By Howard Womersley Smith, Partner, Reed Smith
Latest developments in operational resilience
As consumers demand easier and instantaneous access to their financial services, the reliance on technology by financial firms has increased, bringing greater risks to the availability and stability of the financial sector. These risks are intensified by the increasing adoption of fintech (financial technology), the greater use of (and reliance on) outsourcing and the pervasiveness of cyber-threats.
These risks have materialised in events such as the:
- banking information-technology (IT) failures of TSB Bank during its cut-over to new IT systems;
- ransomware attack still being suffered by Travelex;
- global focus on climate change; and
- current outbreak of the coronavirus. It is predicted that this will lead to less in-person interaction, thereby further increasing the demand for digital financial products.
These factors have led to concern by supervisory authorities in the United Kingdom that UK financial firms are not prepared or equipped, and therefore not resilient, to deal with them as they arise. These concerns have been encapsulated in the need for UK financial firms to have what has become known as “Operational Resilience” (OpRes). The concept isn’t new. It was previously used within the context of operational risk (OpRisk) before it was spun off and given its own standalone name.
The Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), as the UK’s financial regulators, jointly issued a Discussion Paper setting out their approach to the concept of OpRes. This Discussion Paper was followed by a suite of documents published in December 2019 by the three financial regulators (the supervisory authorities), which included consultation papers on their proposals to embed this approach to OpRes within the insurance and financial-services sectors (the Proposals). They contained their plans to update the regulatory framework on outsourcing and third-party risk management, which is a key component of the concept of OpRes. Clarity, and hopefully harmonisation, of this area is certainly needed since the EBA’s (European Banking Authority’s) guidelines on outsourcing came into force at the end of September 2019.
Concept of OpRes
With all of this work by the supervisory authorities to build and embed a regulatory framework around the newish concept of OpRes, what does the concept mean?
A definition of OpRes was touched upon in the Discussion Paper but has been formalised in the Proposals as being: “The ability of firms and FMIs [financial market infrastructures] and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”
The supervisory authorities recognise that it is not possible to prevent every risk from materialising, and that dependencies are often identified only once something has gone wrong. Therefore, the approach in the Discussion Paper and the Proposals is based on the assumption that major operational disruptions will occur, and on the expectation that firms have robust and reliable arrangements in place to deal with them when they do.
The Proposals go further, however, by requiring firms to put in place preventative measures that ensure that such major operational disruptions do not occur at all, which very much sounds like a risk-management activity.
OpRisk versus OpRes
While OpRisk looks at reducing the probability of disruption to a firm’s systems, people and processes as a result of an event, OpRes addresses the ability of firms (and the financial sector as a whole) to prevent, respond to, recover from and learn from operational disruptions.
However, the Proposals are not intended to replace existing rules, principles, expectations or guidance, including those on OpRisk or business continuity planning (BCP). They are intended to augment them and to sit alongside financial resilience on a higher level of compliance.
What does OpRes mean for financial firms?
OpRes is an outcome that depends on a variety of factors in order to achieve it. The Proposals set out a governance framework for identifying those factors and putting in place measures to achieve that outcome on a rolling, perpetual and self-assessed basis. That process is not, however, intended to be boundless. The key to it is proportionality, whereby firms are able to identify the level of detail necessary to deliver the desired outcome. The supervisory authorities give the example that due to the differing business models of firms, the same business service may be important to one firm but not to another.
What this means is that firms will not be able to apply a blanket approach to an OpRes project and certainly will not be able to buy a commoditised or off-the-shelf solution that magically upgrades all systems and processes to the required standard. Never has this been truer than when it comes to firms updating supplier contracts, as a gold-plated addendum could undo previously negotiated mechanisms that reach a higher standard than that required by the Proposals, or create conflict in contractual interpretation.
Identifying the firm’s business risk perspective is, therefore, a crucial first step before embarking on an OpRes transformation project. The Proposals assist with this by setting out a step-by-step approach to the requirements and expectations of firms, which include:
- identifying important business services by considering how disruption to these services could impact beyond a firm’s own commercial interests. The impact could include threatening or causing harm to consumers or market participants, market integrity, policyholder protection, safety and soundness, or financial stability. The consultation papers themselves explain how firms should approach the identification of important business services;
- setting impact tolerances for each important business service. These will quantify the amount of disruption that could be tolerated in the event of an incident, such as the maximum acceptable outage time of a business service before the harms listed above would be caused;
- understanding and mapping the systems and processes needed to support the important business services;
- setting measures using those systems and processes in order to remain within the impact tolerances; and
- testing them using plausible scenarios for context. This should extend down to the firm’s outsourcing and supply chains.
These provisions coincide with the PRA launching a separate consultation on outsourcing and third-party risk management and the FCA including a chapter on the same subject within its OpRes consultation paper. Each set of rules will, of course, need to dovetail with the recently implemented Guidelines on outsourcing arrangements issued by the European Banking Authority and the EBA’s Guidelines on ICT (information and communication technology) and security risk management, which will come into force later this year on June 30.
Implementing an operationally resilient regime within a firm must be carried out from the ground up. On the basis that firms comprise people, processes and systems, the implementation must be carried out deep within the culture of a firm as well as within the design architecture and functionality of the processes and systems.
This is the biggest challenge for all firms, not least the large institutions that have been struggling to maintain the stability of creaking legacy technology systems, while at the same time innovating new products and upskilling to respond to the modern threat from cyber-attacks. Making incremental changes will not have the impact required in order to solve this problem. It takes a transformative-level project to do so.
Obtaining board approval and securing an internal budget for a project of the size and scale required in order to achieve success in this arena is a frequent challenge for firms. This is further compounded by the external challenges that the supervisory authorities have recognised must be overcome in order to make firms’ businesses resilient to operational disruptions:
- technical innovation from fintech and emerging technologies, such as artificial intelligence, distributed ledger technology and demand for crypto-assets;
- changing behaviours, particularly from consumers who demand instant access, mobile technology and faster transactions;
- keeping pace with the speed of innovation in technology and the sophistication of external threats, particularly in the cybersecurity space;
- a challenging environment, in which there is increased scrutiny on shareholder value and value for money from customers, who so easily switch to new providers; and
- system complexity, especially in the context of outsourcing and the use of third-party suppliers. Firms must balance concentration risk that may provide economies of scale against spreading the risk of supplier failure in order to drive innovation and ensure price competitiveness.
After the consultations close on April 3, 2020, the PRA and FCA aim to publish their final OpRes policies in the second half of 2020, requiring financial firms to implement the rules during the second half of 2021. This gives firms little time to prepare, let alone build the scale of the transformation project required in order to achieve OpRes. These requirements will also come after the transition period for the UK’s withdrawal from the European Union and possibly when firms have more clarity around how they are to deal with their cross-border businesses.
Theory would say that dealing with all of these problems at once would ensure consistency within the firms solving them. The reality is that these problems are on a scale in terms of size and cost never experienced before by firms within the financial sector. In order to cope, firms will need assurance from the supervisory authorities that enforcement of the OpRes rules, once they have come into force, will be slow and light-touch, which is unlikely to come.
The best advice is for firms to adopt a paper-compliance approach first and to implement that paper, once they are able to. Although this may feel like an approach from which we moved away post-financial crisis, in some cases, it may be the only way that firms are going to be able to cope with what is on their plates over the next 22 months and beyond.
Firms could, therefore, consider drawing up the following documents, or adapting existing ones, in accordance with the Proposals (and the new OpRes requirements once issued) in order to demonstrate to the supervisory authorities their intentions and their journeys to compliance:
- the planning aspects of the requirements set down by the Proposals (see What does OpRes mean for financial firms? section above);
- third-party governance controls, including materiality risk assessments;
- outsourcing policy, including analysis of what a firm has outsourced within its third-party supplier inventory;
- supplier contracts and outsourcing arrangements;
- information security policies, including cyber-incident response and data-protection policies;
- data-retention and -erasure procedures and policies;
- business continuity plans; and
- supplier exit plans.