The deadline to adopt the new regulation is fast approaching, but rigorously planning for impacts and disruptions can make firms more stable and adaptable going forward, says Eurobase’s Dhavarajh Frank.
When things go wrong for millions of customers simultaneously, it can imperil the functioning of the entire economic landscape. Data breaches, outages, and major disruptions have been challenging for all industries, but particularly for the financial sector given its sleepless role in powering global business. Governments and bodies have reacted to these disruptions by calling on regulators to step up efforts.
At the end of March 2021, the Bank of England’s Prudential Regulation Authority (PRA) issued a new Supervisory Statement (SS2/21). It was coupled to a second statement, Operational Resilience: Impact Tolerances for Important Business (SS1/21). Effective as of March 31, 2022, the latter obligates financial services firms to ensure compliance by planning for “severe but plausible” risks connected to critical business services and to set proportional impact tolerances. Organisations are expected to present a cogent plan for remaining within their impact tolerances no later than March 31, 2025.
Given the scale of complying with SS1/21, vigilant and ongoing project planning will be key: ensuring that vulnerabilities are comprehensively mapped and that a programme of scenario testing has been instituted will be crucial to this effort.
At Eurobase, a software provider to financial services firms worldwide, the scope of the new regulation has yielded some vital insights. One such point of note is the need for in-scope firms to acknowledge that significant risks are ubiquitous. Some level of disruption to the delivery of services is inevitable; in recognition of this, the regulators are asking firms to implement outcome-based impact tolerances. To be able to deliver on these, collaboration with counterparties, suppliers, and other stakeholders will be needed to ensure there is total buy-in to the impact tolerances proposed.
Accepting the inexorability of disruption is, strangely, beneficial to operational resilience. The real presence of incidents and disruptions is akin to sparring – it keeps risk reflexes keen and encourages a culture of continual learning. A nimble firm is also one which can comply more effectively with SS1/21: operational resilience fundamentally enables a business to adapt faster and more safely to new challenges in the digital world.
A firm can also strengthen its ability to comply with the new regulation by understanding that operational resilience is a thread that can be woven into its decision-making culture. Operational resilience itself is the result of effective business continuity, internal cross-examination, and the alignment of contributions through oversight and governance structures.
So, how can firms leverage existing culture and governance to ensure compliance? “One method would be to recalibrate current performance management systems to focus on operational resilience”, says Dhavarajh Frank, General Manager for Banking and Financial Services at Eurobase. Dhavarajh continues, “Firms may wish to reward and incentivise for this focus too. As the new regulation stipulates that senior management will have responsibility for delivering policy outcomes on operational resilience, firms may elect to leverage the SMCR regime to ensure transparency and accountability.”
The new regulation mandates that firms protect consumers and provide real confidence in the UK’s banking and financial services environment. Indeed, given the pace at which firms have come to depend on new forms of complex digital technology, the focus on operational resilience is here for the long haul.
The new rules and guidance will compel firms to report major operational risk failures and enjoin them to prove they have resolution plans available to address them. Firms must also have planned, exercised, and practised effective communication and redress responses for negative eventualities. As part of this, it will be crucial to review and update scenario testing contingencies for severe but plausible disruptions. These scenario tests should ideally include multiple teams and relevant third parties, so that rehearsed responses are properly coordinated across a wide gamut of potential events.
Financial firms can identify and prioritise key business services by drafting lists of the offerings they provide to their customers and grading them by impact and scope, says Dhavarajh. These services can then be mapped across operations, infrastructure, and IT to identify and understand the critical points of risk.
To further refine the set of important business services, regular scenario testing should be performed against the prioritised objectives to mitigate the fallout from risk. All such risk events should be recorded in regular review procedures, and, says Dhavarajh, “it is vital to implement an Enterprise Risk Management (ERM) framework which subtends all essential business services.”
What impact, then, will improving operational resilience have on customer experience? “Ultimately, a focus on assuring operational resilience prevents causing harm to customers and other stakeholders by making firms more crisis-resistant, mitigating the fallout from disruption, and combatting financial instability. Therefore, increased operational resilience should provide confidence to consumers by building loyalty for firms which can demonstrate their adaptability and durability in the face of disruptive duress”, says Dhavarajh.
Strengthening operational resilience can also bolster customer experience by virtue of its association with enhanced verification and identity checks that mitigate the risk of fraud in transaction scenarios. Similarly, compliance is more likely when the communications strategy for advising customers and end-users of likely outages and disruptions is better planned and better prepared, reducing harm and inconvenience.
There is evidence to suggest that the increased focus on operational risk from financial regulators is, at least in part, driven by public attention on recent high-profile cyberattacks. Certainly, the risk of these is pervasive – the frequency and likelihood of cyberattacks have also increased over time as a result of digitalisation and seem likely to intensify in the future.
Because a cyberattack is a severe but plausible risk, it is advisable to refer to advisories from the National Cyber Security Centre (NCSC) for steer and guidance when considering a firm’s ability to withstand one. Stress tests, up-to-date business continuity and incident management protocols, and the reporting of incidents to the Financial Conduct Authority (FCA) are all pivotal too.
Cyber threats have contributed to the increased regulatory focus on operational risk and are a core component of cyber and operational resilience frameworks. That said, while the peril of large, state-sponsored cyberattacks is certainly a reality, it is also important to consider a wide range of internal and external strategic, regulatory, and operational risks to ensure full compliance with SS2/21.