Operational resilience – the ability to prevent, respond to and recover and learn from operational disruptions – is now centre stage alongside financial resilience. In recent panel discussions at a UK Finance event, the regulators suggested firms should consider ‘what will break you?’
Cybersecurity, third-party management and change management are three of the most crucial areas to address in the quest for operational resilience. So, how can organisations tackle them and become more resilient?
Financial services firms continue to invest heavily in cybersecurity. But they can always do more, and regulators are keen to ensure the industry can respond to the global nature of cyber threats.
Cyber-attacks can quickly spread across national borders, highlighting the need for international coordination. To combat this, regulators around the world are encouraging collaboration and information sharing to support detection, response and recovery.
In our experience, boards often lack the technical expertise needed to fully understand the complexity of cyber risks. Firms need to train senior leaders and ensure they have the right people in place to advise the board on these risks. This will let them take cybersecurity beyond a simple ‘tick box’ exercise and benefit from enhanced trust and reputation.
The use of third-party providers makes the financial services supply chain complex. It’s unsurprising, then, that the Financial Conduct Authority (FCA) says third-party issues are the second-commonest cause of IT failures and breaches. Alarmingly, when the FCA surveyed 296 firms, only a fifth said they include third parties in their resilience testing and planning.
A risk-based approach to assessing the criticality of each third party and its potential impact is fundamental to operational resilience. So, firms should run end-to-end reviews of third-party operations within the context of a robust Business Impact Assessment exercise.
When we’ve worked with financial institutions on such third-party reviews, we’ve found three common issues:
Most financial services firms will have thousands of third-party relationships. The biggest will have tens of thousands. Keeping such huge records up to date can be an intensive, manual process.
We recently helped a leading financial services organisation identify, assure and document the exact nature of more than 2,000 supplier relationships. It was a time-consuming process as the information on suppliers wasn’t readily available and there was poor ownership and accountability – both common issues in the sector.
In our experience, there’s often a disproportionate focus on financial value when it comes to third-party contracts, lessening the efforts spent on ensuring operational resilience. Due diligence assessment frameworks must evolve to examine areas such as technology dependencies and process criticality.
Even if firms recognise the above issues and know they must address them, they often lack the manpower or skills to do so. They typically have a backlog of due diligence exercises that takes people away from the manual process of identifying third parties. And they rarely have the expertise and tooling needed to bring together the diverse data required to manage the risks posed by suppliers.
To comprehensively manage risks in an agile way, firms should map each third-party to the processes they help perform (and how critical they are), the risks they help manage and the controls they help run. This will, however, often require integration with obsolete governance, risk and compliance (GRC) systems.
Organisations regularly change their technology estates as they evolve and grow. The increasing speed and scale of such digital transformation increases risks significantly.
The FCA says that between October 2017 and September 2018, poor change management caused around a fifth of reported operational incidents. Yet financial services organisations told the FCA they have strong governance with enough senior engagement, clear accountabilities and an adequate resilience strategy. This shows an under-appreciation of the impact of disruption and of how practices, processes and risk culture are key to a firm’s overall resilience.
A robust assurance programme will ensure better quantitative information and highlight key risks. Through our experience of assessing business readiness with regulators and businesses throughout the financial services sector, we’ve devised an approach that ensures the upfront effort of assurance delivers long-term value.
Organisations need to consider the possible incidents that would cause significant disruption and plan to respond quickly. They must assume there will be issues with individual systems and processes, and focus on back-up plans and recovery options.
Start by identifying and understanding critical business services and the systems, applications, processes and people that support them. Then establish and validate impact tolerances before refreshing recovery plans to account for the new information.
Such an approach to exploring and addressing what will break you must be led from the top. Boards and senior management are crucial to the delivery of operational resilience and will be accountable.