By Kate Needham-Bennett, Sr. Director of Resilience Innovation, Fusion Risk Management
The frequency and complexity of disruptions to business operations seem to be increasing across all industries, often with immediate and occasionally severe impacts on customers and wider markets. Over the past couple of decades, we have seen financial crises with reverberations felt worldwide, ramifications of a global pandemic, supply-chain disruptions due to incidents in transport routes, geopolitical conflicts causing rising tensions between global superpowers, divisions of economic alliances and zones, cyber and physical attacks on critical infrastructures, and various adverse climate-related events—all of which have tested the operational resilience of organisations and demonstrated how crucial it is in the current volatile environment.
This focus on operational resilience isn’t top of mind for businesses only, though; regulators have also raised its importance, introducing and enforcing regulations to ensure that standards are in place to prevent disastrous business disruptions that can affect the global community. The financial-services sector, in particular, is under the magnifying glass due to the immediate and monumental impacts disruptions can have on individuals’ livelihoods, with the insurance, energy and ICT (information and communications technology) outsourcing sectors also increasingly being scrutinised. For financial institutions, it is evident that now is the time to prioritise operational resilience from the top down.
How did we get here?
We’ve evolved as a sector from focusing on the recovery capabilities of mainframe hardware and IT (information technology) systems (1970s) and people and facilities (1980-90s) to a governance and compliance-driven approach (2000s) and the more holistic method of the modern day. This century has seen the introduction of industry standards concerning business continuity, such as the British Standards Institution’s (BSI’s) BS 25999 and the International Organization for Standardization’s (ISO’s) ISO 22301, the “Dear Chairman” letters and exercises (2012-15) seeking to understand technical resilience rather than just financial preparedness, and the House of Commons Treasury Select Committee’s inquiry and subsequent report on IT failures in the financial-services sector (2018-19), amongst other initiatives.
The deployment of operational resilience, the practice of cross-discipline cooperation and the lens of looking beyond the firm to the impacts on customers and markets have been a long time coming. The scale of the crises over the past few decades, particularly the global financial crisis (GFC) of 2008, led regulators and standards bodies to develop a range of guidelines, rules, policies and acts around resilience, risk, cybersecurity and IT to raise the standards of resilience to which the financial sector should be held accountable.
Regulations released
The United Kingdom took the lead on publishing financial-services operational-resilience regulations in 2021, following the circulation of discussion and consultation papers over a few years. The Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) established a framework to oversee and strengthen the resilience of important business services provided by the UK financial sector to drastically improve their abilities to continue delivering those services, mitigating impacts on stakeholders in times of disruption.
Simultaneously, the Basel Committee on Banking Supervision (BCBS) published its Principles for Operational Resilience and revised its Principles for the Sound Management of Operational Risk, reflecting the natural alignment between the two disciplines.
The CBI (Central Bank of Ireland) followed suit, releasing its aligned Cross Industry Guidance on Operational Resilience (the Guidance), while the APRA (Australian Prudential Regulation Authority) issued CPS 230 (Operational Risk Management), bringing together a range of other standards covering business continuity, operational risk and third-party risk management to strongly mirror the tactical requirements of operationally resilient organisations.
The European Union (EU) expanded upon that framework, introducing the Digital Operational Resilience Act (DORA) and increasing the scope of regulations to highlight ICT risks. The DORA looks to coordinate existing digital operational-resilience frameworks for distinct types of financial entities along with critical cloud-based and non-cloud-based technology and data service providers (TSPs, or technology service providers). Firms have until January 2025 to comply with its requirements, the goal being to improve the resilience of interdependent organisations and the digital resilience of the ecosystem’s supply chain.
In Singapore, the MAS (Monetary Authority of Singapore) issued updated business-continuity guidelines for financial institutions. These new revisions consider learnings from the UK’s initial regulations and the COVID-19 pandemic to, ideally, future-proof the country’s financial services. In addition to continuity planning, the MAS introduced regulations around threat monitoring and environmental scanning to mitigate critical threats. The HKMA (Hong Kong Monetary Authority) followed a similar approach to the UK’s, requiring operational-resilience framework development over the first year of implementation, with testing and remediation carried out over the subsequent three years.
Canada’s government is one of the latest to turn its focus to operational resilience. Its Office of the Superintendent of Financial Institutions (OSFI) is expected to finalise guidelines later this year for financial firms to implement more robust governance and risk-management programmes to strengthen supply chains. The United States is also following suit, with the Securities and Exchange Commission (SEC) finalising a comprehensive list of rules for cybersecurity-risk management and the Federal Reserve System (the Fed) publishing guidance on third-party relationships and risk management.
Operational resilience in the present day
With current regulations requiring compliance and, in some cases, true resilience by 2025, technological innovation is a game changer that can help firms more effectively navigate their journeys toward operational resilience. In years gone by, risk, resilience, cyber, supply chain and IT disciplines existed and operated in relatively siloed departments, unable to recognise the interconnectivity of their projects, endeavours and requirements.
Operational resilience comes from unifying those organisational silos and facilitating cooperation and transparency between those teams to create a succinct yet comprehensive programme from the top down. To do that, organisations must deploy new tech-enabled solutions to integrate the different aspects of continuity planning. Incidents generally do not impact individual areas of an organisation in isolation; they impact the whole organisation. As such, solutions must facilitate enterprise-wide responses.
Advanced tech-enabled innovations also allow institutions to implement a new global level of operational resilience that is fit for our modern world. For example, financial-services firms based or operating in multiple jurisdictions face the unique challenge of ensuring compliance across borders. They must demonstrate proactive and integrated approaches to operational resilience, a working knowledge of global regulatory policies and unified organisational approaches to compliance, all whilst ensuring that improved capabilities remain the cornerstones of their programmes. This necessitates implementing solutions that can centralise operational resilience and enable businesses to achieve the level of compliance at the scale that is now required.
Where do we go from here?
Regulators will only increase pressure on financial institutions and their critical third parties regarding operational resilience, as evidenced by the PRA’s release of DP3/22 (“Operational resilience: Critical third parties to the UK financial sector”) in the UK and the Federal Reserve Board’s (FRB’s, or the Fed’s) “Interagency Guidance on Third-Party Relationships: Risk Management” in the US. Regulatory bodies are stepping up worldwide, and it is not enough for firms to react to the mounting pressure; they must take proactive approaches to equip their organisations with the flexible tools needed to weather yet-unseen scenarios. These future-proofing efforts require streamlined approaches to continuity and technology investments, unifying processes and steps to ensure regulatory compliance across the entire organisation.
The unprecedented challenges of recent years have shown that the financial-services industry cannot operate through unforeseen crises and deliver on its customer and brand promises without a firm focus on, and investment in, operational resilience. By making operational resilience a key part of their programmes today, companies ensure uninterrupted operations in the face of the next unexpected challenge.