The leading knowledge platform for the financial technology industry

A-Team Insight Blogs

Operational Resilience Ranks High on Regulators’ List of Concerns

Increased regulatory scrutiny of operational resilience in capital markets is forcing firms to take a more proactive approach to maintaining critical business functions. Continuity planning inevitably comes into focus during major events such as a global pandemic. But regulators’ concerns around the prevalence of other incidents – from ransomware attacks to natural disasters – have heightened demand for operational resilience support, especially when they see the impact of such events on critical market infrastructure.

Although work on operational resilience by regulators and market participants pre-dates Covid-19, its development and implementation have been accelerated by the pandemic, according to Matt Smith, CEO of data analytics firm SteelEye.

“Those firms that struggled with manual or legacy solutions before the pandemic can expect regulators to become more demanding this year and beyond as they want to see evidence that demonstrates firms’ ability to deal with major incidents,” he says.

Emerging regulatory requirements – including the FCA’s new requirements and the EU’s Digital Operational Resilience Act (DORA) – are setting the bar for operational resilience as well as driving demand for specialist support, observes James Tedman, partner at cybersecurity services provider ACA Aponix.

“Reliance on outsourcing increases the challenge of identifying and managing risks,” he says. “Many firms have significant dependence on key service providers and it can be difficult to effectively identify resilience issues within the supply chain. Many of these third parties are operationally or financially critical and oversight is imperative to ensure that they do not increase cyber, data privacy, compliance, financial or other risks to the firm.”

Historically, operational resilience has often not been managed as an integrated, comprehensive programme, but instead through a piecemeal approach where components are tackled discretely and managed by separate groups within the organisation.

According to Tedman, regulations like DORA are shifting that dynamic by establishing that operational resilience programmes cannot be deemed successful unless all components are uniformly administered and work together efficiently.

The FCA’s new rules and guidance on operational resilience in the financial services sector – which come into effect from the end of March – will encourage firms to map out the people, processes and technology required to support important business services and support continual improvement and analysis, according to Roisin Floyd, research associate at data quality specialist Datactics.

“Developing internal and external communication plans and conducting ‘lessons learned exercises’ will help organisations move away from a culture of addressing a problem once it has happened,” she adds.

Tedman reckons most firms will already be undertaking many of the requirements, albeit less cohesively than the FCA’s rules require. For these firms, much of the effort required to comply with the regulations will lie in integrating and evidencing the various components of a robust operational resilience programme.

“From an IT risk perspective, the proposed regulation on digital operational resilience in the EU financial services sector will help to drive greater resilience and protect consumers,” he says. “The regulations bring much needed clarity around regulators’ expectations with respect to areas like technology, cybersecurity, business continuity and third party risk management.”

A harmonised approach with third party ICT providers is a reassuring development since it means everyone will be complying with a standardised set of regulations, says Floyd. “DORA’s standardised approach feeds into the bigger picture around operational resilience,” she continues. “However, it could be difficult to coordinate internal change in large, complex organisations with expansive teams.”

DORA is still a little way off – the details are not expected to be finalised much before the end of this year and the regulation is unlikely to enter into force until 2024.

Justin Henkel, head of the CISO centre of excellence at data privacy management software vendor OneTrust, observes that the new rules and guidance place an increased burden on organisations to respond to and uphold business functions while remediating regulatory oversight.

“That being said, they are a welcome development from the customer’s perspective as the EU regulatory body is implementing new guidelines to support a free-flowing market,” he adds.

Managing operational resilience requires good governance across several key risk drivers: how financial institutions adopt new, less established technologies; how they manage change and investment; cyber security and fraud risks; and climate factors and other ESG risks, says Johan Rosen, head of risk control for group functions at Swedbank.

“If governance is defined as a combination of rules, systems and processes that establishes both how an enterprise is controlled and operates but also how accountability is distributed, it could be argued that governance – if implemented effectively – guides the behaviours that make up risk culture,” he says. “Good governance should do just that but it should also break down silos and work consistently across all lines of defence.”

Rosen says operational resilience is all about taking responsibility for governance and management, adding that the use of purchased services or outsourced operations does not change accountability, only how governance is designed and implemented from design to daily operations to crisis management.

“Outsourced operational resilience vendor management needs to be first rate so as not to create complacency,” he continues. “It is all too easy to be lulled into believing that upgrades and configurations will just happen, but it requires trust and close dialogue with the outsourcing partner.”

“In my experience it is not so much the provider’s compliance that is the worry, but perhaps the maintenance of outsourcing relationships and contracts in order for the whole relationship to stay compliant in a rapidly changing regulatory environment.”

When asked for his views on DORA, Rosen acknowledges that bankers would rarely suggest additional regulation was a welcome development. “However, this regulation is an initiative to rationalise an increasingly fragmented regulatory landscape and has some interesting components that are sorely missing today,” he says. “One example is how it provides a clearer foundation for financial supervisors and another is how it extends to third party providers. We hope that the end result will be a more level playing field.”
