Why banks should start preparing for operational resilience

16 March 2021, Consultancy.uk

Regulatory activity in the financial services industry is undergoing a profound shift to focus on risks arising from technology. According to David Long from Delta Capita, the banking industry must consider the implications of this shift in mindset carefully and prepare in advance in order to meet the required levels of operational resilience. 

Across all segments of the banking industry, technology is becoming ever more present. The pace of technology adoption in the sector has already been rapid over the past years, and going forward the use of next‑generation technologies such as robotic process automation, machine learning, and business-friendly blockchain innovations is only set to accelerate.

Benefits aside, this transition to a digital-first business and operating model comes with technology risk. IT systems that are not resilient – in particular, legacy systems – pose a risk to the operational resilience of the institution as a whole.

David Long, Head of Non-Financial Risk, Delta Capita

“Even prior to the pandemic, financial institutions found themselves increasingly susceptible to resiliency-related failures, often stemming from digitisation efforts being accelerated without adequate focus on preserving resiliency,” says David Long, Head of Non-Financial Risk at Delta Capita. “The result – IT breakdowns, cyber-attacks, and migration failures became ever more commonplace, demanding urgent interference from regulators to limit the impact of such events to institutions and customers alike.” 

Meanwhile, the pandemic has only strengthened the case for revamping operational resilience requirements. According to Long, the pandemic exposed financial institutions to more drastic operational pressures related to new work realities. The abrupt increase of working from home, digital and cloud services usage and market volatilities all further strained already inefficient processes. 

Regulators have laid down the expectation that banks should continuously adapt to threats in order to withstand, absorb, and recover from severe disruptions to their business services (including but not limited to cyber and IT‑related incidents). In preparation for operational resilience regulation, the FCA, PRA, BCBS, and the EU continue to work on consultation papers to shape the expectations to better refine previous guidelines. 

But operational resilience is already being stressed in the most recent papers, says Long, including “Building Operational Resilience: Impact Tolerances for Important Business Services” and “Outsourcing and 3rd Party Risk Management”. “And it’s clear that resiliency initiatives aren’t going away anytime soon.”

Start preparing

While many questions still remain unanswered, Long says that banks should already adopt a number of measures to redesign their operational resilience in order to be well prepared for the new mindset. As a starting point, he advises risk leaders to leverage existing risk management frameworks to springboard an operational resilience strategy. 

“There is no need to start from scratch, but intelligently pivot existing frameworks, policies, and controls against the consumer and market harm lens. For example, business continuity plans can help identify and kick-start the mapping of the ‘revised’ critical business resources, and board risk and control attestations can be used as a starting point for operational resilience self-attestation as firms set and test impact tolerances.” 

Second, Long urges multinational firms to take a two-fold approach. In the short term, operational resilience teams should first understand the nuances of the various rule sets across jurisdictions in order to design the optimal approach for compliance. At the same time, these teams can work towards a more aligned operational resilience approach across jurisdictions. As global frameworks become more standardised, the path towards operational resilience will become clearer. Long says, “Our view at Delta Capita is that global legislation is becoming ever more aligned.”

Third, while much clarity is still required on impact tolerances – the thresholds set for the maximum acceptable disruption that an important business service can sustain before serious impacts occur – Long advises banks to proactively revisit their current baselines.

“Banks should re-identify important business services, and map the supporting resources which, if disrupted, could cause harm to consumers or market integrity. They can also design testing approaches to demonstrate the ability to remain within impact tolerances. This would include identifying a range of severe but plausible disruption scenarios that could cause external harm and creating action plans to minimize harm and disruption.”

Reaping the benefits

“Banks that get a head start will down the line reap the benefits,” says Long. For one, they will be equipped with better response capabilities and reputational defence. Proactive and customer-centric approaches to resiliency allow executives to gain a comprehensive understanding of disruption, react more promptly in a crisis, reduce potential harm done to customers and counterparties, and present accurate information to stakeholders. 

Internally, a better understanding of a bank’s IT infrastructure and interdependencies can bolster cybersecurity and lead to improved performance on regulatory compliance. And to top it all off, banks that have integrated operational resilience into their technology processes are likely not only to comply better but also to achieve lower costs and greater systems adaptability.