As financial institutions continue to implement their operational resilience plans, the scale of the challenge is becoming increasingly apparent. Firms should identify their critical services, set a disruption tolerance level and take steps to stay within it in the event of an outage.
Disruptions will happen
Operational resilience accepts that disruptions will happen and asks firms to be prepared for them. Firms must identify their key services and establish tolerance levels beyond which continued disruption could cause harm to consumers or the wider economy.
Firms can measure an outage itself in a variety of ways, depending on the type of product offered. This may be the number of customers affected, the number of outages within a set timeframe, or the duration of the disruption. But measuring the impact of those outages isn’t so easy. It will be difficult to establish the degree to which customers could potentially be affected, and predicting potential harm to the wider economy is even more nebulous.
This could be a key area where firms and regulators may disagree. What happens when a firm sets a tolerance level that is not appropriate in the eyes of the regulator? What happens when a firm doesn’t see a product line as critical, but the regulator does? These are big issues that can challenge the fundamental premise of operational resilience.
To assess the agreed impact tolerances, and the ability to stay within those limits, firms must undertake robust scenario testing. The scenarios should be extreme yet plausible, and should provide insight into how disruption could reach the impact tolerance. With significant senior input, these tests will use a lot of resources across multiple departments, and they may themselves be disruptive to the business.
Aside from working out in what scenarios a tolerance limit may be reached, and making business changes accordingly, scenario testing can help to identify interdependencies across multiple critical services. Often these are only discovered when there is an outage to a particular service, and they can have significant consequences for the business. Having mapped these interdependencies, firms should review alternative processes and procedures that can be swapped in to cover periods of downtime and restore critical services.
Technology plays a big part in operational resilience
High profile technical failings are a key driver behind the current regulatory focus in this area. In their July 2018 consultation paper, the PRA, FCA and the Bank of England highlight the dangers of concentration risk, specifically of third parties who deliver specialist services, where there are few alternative providers. What if one such third party is unable to provide its services, upon which 50 of your 150 key services depend? What if that impacts other third parties, who also rely on those services, taking out another 20 of your critical services?
What to do now
Depending on the size of your business and the scale of your operations, operational resilience has the potential to be a highly complex and resource-heavy regulation. In terms of next steps, firms should:
- assess their existing service lines to identify the services which are critical for consumers, clients or the wider economy
- map the supporting systems and processes behind each critical service
- review their reliance on third-party providers
- measure the impacts of an outage and set tolerance levels for disruption
- test the metrics using scenarios and establish recovery plans.
For more information and details on how we can help you meet your operational resilience requirements, please contact Paul Young.