Increased regulatory scrutiny of operational resilience in capital markets is forcing firms to take a more proactive approach to maintaining critical business functions. Continuity planning inevitably comes into focus during major events such as a global pandemic. But regulators’ concerns around the prevalence of other incidents – from ransomware attacks to natural disasters – have heightened demand for operational resilience support, especially when they see the impact of such events on critical market infrastructure.
Although work on operational resilience by regulators and market participants pre-dates Covid-19, its development and implementation have been accelerated by the pandemic, according to Matt Smith, CEO of data analytics firm SteelEye.
“Those firms that struggled with manual or legacy solutions before the pandemic can expect regulators to become more demanding this year and beyond as they want to see evidence that demonstrates firms’ ability to deal with major incidents,” he says.

Emerging regulatory requirements – including the FCA’s new rules and the EU’s Digital Operational Resilience Act (DORA) – are setting the bar for operational resilience as well as driving demand for specialist support, observes James Tedman, partner at cybersecurity services provider ACA Aponix.
“Reliance on outsourcing increases the challenge of identifying and managing risks,” he says. “Many firms have significant dependence on key service providers and it can be difficult to effectively identify resilience issues within the supply chain. Many of these third parties are operationally or financially critical and oversight is imperative to ensure that they do not increase cyber, data privacy, compliance, financial or other risks to the firm.”
Historically, operational resilience has often not been managed as an integrated, comprehensive programme, but instead through a piecemeal approach where components are tackled discretely and managed by separate groups within the organisation.
According to Tedman, regulations like DORA are shifting that dynamic by establishing that operational resilience programmes cannot be deemed successful unless all components are uniformly administered and work together efficiently.
The FCA’s new rules and guidance on operational resilience in the financial services sector – which come into effect from the end of March 2022 – will encourage firms to map out the people, processes and technology required to deliver their important business services, and to support continual analysis and improvement of that mapping, according to Roisin Floyd, research associate at data quality specialist Datactics.
“Developing internal and external communication plans and conducting ‘lessons learned exercises’ will help organisations move away from a culture of addressing a problem once it has happened,” she adds.
Tedman reckons most firms will already be undertaking many of the requirements, albeit less cohesively than the FCA’s rules require. For these firms, much of the effort required to comply with the regulations will lie in integrating and evidencing the various components of a robust operational resilience programme.
“From an IT risk perspective, the proposed regulation on digital operational resilience in the EU financial services sector will help to drive greater resilience and protect consumers,” he says. “The regulations bring much needed clarity around regulators’ expectations with respect to areas like technology, cybersecurity, business continuity and third party risk management.”
A harmonised approach to third party ICT providers is a reassuring development since it means everyone will be complying with a standardised set of regulations, says Floyd. “DORA’s standardised approach feeds into the bigger picture around operational resilience,” she continues. “However, it could be difficult to coordinate internal change in large, complex organisations with expansive teams.”
DORA is still a little way off – the details are not expected to be finalised much before the end of this year and the regulation is unlikely to enter into force until 2024.
Justin Henkel, head of the CISO centre of excellence at data privacy management software vendor OneTrust, observes that the new rules and guidance place an increased burden on organisations to respond to and uphold business functions while remediating regulatory oversight.
“That being said, they are a welcome development from the customer’s perspective as the EU regulatory body is implementing new guidelines to support a free-flowing market,” he adds.
Managing operational resilience requires good governance of several key risk drivers, says Johan Rosen, head of risk control for group functions at Swedbank: how financial institutions adopt new, less established technologies; how they manage change and investment; cyber security and fraud risks; and climate factors and other ESG risks.
“If governance is defined as a combination of rules, systems and processes that establishes not only how an enterprise is controlled and operates but also how accountability is distributed, it could be argued that governance – if implemented effectively – guides the behaviours that make up risk culture,” he says. “Good governance should do just that but it should also break down silos and work consistently across all lines of defence.”
Rosen says operational resilience is all about taking responsibility for governance and management, adding that the use of purchased services or outsourced operations does not change accountability, only how governance is designed and implemented, from initial design through daily operations to crisis management.
“Outsourced operational resilience vendor management needs to be first-rate so as not to create complacency,” he continues. “It is all too easy to be lulled into believing that upgrades and configurations will just happen, but it requires trust and close dialogue with the outsourcing partner.”
“In my experience it is not so much the provider’s compliance that is the worry, but perhaps the maintenance of outsourcing relationships and contracts in order for the whole relationship to stay compliant in a rapidly changing regulatory environment.”
When asked for his views on DORA, Rosen acknowledges that bankers would rarely suggest additional regulation was a welcome development. “However, this regulation is an initiative to rationalise an increasingly fragmented regulatory landscape and has some interesting components that are sorely missing today,” he says. “One example is how it provides a clearer foundation for financial supervisors and another is how it extends to third party providers. We hope that the end result will be a more level playing field.”