A steady hand on the tiller: how to build operational resilience
13 December 2019
In a financial services sector heavily reliant on technology and subject to increasing numbers of cyber-attacks, how can firms hope to avoid operational disruption? This is the focus of a suite of consultation papers published on 5 December by the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England. Although a joint policy statement is not expected until the second half of 2020, there are recommended actions in the consultation papers that firms and financial market infrastructures (FMIs) should take note of now.
Building on concepts set out in their 2018 joint discussion paper, and incorporating feedback received from market participants, the regulators’ proposals seek to ensure the operational resilience of firms and FMIs. In a speech given on the day the proposals were published, Megan Butler, Executive Director of Supervision at the FCA, said that the intention of the regulators is to change how the industry thinks about operational resilience, emphasising the need for firms to be resilient to a wider range of operational risks than cyber-attacks alone.
Operational failures: a growing enforcement risk
The consultation papers follow closely behind a report by the House of Commons Treasury Committee (which we have summarised here) on IT failures in the financial services sector. It is clear that technological and operational failures are prominent items on the agendas of the FCA and the PRA.
The number of IT incidents reported to the FCA increased by 187% between 2017 and 2018. The majority of these related to the retail banking sector, which had over five times as many reported incidents as the next highest sector. The impact of such disruptions can range from customer inconvenience to customer harm and, in extreme circumstances, may also call into question a firm's safety, soundness and viability. There are important enforcement risks here.
Key points in the new consultation papers
The key points arising from the proposals in the new consultation papers are as follows.
- What does it all mean? First, it is important to understand exactly what we are talking about. Three of the key terms contained in the proposals are helpfully defined by the regulators as follows:
  - Operational resilience – ‘the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, record and learn from operational disruptions’.
  - Impact tolerance – ‘the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption’.
  - Important business service – ‘a service provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability’.
- The problem. A lack of operational resilience poses a threat to the statutory objectives of each of the regulators, as well as endangering their shared goal of financial stability. They are therefore working together to ensure a consistent approach is applied to these risks across the financial sector. Although the precise methods adopted by each regulator will necessarily be different, their intended outcomes align.
- The approach. The regulators accept that, regardless of policy and strategy, major operational disruptions will occur. It is not possible to prevent every risk materialising. As a result, the proposals aim to ensure that, when a disruption does occur, firms have robust, reliable and adequately resourced arrangements in place to deal with it. Firms are required to take ownership of their operational resilience and communicate clearly with the public in relation to any disruption.
- Key proposals. In very brief summary, the proposals would require firms to take the following steps:
  - identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms, or cause instability in the financial system;
  - set impact tolerances for each important business service, which quantify the maximum tolerable level of disruption;
  - identify and document the people, processes, technology, facilities and information that support their important business services (known as ‘mapping’); and
  - take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios (known as ‘scenario testing’).
- Important business services. The continuity of important business services is an essential component of operational resilience and, as such, is the focus of the regulators’ proposals. Firms are responsible for identifying which of their business services are the ‘important’ ones. Once they have done so, the operational resilience of these services should be prioritised. The proposals do not prescribe how such services should be identified, nor do they list which services should ordinarily be considered ‘important’ – this is a decision left to firms’ discretion.
- Impact tolerances. Firms are required to identify specific metrics for the maximum tolerable level of disruption for important business services. These metrics could measure the extent of disruption, for example, by determining the maximum number of customers or transactions that could tolerably be affected. Firms should also consider the maximum tolerable duration of such a disruption.
The proposals confirm that impact tolerances are not the same as ‘risk appetite’, in that impact tolerances assume a particular risk has crystallised. The regulators hope that their use of impact tolerances will increase firms’ focus on their operational resilience before risks have crystallised.
- Delivering operational resilience. In order to deliver operational resilience, the regulators explain that firms should be prepared to take ‘decisive and effective’ actions, such as replacing outdated or inadequate infrastructure or increasing the capacity of their systems. Any deficiencies in a firm’s operational resilience should be addressed as a matter of priority.
- Scenario testing. One way in which a firm can test its ability to remain within its impact tolerances in the event of a severe (but plausible) operational disruption is through scenario testing. When conducting such testing, firms must identify an appropriate range of adverse circumstances (varying in nature, severity and duration) and consider the operational risks inherent in such circumstances.
- Mapping. According to the regulators, an operationally resilient firm will have in place a comprehensive understanding of the systems and processes that support each of its important business services. This will enable it to understand how such services operate and how they could be disrupted. The mapping process should help firms identify potential vulnerabilities (such as an over-reliance on a single resource) and take action against them.
- Oversight and accountability. The regulators have made it clear that, consistent with their expectations under the Senior Managers and Certification Regime, firms should establish clear lines of responsibility for the management of operational resilience. The consultation papers suggest that responsibility for implementing the new proposals may fall to a firm’s Chief Operating Officer (SMF24), but that ultimately firms should determine who is the most appropriate Senior Manager to hold this responsibility. In addition, regulators expect boards and management committees to have appropriate information available to them to inform decision-making which could affect operational resilience. Although individual board or committee members will not necessarily be required to be technical experts on operational resilience, they should collectively have adequate knowledge, skills and expertise to provide constructive challenge to senior management.
- Evidence. The consultation papers also propose that firms should create and maintain self-assessment documents relating to operational resilience. These self-assessments should include factors such as firms’ approaches to mapping, their impact tolerances and ‘lessons learned’ from operational resilience issues that arise. The regulators’ expectation is that firms’ boards or management committees should review and approve these self-assessment documents on a regular basis.
- Third parties. In conjunction with these operational resilience proposals, the PRA has published a consultation paper on outsourcing and third party risk management. The FCA’s consultation paper also contains a chapter on outsourcing. This emphasises the regulators’ expectation that firms should ensure they can remain within their impact tolerances even when relying on third parties, such as outsourcing companies. Firms cannot delegate any part of their regulatory responsibilities to a third party.
Firms have until 3 April 2020 to submit responses to the consultation proposals. Once the consultation has closed and the regulators have reflected on the responses they receive, a joint policy statement will be published in the second half of 2020.