Financial services risk and regulation unravelled podcast

Episode 1: Operational resilience


Participants:

  • Gavin Stewart, Director, Financial Services Group, Grant Thornton
  • Irina Velkova, Associate Director, Financial Services Group, Grant Thornton
  • Andrew Rogan, Director of Operational Resilience Digital Technology & Cyber, UK Finance
  • Tim Armit, former Resilience and Business Continuity Manager, Post Office

Irina Velkova

Hello and welcome to the first episode of Risk and Regulation Unravelled, our Grant Thornton Financial Services podcast. I'm Irina Velkova, your regular host, and I bring to you conversations about the dynamic world of risk and regulations. We help our financial services clients understand new regulatory developments, upcoming changes, and how to stay ahead of the regulatory curve by inviting renowned experts to share their insights.

In today's episode, I'm joined by Andrew Rogan from UK Finance, the collective voice for the banking and finance industry in the UK. Andrew is UK Finance's lead on operational resilience and in his role as a Director, he engages with Government and other key stakeholders, focussing on delivering positive outcomes with respect to operational resilience.

I'm pleased to also welcome Tim Armit.  Tim has been most recently the Post Office’s Resilience and Business Continuity Manager and has extensive experience in resilience matters starting as far back as 1989 when the term ‘operational resilience’ was not even coined.

Tim has delivered solutions globally across a number of companies, including the Bank of England, BBC, Nestle, HMRC, Marathon Oil and many others and has worked in over 16 countries. Tim has served in the army and is also a regular Ironman triathlete and marathon runner, which takes some serious risk management. How very impressive, you clearly know about resilience from any point of view Tim. Great to have you today.

And last but not least, we have Gavin Stewart who is a director in our regulatory practice.  Ex-regulator himself and the steward of our regulatory thought leadership. Welcome, Gavin.

We are recording this episode remotely, so please excuse us if this impacts the quality of the sound. As you might have guessed from the introductions of my esteemed guests, today, we'll be talking about operational resilience. With the PRA and FCA’s joint policy statement on operational resilience expected imminently, firms are still grappling with requirements and any changes they may need to introduce to their businesses to be compliant.

Even without the regulatory niche though, the current COVID-19 crisis has certainly placed resilience in the spotlight, as many organisations have had to transform their operations overnight to be effective in a remote environment. This has inevitably increased operational risk and the safeguards that had to be put in place to tackle this challenge.

From a regulatory standpoint, the aim of operational resilience is to encourage firms to consider the impact of disruption they can experience and prevent, adapt, respond to, recover and learn from this, so as to protect their customers and businesses. But are firms clear on what is expected from them?

So, shall we start by defining what is operational resilience and how we got here? Tim, would you like to share your perspective first maybe?

Tim Armit

Sure. I’ve been doing this for a long time now and I've seen an awful lot of things come and go, and a lot of different approaches come and go as well and the bottom line is that most organisations want to protect themselves. I sometimes think that external forces aren't always helpful, because a company wants to be there, it wants to continue to trade, it wants to continue to do business and deliver the best for its customers and I can understand why some of the external forces from regulators or controlling bodies want to get an understanding themselves of how companies are, but I'm not sure that stricter enforcement or stricter rules will actually help or change much in the market.

I think over the years, we've seen many companies, that the biggest problem that companies have ever had, have generally been self-inflicted, rather than external pressures as well and I think this scope of operational resilience at the moment in a lot of organisations is still very physical and auctioned, and it needs to be more holistic and wider. I do welcome some of the things in the regulations where they look at the interoperability between different external providers and internal providers. But I’ll be interested to get into this debate with the other guys as well, just to see their opinions on what they think this brings.

Irina Velkova

Andrew, is that your experience as well, with the businesses you're working with? Are the regulations actually helping or not?

Andrew Rogan

Well, we're at a real inflection point actually, whereas we're transitioning from a sort of regulatory regime where operational resilience was implicit rather than explicit into something much more hardcore and conservative, written down and conservative. My path to this subject, operational resilience, goes back quite a long way and I'm looking at this from a trade association, from the political point of view.

Where I first really heard about operational resilience was in the wake of the RBS, the then RBS's IT outage in 2012, which I think was a three day IT problem which in hindsight actually looks quite quaint these days, that people weren't able to log on, with some inconvenience, but it was shortly thereafter that actually Mark Carney, who at that stage was the new Governor of the Bank of England, coined this phrase 'Operational Resilience' and I think there was a growing awareness on the part of the supervisors that actually, in the wake of the global financial crisis, we'd seen a lot of consolidation across businesses and that, in practice, meant that a lot of legacy IT systems were now being operated by single group entities, or across group entities, and that was causing problems.

I think there was a growing awareness of the future of digitalisation, which even back then looked very different than it does now, but an awareness that there was a challenge coming as firms utilise new technologies to serve their customers, and third is that, thanks to social media and the speed that news travels these days, expectations of customers were much more demanding and much more challenging than they had been even 10 years before. So, despite the proliferation of ways that customers engage with their financial services providers, their banks, actually they were becoming much more aware and attuned to, and sensitive to, any disruption that came in front of that.

Now, since that time, we've had numerous operational disruptions. Some more of an inconvenience rather than a significant issue, others really quite impactful in the way that they affected customers and the system as a whole, but generally speaking, where we are now is a reflection of at least eight or nine years of hard thinking by regulators and industry, which is exactly the point that Tim made, and also changing customer expectations.

Irina Velkova

Yeah, that sounds like a really good summary as to where we've got to. Gavin, do you think that the new policy statement, for example, is going to actually help with the disruption?

Gavin Stewart

Yes, I think it will help. But I do think it's the start rather than the end of the journey.  I agree with Andrew, that a lot of this goes back to 2012 and the RBS outage.

I think that was the first kind of time where regulators kind of confronted what this might look like in a world where there's social media, where everything happens much faster and where legacy systems really start being a kind of a drag on not just firms, but the system as a whole, and I think the other thing that's kind of come into the mix much more over the last few years is the kind of cyber-attack element to it, and I think the regulators, particularly the PRA, who were less interested back in 2012 than the FCA, I think the PRA is very conscious of the potential systemic elements in this.

So, they're looking at things like single point of failure, and so on. So, I think one of the things we'll probably explore is, to what extent we'll end up with some kind of industry standard as opposed to individual firms doing what they see is right for them.

Irina Velkova

Yeah, that sounds very reasonable. Obviously, there is a lot for firms to think about in that whole, potentially upcoming standards concept, and obviously, all the regulatory guidance, but are there any key issues or matters that boards, for example, of organisations need to concern themselves with, so as to make sure they can sleep at night, to put it that way?

Tim Armit

I'll jump in on this. I think one of my frustrations on this is, I’ll go right back to the beginning of our industry, the industry is not much more than 35 years old, has been looking at resilience in different names or forms and in the early days, an awful lot of people that came into it were either ex-IT or ex-facilities, ex-security, ex-police or ex-army and the one thing they all had in common was none of them were business people and they came in to create a business, an industry to start looking at resilience and hardness of organisations and maybe our industry, my industry hasn't grown up enough in its quality or its understanding of what's required, because if you read the 68 pages or whichever one of these documents you read through, after the first few pages when it starts repeating itself, all it’s saying is, what's important to you, how long can you tolerate it being down, and how much would it hurt other people if it was down, that's it.

Now, if you haven't been doing that for the last 30 years in your company, you've been doing the wrong job, and you shouldn't be in this industry because that's the simplest thing.  Now to overcomplicate this and then to say you'll need £1.9 million or something to fix it is a terribly scary thing for boards to start reading when, in essence, this is quite simple, should already be in place and should have been exercised for the last year as well.

Irina Velkova

Yeah, absolutely, and it seems that there are obviously gaps in place there, which is the most concerning point, back to what you were just saying, that they should be doing this already. But are there any really big ticket items, Andrew, Gavin, that you think firms really need to think about now, as the guidance is coming into play?

Andrew Rogan

Well, let me sort of lead on, sort of follow up from Tim there. I agree with much of what he says in terms of firms that haven't had one eye to what we now call operational resilience don't tend to last very long and historically haven't lasted very long. The industry and firms are absolutely full of operations professionals who ultimately think about failure. I think what's new is the way that this has all been packaged up under a single narrative, and a regulatory expectation put alongside it, that ultimately sees this as being on par with financial resilience.

So, if we think back to 10/12 years ago, the entire focus of the public narrative and the supervisory narrative was around about cleaning up and learning the lessons of the global financial crisis, and so much of that was about capital, and leverage ratios and MRL and a whole range of things. What we're seeing now is effectively the response to the disruptions that we spoke about a bit earlier: the supervisors are effectively saying, 'okay, this is now on par with financial resilience', and trying to put a framework around that in a way that hasn't existed before. So, some firms are really good at it, some firms weren't so good at it. Some sectors and industries were much better than ourselves, but now we have to up the game.

I think that's what's new and I think what's ultimately new is the way that boards are being asked to think about this and that being also so explicitly linked with the senior managers regime, and the responsibilities under the senior managers regime. I think the, in terms of what a board needs to ask themselves at this stage, now we're about a month away, less than a month away from the publication of these policy statements, Tim's exactly right, if firms haven't already been thinking about this, they've got some ground to make up.

But ultimately, the key questions firms need to ask themselves, at least as an initial starting point boards need to ask themselves, is, you know, what do we do that's important? What do we do that's important to our customers? And that's a real change from the regime around recovery and resolution, which is all about the firm and the survivability of the firm; this actually puts customers at the very centre of consideration. How do we identify weaknesses to the delivery of that service and then what do we do to mitigate against that, and by that, I mean, effectively investment? Where do we need to spend our money to really address this? So that framework that's being put around, which boards are being asked to consider, is new, or at least its previous bracket, previous experience bracket any other way, but that's certainly something that boards should be starting with, those sort of three premises as to what do we do, what's important to customers and then what are the risks to that particular service?

Gavin, I don't know if you want to follow that?

Gavin Stewart

Yeah, I mean, I think the only thing I would add is the requirement that variable comp will need to come up with impact tolerances for those business services and actually, I believe that thinking through what that really means in practice, might be quite profound, depending on where you are at the moment and what your legacy systems are, and so forth. So, thinking through what it means to kind of be able to essentially say, in two days’ time unless it’s really exceptional, we're going to have everything up and running again, I think potentially changes, you know, the profile of your investment strategy and all sorts of other things. So, I think that's, for me, that's certainly one of the most fundamental things that I probably see less frequently referenced in a lot of the literature than I think it deserves.

Tim Armit

Irina, can I just come back on this as well, from a board point of view.  The one good emphasis in this point focus is to focus on the external organisations. I think a lot of boards may naively have lost track of just how much outsourcing they've done, and how much secondary tertiary outsourcing they've done as well and actually, this might be a wake-up call on to say, well, I've got my stuff in the cloud, then the two parties within the cloud, were delivering X, Y and Z and may not actually sometimes know who is delivering half of their key business or the key operations within their businesses and I think some of that came out within COVID as well when other nations had different levels or different problems to what we had and how it caught certain organisations a bit cold on how much reliance they had in other locations. So, I think one of the good things from this paper is that that is a big wake up call to get your house in order of what is the real mapping of the external third-party landscape that your company works in?

Gavin Stewart

I think that plays into Andrew’s point about the senior manager regime as well because I think what are you really the decision maker for? Do you control the various kind of supply chains and the various kind of outsourcing, we don't need to go into the detail here, the various outsourcing arrangements you have.  Do you really understand how they work and what would happen, how you could fix them if they went wrong, for whatever reason.

Irina Velkova

So, is outsourcing the number one kind of subject companies should start thinking about now?

Tim Armit

I think, personally, I think the important business areas and the impact and the tolerances, most of our bigger organisations should already have. I think tolerance is a great word, it came in about five or six years ago and it's so much more realistic than recovery times, or how long you can be down for; it's how much can I take this pain before I'm gonna stop complaining about it, and I think what will surprise companies is, it is a lot longer than you think. I think people have probably had it mentally too short beforehand. So, I think they'll do that. But in parallel, yes, I do believe this is a key thing, because they'll know less about it and a lot of the organisations we were talking about are really difficult to get information from as well. So, I think sometimes we might be going back to the regulators with a 'we can't get that information' statement.

Irina Velkova

Yeah, that sounds absolutely sensible and obviously Gavin, you and I do a lot of work around SMCR and the point around mapping the new requirements or the new regulatory expectations with the regime and the responsibilities. Do you think firms are there yet?

Gavin Stewart

So, I think a lot of them probably are, but I mean, I'm sort of a bit of a broken record on this, I don't think we'll really know until it's been properly tested and I don't think it has been. So, until something's gone wrong, how decisions are made, how problems are fixed, we're not really going to know how well the senior manager regime works. I think the absence of significant enforcement cases is kind of part of that. I think the other thing I'd probably add to what Tim just said is that I think over time, the Financial Policy Committee, which looks at the macroprudential aspects of our system, and is, if you like, top of the pyramid, above the PRA and the FCA in some respects, is going to form its own view as to what a reasonable impact tolerance is, and I think that I wouldn't be entirely shocked if that ended up being tighter than a lot of firms at the moment are contemplating.

Irina Velkova

Yeah, and you mentioned, as I already mentioned, quite a lot of you mentioned the practical steps that firms need to think about now. So, we have the consultation paper already, expecting the policy statement, obviously, any moment, and a lot has been said around impact tolerances. So that's clearly key. What are the practical steps firms should be thinking about now?

Andrew Rogan

It's been UK Finance's experience that there's a range of places firms are at the present time. So, you've got some firms which are really at the cutting edge of thinking and the resources available to them to really throw their way into this, then you've got other firms that are really at the start of the journey, and I don't necessarily like using the word journey to describe this, because as Tim said, a lot of them, we all should have been doing something that looks a bit different, some time. But what I would say is that the consultation papers, and the way that the consultation papers are written, which we know from our engagement with the authorities is broadly and thematically going to be the approach taken by the policy statements, do provide a very effective step by step approach that firms can and should take, as they look to implement this policy statement. So, it starts with important business services, and what I would say is that most firms have already done some hard work to really think about what their important business services are, you know, what is the point of contact between the customer and the firm on which they rely.

The second is to really engage with the customer to understand what the failure of that service would mean to them, okay, and whether it would cause intolerable harm, and that's quite an important concept, because effectively from that it dictates the proportionality of the response. If you are engaging with a particular customer, and you represent 80% of the business market, then clearly a failure in your trading systems or a failure in your execution services represents a potential to cause intolerable harm. Equally, if you represent just a small portion of their business, so, if you're a broker, and you only do a fraction of their business, then when setting your impact tolerances with respect to that customer, or that category of customers, depending how you're doing it, you can take a different response.

So those are the starting points right now.  Sort out your Business Services, understand what those are, speak with your customers, really get your head around and really make sure that you understand the business that you provide them and to what extent they rely on that business and then from there set the impact alone just now, completely agree with Gavin, that actually impact art is really tricky. So far, at this point of the cycle in advance of the policy statements will be, this is the area where there's the most sort of Greenfield so to speak and there's a lot of a lot of thinking being done there in the industry, as to what this might look like and I'm afraid we won't probably know much more than that until the policy statements come out. But at this point, as we are mere weeks away, there's more than enough to get our teeth into this.

I think there's some practical things that firms should be doing as well, it's ensuring that all parts of the business are aware that this is coming.  Ensuring that all parts of the business are aware that this is going to have implications for the way the firm at least thinks about the way it provides services and finally, it's making sure that all parts of the business are really bought into the philosophy that underpins these changes in this evolution in the approach operational resilience and that is something that is on everyone to solve, and not just individuals.

Irina Velkova

Thanks Andrew, that's really great. I'm sure our audience will be delighted to hear that because it'd be really helpful. And I can see Tim is burning to add into that.

Tim Armit

I think that, I mean Andrew summed it up beautifully there, and I think that we've been for years trying to put things in language that people can get who don't do this on a daily basis and are not particularly interested, but now have to do it, and putting it as 'so what and who cares' and 'when can't you take the pain anymore' is a lot easier than talking about RTOs and RPOs and impact analysis and things that nobody else really cares about; people who are in my business, they are the only ones who do, so put it in a language that people can get.

If you were on a Monday to Friday, 9-5 business and you have a problem at seven o'clock on a Friday, you don't have a four-hour tolerant period, you have a Monday nine o'clock tolerant period. So, is it a next working day tolerance rather, this thing about hours and minutes and pounds and pennies, and that's another good point.

We've impact analysis, this business has been a consultancy led business for a very long time and that's not led to any cohesive thinking, because competition is good because it brings variety and change, but why can't the bank or the PS here come together and say, 'look, here's the five levels of impact we want to measure against and here's the six periods of time we want to measure them over', and everybody work to the same ones, and so we've got a predefined book or banquet that we're working against here, rather than every different type of industry trying to make up their own one, none of it being comparable or measurable against each other, and not having a direct relationship to each other. So, you can have a different level of failure over a different period of time, and not be able to measure it.

In 2005, I led the first benchmarking for the financial sector. One of the things we found out there is, you've got a big multinational American or whatever bank with a huge amount of money to throw at something and a need to be fully resilient and then underneath these five tiers down, you've got other financial regulated organisations that are running with six men in the back of an office somewhere down in Stockport and you can't say and it does say that there's different sizes of firms, I get that but other companies, resilience might be being able to be in business in six months’ time. It's very very different and Andrew's key point, I would take away that anybody listening is, start at the end, start at the customer. What do they want and if you've got what they want, right and work backwards from that, what these regulators are doing is turning away from what we want as organisations to what the customer needs. And I think that's good.

Irina Velkova

Yeah, and I think that's absolutely the biggest shift that Andrew was talking about: the mindset is now, right, not thinking about recovery and the business, it's more about actually the customers and having that as a foundation as opposed to starting from your own firm. Gavin, did you want to add anything to that in particular?

Gavin Stewart

Just a couple of things briefly. One is, I mean, I think the regulators see this as the sort of equivalent to Hirsch Dodds settlement risk in the 1970s, which again goes back to 'what's the impact on the customer'? So, I wouldn't underestimate the importance of how they see it, not a normal regulatory initiative where it kind of comes and goes, and secondly, related to that, I think there is an international element to this.

I think it's slowed because of COVID. But I think, you know, towards the back end of this year, I wouldn't be surprised if Basel and the FSB sort of started picking this up again. I think in the UK, we're probably ahead in thinking actually, but I think it will be, with SolarWinds and so on, I think it will be increasingly important in the US, and also across the kind of international regulatory networks.

Irina Velkova

Yeah, no, absolutely. I agree. Tim, Andrew, what are your views on the international aspect?

Tim Armit

Andrew, do you want to go first?

Andrew Rogan

Yeah, look, I think complex is the quick and easy answer on that one. There's a real difference in approaches between the US and the UK. Although I would be quite firm in saying, when we think about international, don't just think about the dichotomy between the US and the UK. But for a starting point, the US has taken a different approach thus far to the treatment of operational resilience. They're viewing it as the way that you approach this issue, and the way that you solve the challenges, which as the UK regulators have identified and look to challenge, look to solve, is through the pre-existing arrangements.

It's a much more complex patchwork of regulators in the US than it is over here. I always marvel when people talk about the inability of the FCA and the BOA sometimes to be on the same page. I mean, you know, to have that same conversation with a US bank, and they just say that they'd take the UK version, or the UK approach, any day of the week. But there's a real challenge there, there's going to be an added level of complexity, because we are expecting the Basel Committee, the BIS, Bank for International Settlements, to release its findings with respect to what they consulted on last year in terms of creating a more globally consistent approach. We know that even as they wrote that, even as BIS wrote that particular consultation paper, there were some fundamental differences between the US and the UK as to the approach.

What I'd say is, for the rest of the world, there is a real inflection point. Japan, South Korea, Australia, etc, they've become, the Bank of England's done a really, really good job of actually lifting this issue to the forefront of global regulation and saying, 'look what we're doing here', which as a result means that those jurisdictions that I just listed are now doing some heavy thinking as to the approach they take. Will they go down the UK approach of seeing resilience as an outcome and designing a system around that? Or will they go down the US approach of seeing resilience as being a result of a number of pre-existing approaches to IT and cybersecurity, or change management and otherwise, and having a much more diversified approach spread across a whole range of jurisdictional approaches and rules and regulations? It's gonna be very complex and unfortunately, for many of our members, they'll be right in the middle of it.

Irina Velkova

Yeah, I was going to say those who operate internationally are going to have a fairly complex challenge to cope with, in the years to come.

Tim Armit

I think that it's going to be an interesting couple of years in the short term. We still don't know the full picture of what Brexit will mean to us. We, in a world of IT which is a global, single, almost global cloud, nations are sometimes becoming more isolationist rather than singular, which is odd. We do not know what the full impact of COVID will be for the next 18 months in terms of open travel, open movement, not just on the ether but in reality, and what that means for business. There's lots of things we don't know and, going back again 30 odd years, in terms of continuity and stuff, Britain has always been at the front of the world in our planning and thinking on this, and a lot of people picked up from us.

But I think if we can do it right here again, other people will follow us because it generally gives a stronger base for business and I think one of the things we do need to make sure though is in this resilience is that we don't just think of the physical, like the IT and the operational side, but we also look at the products and the operation and the leadership as well and making sure that resilience is from top to bottom and that will then have, for international banks that particular international trading organisations, will have a feed into the rest of the world where they see ‘well, you are doing this as a way of thinking’ and in this country, that should trickle back into another country.

Irina Velkova

And you said, Tim, that there are lots of things we don't know. But if you had a crystal ball, what do you think are the biggest struggles that firms are going to have in trying to implement proper operational resilience?

Tim Armit

Well, I'll start on that. The first one is, I think a lot will over complicate it and I think that they will try to eat the elephant in one bite instead of doing it by single nibbles, and I think that this is not a difficult thing to do if you actually think 'I need to do what's important to me, how long can I tolerate it being down, what am I going to do about it, who do I depend on and what's the impact on my customer'?

Just take a few simple steps, draw out some simple maps, find out I think some of the companies will struggle to find out…. this sounds so stupid, but honestly, it's based on its experience around the whole world, find out what they do, and what they have to do with, you know, what IT they have, where their IT is, what their IT does for them. I think some of them will struggle with that initially on the technical side. But if they take it simply, they focus on what the customer needs and work backwards, this is not a difficult exercise.

Irina Velkova

Gavin, your thoughts?

Gavin Stewart

I think we started off talking about boards and I think it's putting something like this, which is probably, let's not call it a journey, but it's a multi-year challenge against all the kind of short term demands that they're going to have, particularly any time but particularly in the next 6 to 12 months.

Irina Velkova

Great. Andrew?

Andrew Rogan

I don't think I'll probably add too much to that. Actually, I think the guys have pretty neatly summarised areas of focus and where the challenges come from, yeah, so I'll let them have the last word on it.

Irina Velkova

Excellent. Well, Gavin, Tim, Andrew, thank you very much for this absolutely fascinating discussion today. It's been insightful, especially having done this for so many years, and with so many businesses. Clearly a change of mindset for organisations to start with, particularly in terms of putting the customer as a starting point and thinking it backwards. Lots of things to think about in terms of how you put operational resilience in place rightly, in the sense of starting simple and making sure that it's on the board's agenda, and I guess we are all waiting, as are our clients, to see the policy statement, but as Andrew said, hopefully it won't be too different from the consultation paper, so we know the direction of travel, certainly.

To leave you with some more regulatory food for thought, we have recently published our Financial Services Regulatory Handbook, your one-stop shop for all key regulatory developments in the year ahead.

We also run monthly Financial Services Regulatory Update webinars with David Morrey and the one and only Gavin Stewart. If that's not enough for you, you can also sign up to the Financial Services Regulatory Newsletter to receive weekly updates and invites into your inbox and of course, don’t forget to subscribe to our podcast.

Thank you all for joining in, we will be back with our next episode next month to talk about other exciting topics in the Risk and Regulatory world.  Thank you again, and goodbye.