Becoming operationally resilient: the past, present and future for financial services
Simon C. Chard, Partner at PwC UK, explores how to improve operational resilience capabilities, what this can afford and how firms should start thinking more ‘when’ rather than ‘if’.
Operational Resilience is a subject that has risen in prominence over recent years: a trajectory that is unlikely to change in the foreseeable future. Technological advances coupled with increased consumer demands have created an increasingly challenging environment in which to deliver services.
Understanding Operational Resilience helps to inform investment in technology, facilities, people and third-party contracts as there is a clearer understanding of the client-facing services delivered and, therefore, their profitability. In the following blog, we look at why Operational Resilience has become more important, what the regulators expect and, most importantly, what opportunities this affords firms as they seek to meet these expectations.
The state of affairs: how did we get here?
Recent prominent and sustained incidents have moved Operational Resilience into the public consciousness, while regulators continue to enhance their expectations on resilience capabilities. This has culminated in the UK Regulatory Authorities releasing a discussion paper[1] in July 2018, specifically addressing Operational Resilience within the financial sector. In the paper, the authorities set out the following definition: ‘operational resilience refers to the ability of firms, FMIs and the system as a whole to prevent, adapt and respond to; recover and learn from, operational disruption’.
This should not come as a surprise, as speeches made by Charlotte Gerken in 2017[2] and by Lyndon Nelson earlier this year, in 2018[3], have provided clear guidance on how firms must consider becoming operationally resilient. To address this, firms and their boards must accept that ‘failure is inevitable’ and that you should develop ‘the ability to adapt operations to continue functioning, when - not if - circumstances change’.
This often differs from the objectives of previous continuity and recovery programmes which focused purely on the preservation of the firm and the interests of its shareholders, notwithstanding their ability to provide an appropriate level of service to customers. A key challenge is accepting that it is not possible to either predict or prevent every possible event.
What are the benefits of operational resilience consideration?
It is easy to believe this is just another regulatory requirement. Regulators are requiring firms to make substantial developments to their approaches to resilience, as an operational disruption can impact financial stability, threaten the viability of a firm or cause harm to consumers and other participants in the financial system. As we have seen in recent years, the crystallisation of a resilience issue heightens supervisory focus on a firm. In this environment, regulatory pressures are undoubtedly a strong driver for firms to evolve their approaches to resilience.
Operational disruption can impact financial stability, threaten the viability of individual firms and financial market infrastructure providers, or cause harm to consumers and other market participants in the financial system. Firms and FMIs need to consider all of these risks when assessing the appropriate levels of resilience within their respective businesses.
However, while addressing the new expectations takes time, money and resources, there are wide-ranging benefits to be achieved in delivering effective Operational Resilience that go far beyond mitigating risk of regulatory sanction and limiting downside risk. Organisations can achieve a quicker and more measured management of incidents by accepting that resilience events are inevitable.
Accepting that encountering resilience events is a question of ‘when’ rather than ‘if’ can help to move a firm beyond the first three stages of reaction to an unexpected event (typically surprise, anger, resistance) towards acceptance, where the issue can be managed far more effectively.
Other benefits are the ability to make better decisions at a senior level based on an understanding of the robustness of the organisation; closer alignment between the business, technology and sources of operational risk; increased agility; enhanced risk culture; and, ultimately, an ability to increase customer trust and reduce the risk of reputational damage.
All of these are reasons in their own right and, therefore, regulatory compliance could be seen as a byproduct. Importantly, this will also create an opportunity for markets to differentiate between organisations based on their stability and resilience.
Closing thoughts on effective operational resilience
Making the required change to achieve effective management of Operational Resilience often necessitates a step change in mindset. Resilience has often been considered a business continuity and disaster recovery issue, but it is much more comprehensive and requires a broader set of skills and specific ownership. With the advent of the Senior Management Function (SMF) 24 role[4], the responsibility for Operational Resilience may have a somewhat more intuitive home, while the skills required to fulfil an Operational Resilience capability may need to be drawn together either formally or as a virtual team.
Interdependencies across the financial services ecosystem are increasing; the sophistication of criminal enterprises is growing and there is greater geopolitical uncertainty and a growing reliance on technology. As a result, we anticipate that the frequency and impact of operational interruptions will intensify in the next few years. The regulators finally articulating their thoughts can only bring positive outcomes that should lead to a more resilient and robust sector for the challenges and threats the future will bring.
You can find out more about Operational Resilience in PwC’s most recent report “Becoming Operationally Resilient” by following this link.
[1] Building the UK financial sector’s operational resilience
https://www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
[2] Charlotte Gerken, Director, Supervisory Risk Specialists at the BoE, defined operational resilience in a June 2017 speech at the Operational Risk Europe 2017 Conference
[3] Lyndon Nelson, Deputy CEO, Executive Director at the BoE speaking at the 2018 Operational Risk Europe conference
[4] The Regime currently applies to deposit takers and investment firms regulated by the FCA and PRA. From 10 December 2018, it also applies to insurers and will apply to all other FSMA authorised firms that are regulated solely by the FCA in the future. The Chief Operations function (SMF24) was introduced by the PRA in May 2017 and has been applicable to relevant firms since November 2017.