Becoming operationally resilient - the imperatives: Part 1 - The regulatory imperative
31 May 2019
How can you say you’re good at change management when it’s the most common cause of IT failure?
How are you able to manage the relationships with your growing network of third parties?
Forget questionnaires, how will you perform when we put your cyber framework to the test?
These are the frank questions the FCA is likely to ask financial services firms this year based on a reading of its 2019/20 business plan, published in April. This is the latest publication showing that regulators have their sights squarely set on ensuring that firms are operationally resilient, and comes after the PRA published its own business plan. In the first of a two-part blog looking at the drivers for firms’ action on operational resilience we consider the regulatory imperative; part two will cover the commercial imperative.
You may have been eagerly waiting for the regulatory business plans to help you understand how to pass the “regulatory test”. The snapshot above shows that there are indeed some big questions on this particular test, while you wait for the “final exam”, in the form of the joint authorities’ consultation paper due later this year.
Together the FCA, PRA and Bank of England have a strong voice on this topic and are seen to be leading the thinking on a framework to improve operational resilience. What do we mean by operational resilience? PwC defines it as “the embedding of capabilities, processes, behaviours and systems, which allow a firm to continue to carry out its mission in the face of disruption regardless of its source”.
Firstly, it should come as no surprise to firms that the FCA will train its eye on their change management methodologies, and this is not limited to regulatory change programmes but extends to wider business change. We all know by now the paradox reported in the FCA’s cyber resilience survey: that firms, in general, assess their change management practices as ‘mature’, and yet those same practices are attributed as a major cause of operational incidents. The FCA rightly wants to understand this better, but the topic is more complex than that. The industry must recognise that change management methodologies cannot stand still - they need to adapt to support innovation and resilience agendas. How? Some firms are doing this already by getting the business and IT function to work more closely together, or by working on smaller, more frequent technology releases. Regulators also have their part to play in looking at how the sum of all regulatory change itself impacts on a firm’s operational risk profile.
Secondly, firms’ management of third party risk is also getting greater attention, not just in the UK but on the European stage. There is now an active public debate on the regulatory perimeter and whether critical service providers (such as some technology firms) should fall under specific requirements, as the ESAs have suggested recently. The FCA is right to form an understanding of where the dependencies lie. Regulators are arguably best placed to create such a map showing dependencies inside and outside the perimeter, though they are clearly reliant on the information that firms provide. By contrast, in the US, eight banks have taken the initiative in setting up an organisation looking at systemic risks to the US financial system caused by cyber threats (see FSARC). Either way, industry and regulators have to work together to move this debate forward.
Thirdly, so far the regulators have relied mainly on self-assessment surveys and reviews of major incidents to inform their view of firms’ resilience. The FCA’s business plan signals a shift to more cyber tests with “priority” firms to build a more informed view of the readiness of firms to withstand an attack. Supplement this with some multi-firm supervisory work and the regulators start to gain a much richer insight.
While the business plans may not shed further light on the detail to be included within the future policy statement, we can be clear from the FCA’s messages that regulatory focus will sharpen on holding firms to account against existing principles and rules in this space.
However, the regulatory imperative is only one part of this story. Part 2 of this blog, next week, will consider the commercial imperative to becoming operationally resilient…