infrastructure has been expected by the big three in Cloud (AWS, Google and Microsoft) and surely makes sense.

We’ve also seen a rise in multi-cloud environments and the ability to manage redundancy more effectively. Again, this is eminently sensible and will be looked on favourably by all the regulators.

Forget the reg timeline, keep calm and hurry up.

The standard response to any regulatory push is to do the minimum required. But I firmly believe that having market-leading operational resilience could be a source of competitive advantage. In the first instance, it’ll keep you in business when some others may well falter or suffer significant reputational damage. Increasingly, though, I see that operational resilience excellence will help FinServ firms win business too.

So, the FinServ winners will forget the regulatory timeline, work collaboratively, run pilots, keep calm and hurry up, and deservedly take more market share.

Chris Mills
Director, Financial Services