Stalled at the lights: meeting regulatory expectations for operational resilience
The lights have gone green and a range of banks, insurers, asset managers and wider financial services organisations have started their operational resilience programmes in earnest to follow regulatory guidance.
In the UK both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have made it clear that operational resilience is as important as financial resilience, and it is likely that the published policy at the end of Q1 will closely follow the principles and draft policy set out in the recent consultation papers. In 2020, global regulators and bodies increasingly issued equivalent expectations through consultation papers and guidance, a trend expected to continue in 2021.
While most firms we have worked with are using pragmatic, proportionate and repeatable methods to deliver operational resilience, there are significant areas that have been historically neglected, often due to the weight of competing regulatory programmes. These areas require rapid investment and inclusion to successfully address new regulatory focus.
To ensure these oversights are addressed properly, we believe there are three things firms need to do differently in 2021. First, start at the top with active ownership delivered through formalised governance structures. Second, manage third parties to align operational resilience requirements and existing programmes, while managing intra-group arrangements. Finally, firms should rapidly evolve their change controls and processes to assess the impact of operational resilience pillars.
Start at the top
Through a range of meetings and industry platforms, regulators have made clear that defined, board-level sponsorship and “hands on” engagement with the delivery of the programme will lead to a successful outcome. We have found operational resilience governance structures are broadly absent, and that where they are in place, key individuals do not have the detailed understanding required, and no plans for training are in place. Worryingly, we have also seen that a number of senior manager function 24 (SMF24) personnel – responsible for operational resilience under the UK’s Senior Managers & Certification Regime – are not equipped with the appropriate knowledge or resources to successfully deliver on their role.
To address this gap, firms must define the sponsorship and governance for operational resilience, and ensure that tailored and detailed training is provided to board members, SMF24s, important business service (IBS) owners and delivery leads. Delegation of responsibilities needs to be clear and coupled with clear levels of documented supervision.
Align operational resilience requirements
Third parties play an increasingly important part in delivering IBSs for firms. There is an expectation from the regulators that firms will do much more to manage these third parties’ performance, especially where there are operational resilience dependencies and risks.
Existing third-party arrangements and remedial programmes are not sufficient to meet operational resilience requirements. In most cases the requirements have not been communicated, and neither has the urgency to deliver been understood. Procurement teams are stretched and are not asking probing questions on what governance would be in place for each major outsourced contract. We have also observed that when something goes wrong, contractual clauses are not always in place to manage third parties rigorously.
Further, we have observed little awareness or proactive management of intra-group arrangements. Intra-group dependencies will need to consider how they govern operational resilience, especially where there are dependencies on entities in different parts of the world, and how influence can be demonstrated.
To address this, firms must define the third-party and intra-group operational resilience requirements and bake them into their delivery programmes. They must ensure that questionnaires and due diligence for critical third parties are probing and consider “fourth” parties as appropriate. Finally, they must consider governance, change control arrangements, and feedback mechanisms within intra-group arrangements.
Rapidly evolve change controls and processes
Change control processes will continue to be key in preventing disruption to services. Traditionally, change control is rooted in information technology (IT) change, and needs to evolve to include IBSs and mapping. From our recent work with a broad range of clients, we have observed that change control is not being considered or built into operational resilience work programmes. Regulators will be looking to review the change control process, including a focus on incidents, problems and changes, before any changes are implemented.
Firms must therefore take steps to identify gaps and the required improvements to the change control process and supporting impact assessments, and to build change control improvements into their operational resilience programme.
Finally, when the mapping activity for IBSs is completed, firms must test the captured interlinkages and interdependencies, to gain assurance that when a change is planned, the appropriate impacts on different parts of the business can be considered and form part of the testing process to minimise disruption.
Look beyond the lights – to the next junction
Mapping activity – while not yet so far underway to worry about stalling existing priorities – is already being given extensive consideration by regulators, who are already baking it into firm reviews. Therefore, we recommend that firms start to consider some preparatory actions in this area.
For example, firms should ensure there is sufficient mapping coverage, with a focus on interconnectedness and interdependencies, and the right policies, controls or technology in place, so as to ensure high data quality, accuracy and reporting.
In advance of regulatory policy being issued, operational resilience teams are working hard to interpret and deliver against expectations. There are key areas that are not to be forgotten and the initial steps recommended will contribute to the overall levels of resiliency.