Building Operational Resilience in Financial Services

Operational resilience within the financial services industry helps to mitigate financial risk and ensure organizational viability.

 

Predicting operational risk in our interconnected global economy is becoming increasingly difficult, if not impossible. This is particularly true in the financial services sector, which is why operational resilience in financial services has become such a hot topic.

The global economic environment is uncertain and volatile, with slower economic growth and declining margins. Strategic financial risks such as capital adequacy and liquidity are increasing under external pressures. The geopolitical environment and its financial impacts change day to day. And fraud and cybercrime remain on the rise.

To counteract this environment, we need to turn our focus away from “predictions” and towards “expectations”, accepting that now and into the future there will be disruptions to operations in the financial services sector. And though we continue to struggle to see what those disruptions may look like, we can still prepare a robust operational resilience strategy to help us manage and overcome any negative impacts.

 

What is operational resilience in Financial Services?


The UK Financial Conduct Authority (FCA) has defined operational resilience as “the ability of firms and financial market infrastructures, and the financial sector as a whole, to prevent, adapt, respond to, recover and learn from operational disruptions.” 

Let’s look at what this means in practice.


Changing regulatory requirements


Financial regulators, particularly in the UK, are well aware of the importance of a robust approach to operational resilience, especially in light of growing global connections and increasing financial sector complexity. While operational resilience is a relatively new term, regulators now see it as essential because its failure alone could lead to extreme financial volatility.

Because of this, the Prudential Regulation Authority (PRA) and the FCA have been forming an extensive regulatory framework around operational resilience. This new framework, which has been approved and came into force on 31 March 2022, allows operational resilience to be analyzed in a holistic manner. For example, the following can be assessed:

  • Connections between functions, operations and third-party providers that could pose operational risks
  • Cyberattacks and financial frauds that could potentially disrupt financial services organizations, banks, or entire industries or markets
  • Commercial pressures around climate change and the global sustainability agenda
  • Risks arising from the concentration of the market around favored providers


New operational resilience framework


The first year of the new framework, March 2022 through March 2023, is an implementation period during which organizations that fall under the framework can begin putting its elements into practice. The ultimate goal is that by 31 March 2025, each organization must be able to show that, in the event of a disruption, it has the processes, procedures, and strategies in place to keep its important business services within their impact tolerances. As part of that process, each organization will need to identify both its “important business services” and its “impact tolerances”.


Defining “Important Business Services”


“Important business services” are a vital part of the regulatory requirements, and are the services that, if disrupted, could cause intolerable harm to a client or clients of that organization or risk the stability, resilience, or orderly operation of the UK financial system or financial markets.


Defining “Impact Tolerances”


The Bank of England defines impact tolerance as, “the maximum tolerable level of disruption to an important business service.” 

This definition accepts that disruptive events will happen to and within an organization. These disruptions then need to be analyzed and quantified to determine the severity and duration of that particular disruption the organization can tolerate. This analysis includes three main steps:

Step 1: Identify the key business services, products, and systems to understand how the particular disruption will impact the overall business viability and the larger market.

Step 2: Set the maximum acceptable downtime for key business services, products, and systems (this is your organization’s tolerance).

Step 3: Implement a process to ensure you can continue to provide core services and stay within your impact tolerances when you face severe disruption. 

 

Importance of operational resilience in Financial Services
 

Increasing regulatory activity within the industry, competitive pressure to switch to digital-first business models, transformative technology and digital tools that introduce efficiency but also open new avenues for risk, and the digitization of banking and financial operations all affect an organization’s ability to adjust to and recover from operational disruptions.

Forward-looking organizations are focusing on operational resilience with a greater sense of urgency, particularly in light of the key role that the industry plays globally, and the devastating impacts it could have should the industry fail to function well.

Here are a few reasons why banks and financial services organizations should be focusing on operational resilience:


To prepare for inevitable security threats


Rapid digitization and an increasing reliance on third parties mean that financial services organizations are more exposed to cyberattacks and fraud, both of which are on the rise.


To eliminate risks and mitigate their impacts


Building an operational resilience framework helps to protect vulnerable core business functions. Organizations can shift from the traditional “recovery” model and move towards the “mitigation” model, where operational resilience serves to both eliminate and mitigate continuity and disaster risks. 


To integrate a market-wide operational resilience net


When integrated with other actors in the financial services sector and with third-party partners, operational resilience becomes a market-wide net that is continuously watching for disruptions or shocks, leading to a more agile and responsive system overall.

 

How to build operational resilience in the Financial Services sector
 

Building operational resilience in the financial services sector works in much the same way as in any other sector, except that the regulatory framework must also be followed:


Step 1: Define your “important business services”


As discussed above, you’ll need to define the “important business services” (IBS) that are essential to the operation of your business. This is the first step in holistic business mapping that aligns your IBS with your overall business objectives, your organization’s risk appetite, and your impact tolerances (which you’ll define in the next step).

A GRC compliance software system, such as TriLine GRC by Ansarada can help you to identify and analyze relational data so you can define your important business services.


Step 2: Define impact tolerances
 

Defining your impact tolerances is the next step, and as discussed previously, this is a required element of the regulatory framework. From a purely operational standpoint, it also helps you to understand the risks and disruption levels that your organization is equipped to handle and so will inform every subsequent element of your resilience strategy as well as your operational risk strategy in general. 

A strong software solution like TriLine GRC can bring all of these elements together in a compliant, efficient, and effective way. 
 

Step 3: Map your dependencies 
 

The financial services sector is highly dependent on third-party suppliers, providers, and outsourcers, as well as on other members of the industry. Mapping these interlocking dependencies is critical to building a resilient business model.


Step 4: Wide-ranging scenario testing


Scenario testing is the next step in developing your operational resilience. In order to have a robust scenario-based testing protocol you need to ensure that you are gathering data from every level within your organization and getting cross-organizational information. This information will allow your risk management teams to understand the weak links in their resilience plan and set protocols to better respond to possible disruptions. 


Step 5: Communication plan


As an organization, you must be able to communicate effectively with internal and external stakeholders, as well as with the wider industry, in times of crisis, change, or disruption, which makes this an essential part of your operational resilience strategy. To accomplish this, you’ll need to map your stakeholders so you understand where to focus and how to frame your communications.

Importantly in the financial services industry, you need to include regulators who will want to understand your impact tolerances and mitigation efforts, which should be included in your plan.
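The three-step impact tolerance analysis above and Steps 1 to 4 of this procedure (define IBS, set tolerances, map dependencies, run scenarios) are easier to reason about with a concrete model. The following is an added example, written for this article and not code from Ansarada or the TriLine GRC platform: a small Python dependency map for a hypothetical firm, a scenario runner that propagates a component outage through the map and flags any important business service whose disruption would exceed its impact tolerance, and a concentration report that lists which single component would disrupt the most IBS. All service names, tolerances, and outage durations are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Service:
    name: str
    important: bool                      # True if this is an "important business service" (IBS)
    tolerance_hours: Optional[float]     # impact tolerance: maximum tolerable disruption (IBS only)
    depends_on: tuple = ()               # direct dependencies (internal systems or third parties)


# Constructed dependency map for a hypothetical firm (not from the article).
SERVICES = {
    "retail_payments": Service("retail_payments", True, 4.0,
                               ("core_banking", "payment_gateway_vendor")),
    "mortgage_origination": Service("mortgage_origination", True, 48.0,
                                    ("core_banking", "credit_bureau_vendor")),
    "internal_reporting": Service("internal_reporting", False, None, ("core_banking",)),
    "core_banking": Service("core_banking", False, None, ("primary_datacentre",)),
    "payment_gateway_vendor": Service("payment_gateway_vendor", False, None),
    "credit_bureau_vendor": Service("credit_bureau_vendor", False, None),
    "primary_datacentre": Service("primary_datacentre", False, None),
}


def transitive_dependencies(services, name):
    """Every component the named service relies on, directly or indirectly (Step 3: map dependencies)."""
    seen = set()
    stack = list(services[name].depends_on)
    while stack:
        dep = stack.pop()
        if dep in seen:
            continue
        seen.add(dep)
        stack.extend(services[dep].depends_on)
    return seen


def run_scenario(services, outage):
    """Step 4: scenario test.

    `outage` maps a failed component to the hours until it is expected to be restored.
    For each IBS, returns which failed components reach it, the resulting disruption
    (worst case: as long as the slowest failed dependency takes to recover) and whether
    that disruption breaches the service's impact tolerance.
    """
    results = {}
    for svc in services.values():
        if not svc.important:
            continue
        reach = {svc.name} | transitive_dependencies(services, svc.name)
        hit = sorted(reach & set(outage))
        disruption = max((outage[c] for c in hit), default=0.0)
        results[svc.name] = {
            "disrupted_by": hit,
            "disruption_hours": disruption,
            "breach": disruption > svc.tolerance_hours,
        }
    return results


def concentration_report(services):
    """Which single component, if lost, disrupts which IBS (concentration / single-point-of-failure view)."""
    report = {}
    for comp in services:
        affected = sorted(s.name for s in services.values()
                          if s.important and comp in transitive_dependencies(services, s.name))
        if affected:
            report[comp] = affected
    return report


if __name__ == "__main__":
    # Constructed scenario: the primary data centre is down for 6 hours.
    for ibs, r in run_scenario(SERVICES, {"primary_datacentre": 6.0}).items():
        status = "BREACH" if r["breach"] else "within tolerance"
        print(f"{ibs}: {r['disruption_hours']}h via {r['disrupted_by']} -> {status}")
    for comp, ibs_list in concentration_report(SERVICES).items():
        print(f"loss of {comp} disrupts: {ibs_list}")
```

Tolerances here are expressed only as a maximum duration; a real impact tolerance may also bound the number of affected customers or transaction volume, which fits the same structure by adding fields to `Service` and extending the comparison in `run_scenario`.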

See also: Examples of Operational Resilience


A note on the importance of digital transformation for robust operational resilience


Digital transformation is part of the financial services environment. Banks and other lending and financial institutions are pressured by competition to find new, easier, tech-forward integrations to please customers, and interlocking systems that make the movement of funds more seamless are becoming a central element of the industry. This means new partnerships and new technologies are being introduced every day.

Financial institutions must ensure that all new technologies, partnerships, or digital initiatives are analyzed and reviewed for risk to ensure that the right controls and protocols are in place. These risks could include cyber, information security, business continuity, anti-corruption, and more.

See also: Operational Resilience vs Business Continuity

 

How a GRC platform helps build operational resilience in Financial Services


Operational resilience in financial services must integrate the management of operational risk with the requirements of the regulatory framework. The TriLine GRC platform helps you do that by:

  • Ensuring you have accurate and timely data visibility to define your important business services
  • Improving the way governance, risk and compliance data is gathered, stored, curated and linked, and then compiling it into a single source for the entire organization
  • Providing you with the data necessary to accurately define your impact tolerances and ensure you’re meeting your regulatory framework requirements
  • Enabling rich scenario testing 
  • Mapping external and internal stakeholders, including all required regulators
  • Enhancing your communications via fast and accurate reactions to data flows 

 

Protect your firm from non-compliance

Book a demo of TriLine GRC's Operational Resilience software today.