Technology: Bringing your biggest Operational Risk exposure in from the cold
29 June 2017
The risks associated with reliance on technology are significant and increasingly complex to manage, and the threats to which that technology is exposed are growing in both frequency and sophistication. The European Banking Authority (EBA) guidelines on the assessment of Information and Communication Technology (ICT) risk under the Supervisory Review and Evaluation Process (SREP), published on 11 May 2017, signal an increasingly structured focus on technology risk by regulators.
To date, regulatory interventions following significant technology disruptions have tended to focus on the impact on customer and market conduct outcomes. The EBA's Guidelines now firmly establish ICT risk as a 'risk to capital'.
Regulatory guidance is converging
Historically, the guidance issued by European regulators on technology risk has largely been principles based and these guidelines will provide some welcome insight into rapidly emerging expectations. They will also drive a common methodology across European regulators for assessing ICT risk. It is our expectation that the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) will declare their intention to ‘comply’ with the guidelines and they will expect the minimum controls to be in place.
The EBA guidelines are consistent with the regulatory ‘direction of travel’ following the ‘Dear Chairman’ exercise focused on the retail banks a couple of years ago. This journey has continued with the following developments since October 2016:
- European Central Bank (ECB) ‘Stocktake and ICT risk supervisory practices’;
- Central Bank of Ireland guidance issued on IT and Cyber Security risk;
- FCA Technology and Cyber Resilience information request to firms across the sector preceded by their 2017/18 Business Plan which includes focus on market IT and Operational Resilience.
Areas of challenge
The ECB’s recent stocktake urged European regulators not to accept basic risk management capabilities with respect to technology and cyber risks. We are already seeing technology failures leading to regulatory enquiries or investigation. Under the new regime, firms should anticipate greater scope for the use of capital charges.
In our experience, firms can struggle to identify 'critical' systems in line with regulatory expectations. This is particularly the case when it comes to understanding how in-house, shadow IT and third-party technology together support an end-to-end business process. Governance and oversight of ICT risk can also be a challenge across complex and legacy estates.
ICT risk management practices at firms will be at different levels of maturity and may not fully align to the expectations implied by the guidelines.
Meeting regulatory expectations
Financial institutions will already be focused on preparing for the General Data Protection Regulation (GDPR), the Senior Managers and Certification Regime (SMCR) and, where applicable, ring-fencing. This work should be built upon to meet the requirements of the EBA guidelines.
Ahead of 2018 implementation, firms should be assessing the existence and consistency of their current capabilities and how the evaluation of ICT risk is embedded within formal Operational Risk practices. With ICT risk increasingly the poster child of Operational Risk (some firms express it as 50% or more of their exposure), mainstream risk processes should be applied to this technical area with purpose and priority.
Please read our recent blog on how financial institutions should prepare for regulatory assessment of ICT governance and risk management practices as part of broader operational risk.