This article was first published in FT Adviser
The December 2019 extension of the Senior Managers and Certification Regime (SMCR) is now looming. From that point, the regulation will apply to Financial Conduct Authority solo-regulated companies, pushing them to put a renewed focus on operational and cyber resilience.
There is an expectation from the regulators that operational resilience and cyber security will be taken seriously and that senior managers will be held accountable for them.
Its importance was underlined in the jointly published Prudential Regulation Authority, FCA and Bank of England Operational Resilience discussion paper which re-iterated the need for operational resilience to be on an equal footing with financial resilience.
A recently published Bank of England Financial Stability Report then made it clear that, under SMCR, the Chief Operations Senior Management Function (SMF 24) will be the individual responsible for the resilience of operations.
In light of this, firms now need to take a number of steps to make sure they are prepared.
Make sure there is accountability for the resilience of your most critical services.
Regulators expect firms to understand the criticality of the services they provide in the context of the customers and markets they serve.
To take a simple example, the ability to sell a mortgage may not be considered as critical as a mortgage drawdown. The failure of the latter can hugely disrupt an individual’s life and possibly the wider market, while the former is likely to only impact the firm commercially.
You then need to understand the different components that make up a resilient service and recognise that having a single and senior point of accountability helps to answer the key questions in each of them.
The first question to ask is whether the technology is reliable. Is it patched and tested?
Then you need to consider if there are skill gaps in the teams who support the service and ask, what are the key people risks? That includes looking at your suppliers and checking whether they are acting to promote resilience.
It is also important to consider risks to the current service and any changes that could disrupt it.
Testing is essential in this process and managers need to check if they have tested the resilience of the service recently and that they know what to do if things go wrong.
Resilience is multi-faceted and dealing with each of these questions is likely to need specialist teams to help answer them.
However, without accountability at a senior level where someone looks across all the component parts, several minor problems may go unnoticed but which could then end up being catastrophic for the resilience of the service.
Advice companies also need to think carefully about who they make accountable.
It is rarely appropriate for accountability for resilience to sit entirely with IT because very few processes are fully automated.
There are also people, suppliers and broader change management to consider. This means chief operations function will need to be able to look all accountable people in the eye on a regular basis and ask the following: ‘Is this service resilient? Is there anything we need to worry about?’
In addition, resilience needs to be considered in the context of the customer and wider markets.
Regulators will naturally place their emphasis on protecting the rights of consumers and maintaining stability of markets.
Equally, the reputational damage and loss of trust from a customer facing incident is likely to be remembered for many months, if not years - as we have seen in recent high-profile financial services disruptions.
Use of third parties
Think about the risks from outside your firm.
The use of third-party providers makes the financial services supply-chain complex.
It is unsurprising, then, that the FCA says third-party issues are the second most common cause of IT failures and breaches.
Alarmingly, when the FCA surveyed 296 firms, only a fifth said they include third parties in their resilience testing and planning.
If your business outsources core processes, you must be prepared to enforce the same controls on those third parties as you would your own company.
Many firms only consider third-party risk during onboarding or when re-negotiating vendor contracts.
Even then, the assessment of risk is often skewed towards the financial standing of the third party.
However, regulators expect a broader set of risk categories to be assessed at critical points, such as when a third party starts work, during the lifetime of the contract and when the agreement is terminated.
The key questions that need to be asked are: Will the third party handle sensitive data on behalf of the firm? How will they control that data and what happens to it when you terminate the contract?
There is also a need to check if the third party has a business continuity plan that supports the specific services you are buying from them and then, if that has been tested, ask can you observe the tests?
That should be reinforced by a review of how the third party will deal with any crisis, such as a cyberattack or data breach, and what services they will provide, as well as what service levels you can expect.
Then there is the question of what will happen if there is market-wide disruption and how the third party will prioritise your company.
That needs to be supported by a check of your own resources to make sure you can manage the contracts that are being serviced, or if there is a major concentration risk. Again, the chief operations function will need to make sure that third-party risk is an ongoing consideration, well beyond contract signature.
Approach change management with rigour.
A major challenge in managing resilience is that organisations regularly change their technology as they evolve and grow. The increasing speed and scale of such digital transformation increases risks significantly.
The FCA says that between October 2017 and September 2018, poor change management caused around a fifth of reported operational incidents.
Yet financial services organisations told the FCA they have strong governance with enough senior engagement, clear accountabilities and an adequate resilience strategy.
This shows an under appreciation of the impact of disruption and how practices, processes and risk culture are key to a firm’s overall resilience.
The biggest issue is that change is often poorly co-ordinated and carried out without a deep understanding of the context.
What might appear like small and localised technical changes can have a huge impact on wider systems if the person carrying out the change does not appreciate the context and has not taken that into account in preparing for the change.
Testing is often a particular weakness when changes are tested in isolation and sometimes in environments that are not representative of the final environment.
The means the chief operations function should have a thorough understanding of planned changes and have the ability to scrutinise change on a regular (typically weekly) basis.
Understand the cyber risk
There is also a particular need to understand the cyber security risks facing the firm and establish robust and pragmatic governance, and the associated management systems, to address and reduce the impact of those risks.
One way to do this is to use CBEST, a security exercise mandated by the Bank of England.
It is focused on the more sophisticated and persistent attacks on critical systems and essential services.
By conducting CBEST testing, organisations replicate the evolving threat landscape and ensure continued resilience to attacks.
It is highly effective and some of PA Consulting's clients are running CBEST tests as a hygiene practice on top of the regulatory requirement.
But CBEST is not the only way to prepare.
Management teams will need to run simulations to understand how prepared they are. Simulating a cyber attack with your senior response team will allow you to put the firm’s resources under pressure and assess the suitability of your planned response.
These should focus on determining if you can make decisions about failing over or shutting down systems quickly, and assessing the possible implications for customers.
You also need to know if you have the necessary deep technical skills (for example, e-forensics) available to support you, and if your cyber and business continuity plans work together.
That includes checking if there are manual work-arounds if you have to shut down part of your IT estate and if your vendors can help you to clear backlogs of work.
You should also have a plan to get back up and running again.
While cyber attacks cannot always be prevented, they generally exploit weak processes and human vulnerabilities and you should make sure your defences have the basics right.
Following the National Cyber Security Centre’s Cyber Essentials and training staff to be your strongest defence will provide a solid foundation for this work.
While getting effective resilience in place presents challenges, overall, there will be a competitive opportunity for established financial services organisations and new entrants that get it right.
As the UK adapts to an uncertain future, operational resilience will be vital in maintaining customer and regulator trust and firms need to take the steps now to meet the new requirements effectively.