Facing the future with resilience

22 January 2018

As we summon our energy and resolve for the year ahead, one thing is for sure in an otherwise uncertain landscape: operational resilience is going to be at the heart of the regulatory agenda in 2018.

It is worth reflecting for a moment on the current regulatory context. After 2008, regulators understandably prioritised financial resilience to address the urgent and systemic issues that caused the financial crisis. They then focused on tackling the conduct issues that were such a key contributory factor. As MiFID II finally comes into force, the last major piece of that jigsaw is now in place.

But the world has changed since the financial crisis. The birth of Cloud technology, together with a proliferation of inter-dependencies across the financial ecosystem (some of them born out of the regulatory response to the financial crisis), has meant that systemic risks have sprung up in new forms. Security vulnerabilities further up the supply chain, for example, could result in significant disruption and financial loss across multiple institutions.

The prudential and conduct measures put in place since 2008 are not now enough to protect consumers and the sector from new, potentially greater threats. Regulators are rapidly turning their supervisory attention to operational resilience. They have recognised the similarities between operational resilience risk and the lack of financial resilience that caused the last financial crisis, and are responding by addressing both individual and systemic vulnerabilities.

We’ve already seen several tangible examples of regulators responding to operational risks:

  • The Prudential Regulation Authority’s (PRA) ‘Dear Chairman exercise’ reviewing the technology and cyber resilience of the UK’s major banks.
  • The CBEST testing of cyber resilience.
  • The introduction of the chief operations senior manager function (SMF24) to the Senior Managers Regime and corresponding prescribed responsibilities.

But we expect much more to come.

The UK is arguably leading the way with this supervisory focus on operational resilience, but at an EU level, there are a number of key regulatory changes that will impact firms during 2018. For example, the General Data Protection Regulation (GDPR) that comes into force in May 2018 will expose firms to the potential for eye-watering fines for data breaches.

In addition, the Network Infrastructure Security Directive (NIS) needs to be transposed into national law by May 2018. It aims to improve Member States’ cybersecurity capability along with cross-border collaboration and to improve national oversight of “operators of essential services”. Member States have until November 2018 to identify all operators of essential services, which will include credit institutions, financial market infrastructure providers and digital providers.

What is both daunting and exciting about NIS is that it recognises the need for cross-border and cross-sector collaboration. It acknowledges that the systemic nature of today’s risks is not limited to one regulator, sector or jurisdiction and will require a truly global response.

An obvious consequence of this is to put third party risk in the spotlight. The nature of third party risk has changed beyond recognition over the last seven to ten years and how firms and regulators respond to this change will largely define how successful the sector is in ensuring resilience. While the principle that firms can’t outsource regulatory responsibility is well established, never before have the practical implications of adhering to this principle been so hard to manage. As supply chains become more complex, identifying your dependencies and their materiality becomes harder, not to mention the challenges of securing and exercising sufficient oversight. Add into the mix a profound change such as Brexit that may require rewiring your relationships and transitioning to new arrangements, and the opportunities for something going wrong multiply.

As outsourcing to the Cloud proliferates, regulators’ risk appetite is also developing. The Financial Conduct Authority (FCA) produced some early “Guidance for firms outsourcing to the ‘cloud’ and other third-party IT services” (FG 16/5) in July 2016, and the European Banking Authority (EBA) recently issued further guidance on Cloud outsourcing. The recommendations look at oversight and the importance of establishing effective monitoring.

Crucially, this isn’t just about having the right contractual arrangements in place. It also highlights the importance of retaining the right skills and capabilities to be able to tell if things are going wrong, and to ensure the board of directors has the right focus to be able to intervene where necessary.

Cyber security is obviously a key driver for firms to tackle resilience issues - the reputational, financial and systemic risks are too great to ignore. Following the devastating but relatively unsophisticated ransomware attacks of 2017, we should be braced for more in 2018. We are only as strong as our weakest link, and hackers will look to exploit vulnerabilities in our supply chains and undermine key relationships.

Given the geo-political situation and regulatory agenda over the next 12 months, firms would be right to view operational resilience with trepidation in 2018. But equally, it marks an exciting new chapter for the financial sector. Those firms that tackle resilience holistically and that innovate effectively, armed with the knowledge from the last few years around the importance of accountability, transparency, continuity and cooperation, will find that robust operational resilience could be a key differentiator for their business and enhance their relationships with their regulators.

Hannah Swain | Director
