Taking accountability for operational resilience
20 February 2019
The operational resilience of the financial services sector, and particularly the banking sector, has rarely been out of the news in recent years. How are senior industry leaders feeling as yet another operational failure hits the front pages? What is clear is that the impact of outages on consumers means industry, regulators and other policy makers are increasingly prioritising the topic.
At the heart of the regulators’ philosophy on operational resilience is a view that boards are responsible for ensuring the resilience of their institutions, but that senior individuals, in the form of the holder of senior manager function 24 (SMF24), should also be held to account for operational failings. The SMF24 has been in force as part of the Senior Managers & Certification Regime (SM&CR) for over a year now, so what impact is it having on the way firms manage operational resilience? How are firms approaching the role? What are the broader governance challenges around operational resilience? Below we set out some of our thoughts on these key questions, based on our experience of working with banks and a recent roundtable we hosted with SMF24s from a number of leading financial institutions.
SMF24s have ‘responsibility for managing the internal operations and technology of a firm’. The scope of the role is clearly very broad and we know that many SMF24s find the potential scale of the issues they could be held to account for daunting. But our view is that the introduction of the role has had a positive impact in driving a greater focus on operational resilience across the banking sector.
While the impact of the role has been positive, SMF24s on their own will not be able to solve the problem. For firms to reach the level of resilience that the regulators, customers, society and they themselves seek will require a concerted effort by all, from the boardroom down. The BoE/FCA Discussion Paper from July 2018 makes clear the importance of governance in addressing operational resilience and, with a consultation paper expected to follow later this year, broader governance is likely to remain a key theme for the regulators in the context of operational resilience.
The SMF24 is unusual in that it was introduced into the SM&CR after the regime came into force, and it is the only role that may be split (rather than shared). Where the SMF24 is split, the PRA does not expect it to be split among more than three individuals.
The majority of firms have chosen to split the role, typically between the Chief Operating Officer (COO) and the Chief Information Officer (CIO), with overall responsibility for internal operations assigned to the former and for technology to the latter. In light of the breadth of the responsibilities assigned to SMF24s, splitting the role is perhaps necessary, but in our interactions with clients the split gives rise to some important questions. For example, does the fact that a COO may sit on the firm’s board while a CIO does not create a hierarchy of SMFs? Does a split between COO and CIO reinforce a silo between technology and ‘the business’? Are SMF24s able to ensure that a firm’s strategy is properly informed by operational resilience considerations, particularly where strategic decisions may be made outside the UK? In the event of a failure, who will be held to account by the regulators?
What is clear is that, for the renewed focus on operational resilience to have the required effect in firms, senior leaders throughout the business need to embrace the philosophy of operational resilience and embed it in the processes that support them in delivering their commercial goals. Firms should ensure that accountability for operational resilience sits not just with SMF24 holders but also with other key senior individuals throughout the firm, including those captured by the certification regime. In our discussions with firms we often find broader challenges in ensuring governance oversight of operational resilience. These include ensuring adequate management information on key risks, getting the right skills and experience onto boards, and ensuring an understanding of the end-to-end processes required to deliver services.
It is inevitable that, as a new requirement such as the SMF24 beds in, there will be questions around how it functions, but 15 months after its introduction our view is that the regulators made the right choice in bringing it into the regime. With the SM&CR applying to insurers from December 2018, to the rest of the financial sector from the end of 2019, and the PRA’s SM&CR rules applying to EEA bank branches after Brexit, a much broader set of financial institutions and individuals will have to apply the requirement in future. For these firms, important lessons can be learnt from the experiences of the banks since late 2017.
All firms should consider how they can improve their approach to the governance of operational resilience, in particular by ensuring that boards and other key decision makers understand the end-to-end delivery of each critical business service and that the risk information they receive supports this understanding. Our experience of working with firms dealing with operational incidents shows that gaining this understanding before a crisis event pays significant dividends. A customer-centric view of operational risk and resilience also allows board-level leaders to make better investment and risk decisions. For SMF24 holders, both current and future, there must be a clear focus on clarity of responsibilities, on how those responsibilities are discharged, and on ensuring the right steps are taken to address risks in their area of accountability.