The knowledge platform for the financial technology industry

A-Team Insight Blogs

Operational Resilience Ranks High on Regulators’ List of Concerns


Increased regulatory scrutiny of operational resilience in capital markets is forcing firms to take a more proactive approach to maintaining critical business functions. Continuity planning inevitably comes into focus during major events such as a global pandemic. But regulators’ concerns around the prevalence of other incidents – from ransomware attacks to natural disasters – have heightened demand for operational resilience support, especially when they see the impact of such events on critical market infrastructure.

Although work on operational resilience by regulators and market participants pre-dates Covid-19, its development and implementation have been accelerated by the pandemic, according to Matt Smith, CEO of data analytics firm SteelEye.

“Those firms that struggled with manual or legacy solutions before the pandemic can expect regulators to become more demanding this year and beyond as they want to see evidence that demonstrates firms’ ability to deal with major incidents,” he says.

Emerging regulatory requirements – including the FCA’s new requirements and the EU’s Digital Operational Resilience Act (DORA) – are setting the bar for operational resilience as well as driving demand for specialist support, observes James Tedman, partner at cybersecurity services provider ACA Aponix.

“Reliance on outsourcing increases the challenge of identifying and managing risks,” he says. “Many firms have significant dependence on key service providers and it can be difficult to effectively identify resilience issues within the supply chain. Many of these third parties are operationally or financially critical and oversight is imperative to ensure that they do not increase cyber, data privacy, compliance, financial or other risks to the firm.”

Historically, operational resilience has often not been managed as an integrated, comprehensive programme, but instead through a piecemeal approach where components are tackled discretely and managed by separate groups within the organisation.

According to Tedman, regulations like DORA are shifting that dynamic by establishing that operational resilience programmes cannot be deemed successful unless all components are uniformly administered and work together efficiently.

The FCA’s new rules and guidance on operational resilience in the financial services sector – which come into effect from the end of March – will encourage firms to map out the people, processes and technology required to deliver important business services, and to support continual improvement and analysis, according to Roisin Floyd, research associate at data quality specialist Datactics.

“Developing internal and external communication plans and conducting ‘lessons learned exercises’ will help organisations move away from a culture of addressing a problem once it has happened,” she adds.

Tedman reckons most firms will already be undertaking many of the requirements, albeit less cohesively than the FCA’s rules require. For these firms, much of the effort required to comply with the regulations will lie in integrating and evidencing the various components of a robust operational resilience programme.

“From an IT risk perspective, the proposed regulation on digital operational resilience in the EU financial services sector will help to drive greater resilience and protect consumers,” he says. “The regulations bring much needed clarity around regulators’ expectations with respect to areas like technology, cybersecurity, business continuity and third party risk management.”

A harmonised approach with third party ICT providers is a reassuring development since it means everyone will be complying with a standardised set of regulations, says Floyd. “DORA’s standardised approach feeds into the bigger picture around operational resilience,” she continues. “However, it could be difficult to coordinate internal change in large, complex organisations with expansive teams.”

DORA is still a little way off – the details are not expected to be finalised much before the end of this year and the regulation is unlikely to enter into force until 2024.

Justin Henkel, head of the CISO centre of excellence at data privacy management software vendor OneTrust, observes that the new rules and guidance place an increased burden on organisations to respond to and uphold business functions while remediating regulatory oversight.

“That being said, they are a welcome development from the customer’s perspective as the EU regulatory body is implementing new guidelines to support a free-flowing market,” he adds.

Managing operational resilience requires good governance around several key risk drivers: how financial institutions adopt new, less established technologies; how they manage change and investment; cyber security and fraud risks; and climate factors and other ESG risks, says Johan Rosen, head of risk control for group functions at Swedbank.

“If governance is defined as a combination of rules, systems and processes that establishes both how an enterprise is controlled and operates but also how accountability is distributed, it could be argued that governance – if implemented effectively – guides the behaviours that make up risk culture,” he says. “Good governance should do just that but it should also break down silos and work consistently across all lines of defence.”

Rosen says operational resilience is all about taking responsibility for governance and management, adding that the use of purchased services or outsourced operations does not change accountability, only how governance is designed and implemented from design to daily operations to crisis management.

“Outsourced operational resilience vendor management needs to be first rate so as not to create complacency,” he continues. “It is all too easy to be lulled into believing that upgrades and configurations will just happen, but it requires trust and close dialogue with the outsourcing partner.”

“In my experience it is not so much the provider’s compliance that is the worry, but perhaps the maintenance of outsourcing relationships and contracts in order for the whole relationship to stay compliant in a rapidly changing regulatory environment.”

When asked for his views on DORA, Rosen acknowledges that bankers would rarely suggest additional regulation was a welcome development. “However, this regulation is an initiative to rationalise an increasingly fragmented regulatory landscape and has some interesting components that are sorely missing today,” he says. “One example is how it provides a clearer foundation for financial supervisors and another is how it extends to third party providers. We hope that the end result will be a more level playing field.”
