As financial institutions continue to implement their operational resilience plans, the scale of the challenge is becoming apparent. Firms should identify their important business services, set a tolerance level for disruption to each, and take steps to stay within that tolerance in the event of an outage.
What is operational resilience?
Operational resilience accepts that disruptions will happen and asks firms to prepare for them. Firms must identify their key services and establish tolerance levels beyond which continued disruption could cause harm to consumers or to the wider economy.
Setting operational resilience metrics
Firms can measure an outage in many ways, depending on the type of product offered: the number of customers affected, the number of outages within a set timeframe, or the duration of each outage. Measuring the impact of those outages is harder. It is difficult to establish the degree to which customers might be affected, and predicting potential harm to the wider economy is more nebulous still.
This is an area where firms and their regulators may disagree. What happens when a firm sets a tolerance level that the regulator considers inappropriate? What happens when a firm does not see a product line as critical, but the regulator does? These are substantial issues that go to the premise of operational resilience. The regulators themselves also differ in emphasis: in the operational resilience consultation, the FCA's approach concentrates on preventing harm to consumers, while the PRA's focus is financial stability.
Operational resilience scenario testing
To establish whether they can stay within their impact tolerances, firms must undertake robust scenario testing. The scenarios should be severe but plausible, and should show how a disruption could reach the impact tolerance. These tests need senior input and resource from multiple departments, and may themselves be disruptive to the business.
Beyond working out in which scenarios a tolerance limit would be reached, and making the necessary business changes, scenario testing helps to identify interdependencies between important services. These are often discovered only when a particular service suffers an outage, and they can have significant consequences for the business. Having mapped these interdependencies, firms should identify alternative processes and procedures that can be swapped in to cover periods of downtime and restore critical services.
Technology plays a big part
High-profile technical failings are a key driver behind the current regulatory focus in this area. In their July 2018 joint discussion paper, the Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and the Bank of England highlight the dangers of concentration risk, specifically in third parties that deliver specialist services for which there are few alternative providers. What if one such third party is unable to provide its services, and 50 of your 150 key services depend on it? What if that outage cascades to other third parties that also rely on those services, taking out another 20 of your critical services?
What to do now
Depending on the size of your business and the scale of your operations, meeting the operational resilience requirements has the potential to be highly complex and resource-heavy. In terms of next steps, firms should:
- assess existing service lines, to identify the services that are critical for consumers, clients or the wider economy
- map the supporting systems and processes behind each critical service
- review reliance on third-party providers, including concentration in a single provider
- measure the impact of an outage on each service and set tolerance levels for disruption
- test those tolerances against scenarios and establish recovery plans
- establish an operational resilience framework.
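The mapping, third-party review and scenario steps above can be worked through on a simple dependency graph: record what each important service depends on, then compute which services a single provider outage takes down, including outages that cascade through one third party into another, and compare the provider's likely recovery time against each service's tolerance. The code below is an added illustration and is not from the article, the FCA or the PRA; the firm, its services, systems, providers, tolerances and recovery times are all constructed.

```python
"""Blast-radius and tolerance check over a constructed service dependency map.

Added example, not from the article or any regulator. Every name, dependency,
tolerance and recovery time here is made up for illustration.
"""
from collections import defaultdict

# component -> components it directly depends on (constructed data).
# Components are important business services, internal systems and third parties.
DEPENDENCIES = {
    "Retail payments":        {"Payments engine", "Core banking"},
    "Mortgage servicing":     {"Core banking", "Document storage"},
    "Card authorisation":     {"Payments engine", "Fraud scoring"},
    "Customer onboarding":    {"Identity verification", "Document storage"},
    "Payments engine":        {"Provider A (payment switch)"},
    "Fraud scoring":          {"Provider B (analytics)"},
    "Identity verification":  {"Provider C (KYC)"},
    "Document storage":       {"Provider D (cloud storage)"},
    # a third party that itself runs on another third party: the cascade case
    "Provider B (analytics)": {"Provider D (cloud storage)"},
}

# External providers in the map (constructed); everything else is internal.
THIRD_PARTIES = {
    "Provider A (payment switch)",
    "Provider B (analytics)",
    "Provider C (KYC)",
    "Provider D (cloud storage)",
}

# Important business services and their impact tolerance, in hours of outage
# (constructed values; the firm would set these from its own harm analysis).
TOLERANCE_HOURS = {
    "Retail payments": 2,
    "Mortgage servicing": 24,
    "Card authorisation": 1,
    "Customer onboarding": 48,
}


def reverse_dependencies(deps):
    """Invert the map: component -> set of components that directly need it."""
    rev = defaultdict(set)
    for component, needs in deps.items():
        for needed in needs:
            rev[needed].add(component)
    return rev


def blast_radius(failed, deps=DEPENDENCIES):
    """Every component that stops working, transitively, when `failed` is down."""
    rev = reverse_dependencies(deps)
    seen, stack = set(), [failed]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(rev.get(node, ()))
    seen.discard(failed)  # report the consequences, not the trigger itself
    return seen


def impacted_services(failed, deps=DEPENDENCIES, services=TOLERANCE_HOURS):
    """Important business services disrupted by the failure of one component."""
    return {s for s in blast_radius(failed, deps) if s in services}


def concentration_report(deps=DEPENDENCIES, providers=THIRD_PARTIES,
                         services=TOLERANCE_HOURS):
    """How many important services each third party can take down, worst first."""
    counts = {p: len(impacted_services(p, deps, services)) for p in providers}
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def tolerance_breaches(failed, recovery_hours, deps=DEPENDENCIES,
                       services=TOLERANCE_HOURS):
    """Scenario test: services whose tolerance is exceeded if `failed` takes
    `recovery_hours` to restore. Outages that just reach the tolerance pass."""
    return {s for s in impacted_services(failed, deps, services)
            if recovery_hours > services[s]}


if __name__ == "__main__":
    for provider, n in concentration_report():
        print(f"{provider}: {n} important service(s) at risk")
    scenario = "Provider D (cloud storage)"
    print(f"\nScenario: {scenario} down for 4h -> breaches {tolerance_breaches(scenario, 4)}")
    print(f"Scenario: {scenario} down for 30h -> breaches {tolerance_breaches(scenario, 30)}")
```

The cascade is what makes the report useful: Provider D is a dependency of only one internal system in the map, yet because Provider B also runs on it, a Provider D outage reaches three of the four important services. A static count of direct contracts would have missed that.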
For more information and details on how we can help you meet your operational resilience requirements, contact Paul Young.