Disruption - the new reality

28 November 2018

In a speech introducing the results of the FCA’s cross-sector survey of technology and cyber resilience, Megan Butler, Executive Director of Supervision, delivered a stark message:  firms must be braced for more IT and cyber incidents and do more to address the threats adequately.

The survey presents a number of interesting findings that suggest some firms have misplaced confidence when it comes to their ability to deal with disruption. This could be the result of inaccurate data or a lack of full appreciation of the risks. It is no coincidence that, as the survey shows, the sectors which have experienced the most high-profile incidents in the past display the greatest level of operational resilience maturity. Past events help concentrate the mind, and one of the challenges for the FCA and the PRA is to achieve this level of focus across the whole sector before something goes wrong.

And, as emphasised by Butler in her speech, there are many opportunities for things to go wrong.  Consider the pace of innovation and the growing interconnectedness of the financial ecosystem, together with the increased appetite and opportunity for both state-sponsored and rogue attacks, and it is easy to feel overwhelmed by the challenges firms face.  How do you effectively oversee your third party dependencies and understand what dependencies they have? How do you make sure your board has the right information upon which to make strategic and investment decisions? How do you manage the growing concentration risk posed by some of the “utility” providers such as AWS and Google?  How do you make sure your IT function speaks the same language as the rest of your business? The list is endless.

Regulators are painfully aware of these challenges and are responding robustly.  The Financial Policy Committee’s announcement of a pilot stress test and the joint regulator discussion paper on operational resilience, both published over the summer, clearly support the assertion that for regulators, operational resilience is as important as financial resilience.  

The fact that operational resilience is high up on policy makers’ agendas was again underlined by the announcement last Friday that the Treasury Select Committee has launched an inquiry into the operational resilience of the financial sector.

But while the FCA is in no doubt that the growing threats will lead to more enforcement actions, it doesn’t have an appetite for zero failure. The regulatory response foresees that incidents will happen, and its focus is as much on how firms respond to and learn from these incidents as it is on prevention.

While cyber threats may manifest themselves in a firm’s technology, the solutions largely lie with a firm’s people and culture.  Having strong leadership with a deep understanding of the culture and incentives that exist in an organisation, promoting transparency and demonstrating a humility and a willingness to learn from previous incidents are all needed to counter the growing risks.

When thinking about operational resilience, the letter “C” seems to have a disproportionate role to play.  It signals some of the key threats to resilience such as cyber, climate change, change programmes and concentration risk - but it also offers some of the most effective solutions: culture, collaboration and communication.  Firms need to break down silos in their own organisations and the sector as a whole needs to find ways of collaborating where appropriate. Above all, the sector and its regulators need to work together to improve dialogue, transparency and testing.  If the sector can achieve this, it will find that it is greater than the sum of its parts and will prove itself a force to be reckoned with.

Simon Chard | Partner
Profile | Email |  +44 (0)7740 241 051

Hannah Swain | Director
Profile | Email | +44 (0)7803 590 553

Comments

In my experience, the C-word that is the source of most operational incidents in the Financial Sector is “Change”. Planned change, on a relatively minor scale all the way to the large-scale, high risk business & technology integration weekends. The impact of failure at either end of this change spectrum can be very significant indeed. The focus on change governance & scrutiny has helped to reduce the frequency of poorly planned change being authorised. The actual execution of planned change, however, too often still relies on antiquated spreadsheets, combined with human intuition and experience.

As I type, PwC UAE are working on one of the largest technology integrations ever attempted in the UAE Financial sector. The complex cutover plan is being actively managed by PwC and Client staff using ICEFLO, which is our solution.

I don’t wish to hijack a discussion blog but wanted to share this fact to demonstrate that change, and the operational resilience risks associated with change, can be managed in a way that increases the other C-words that come into play. Calm, Control, Collaboration, Comfort.

I’d be delighted to connect up and have a conversation. Regards
