Regulators expect the financial services sector to demonstrate a coherent approach to implementing operational resilience. Attendees at a virtual roundtable discussed their progress.
The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have set out requirements for operational resilience in financial services, said Chris Butler, of Sungard Availability Services (Sungard AS), introducing a virtual roundtable event.
Speaking to an audience of senior executives from the financial services sector, Mr Butler noted that the regulators have set out their guidance, but have largely left it to firms to determine how they should implement suitable measures.
They want to see informed thinking, tangible processes, and clear actions. But how has the sector reacted?
Overall, progress to date appears to have been positive. The regulators appear to have spurred action.
Many organisations in the financial services sector, particularly the major Tier 1 firms such as the large retail banks, have always expected to be ahead of regulation. However, attendees said that the regulators have offered a useful framework on resilience.
Most attendees felt that the freedom permitted by the regulators was a good thing, though some found the lack of detailed requirements frustrating.
Mapping important business services
Leadership is important for any major project, and the Chief Operating Officer was the most common owner of these projects, usually with support from the risk management and resilience (or business continuity) teams.
Few of the organisations represented had advanced very far in the projects. All were in some stage of mapping their processes.
Mapping important business services has proved to be complex. Organisations need to identify any service that, if it were to fail, would have an impact on the customer, the organisation’s viability, or the wider financial market.
Most organisations recognise the need to prioritise their important business services. But those that try to map every single process end up becoming bogged down in complexity. It is better, said Sungard AS’s William Owen, to start by identifying where processes have known vulnerabilities or problem areas.
There is a wide range of software available to support service mapping, but most organisations are still very much in the early days of trying to work out what their requirements might be.
What matters at this stage is developing high-level activity maps. Organisations can then develop and refine their process descriptions, based on continuous improvement. Firms that establish a pilot project and learn from it seem to achieve success.
At root, though, mapping helps to identify the resources needed to deliver the most important business services and to show where any vulnerabilities might exist.
Defining impact tolerance
Central to operational resilience is the idea of impact tolerance. Defining this has proved complex. Delegates at the briefing felt that it is hard to get an objective view of what it means.
This is because it depends on many factors, including the number and type of customers at risk and the potential financial losses. The impacts on the business and on the customer, should the service be disrupted, are also relevant.
All agreed that it is vital to map services that, when disrupted, could cause intolerable harm. But just what is intolerable? Organisations felt that they are having to set their own boundaries for disruptions that could result in inconvenience, those that could cause real damage, and those that could lead to intolerable harm.
As the regulators do not set specific definitions or metrics for the concept of harm, it is up to firms to justify their approach.
One thing to keep in mind here is that the regulators are expected to be receptive to organisations that have made a serious effort to understand the harms caused and can provide cogent analysis to support the mitigation measures they have implemented.
Testing the system
The next stage, which many attendees had yet to reach, is to simulate disruptions and test the response measures. This could mean, for example, disaster recovery testing of technology systems to confirm impacts on the business and to identify the additional mitigation measures that might be necessary.
Full tabletop simulations with senior executives will allow them to understand their response to a major disruption or crisis.
For any kind of test, said Mr Butler, the priority is to define the scope of the test at the outset. Some organisations attempt tests that are too broad and end up missing out vital elements, or gathering more data than they can meaningfully analyse.
Summarising the discussion, Mr Owen said that many of the organisations at the briefing were further behind in their operational resilience efforts than he expected. However, they should all be capable of meeting the spring 2022 deadline set by the regulators for an initial response.
He urged them to keep their processes moving and refine things in due course. There is still more work to be done.