Ensuring resilience - from Cloud to climate change
27 June 2019
Just as policemen seem to be getting younger, so the pace of change outlined by the Governor of the Bank of England in his annual Mansion House speech appears to accelerate every year, and this year has been no exception. Some of the statistics thrown out by Mark Carney at this year’s Mansion House event are extraordinary: last year, one fifth of sales were online, whereas this year it will be one quarter.
When it comes to Cloud, the data cited by the Governor is even more staggering: now a quarter of major banks’ activities and almost one third of UK payments activities are hosted in the Cloud, and - probably most astonishing of all - only two providers account for nearly half the revenues from cloud computing.
When you consider these developments together with the increasing consumer expectations that accompany them, the implications for firms’ operational resilience are profound. There is no doubt that the Bank of England recognises this and is trying to address it. It is interesting, for example, that when Mark Carney referred to Libra - the proposed cryptocurrency to be launched by Facebook and others - he cited operational resilience as one of five minimum standards that such a product would have to meet. The other standards were: prudential, consumer protection, data protection and anti-money laundering.
The PwC/TCUK joint report “Operational resilience in financial services - time to act”, published earlier this month, explores the impact that technology and the Cloud in particular are having on firms’ operational resilience, and considers ways of addressing the concentration risk that this can lead to. Are existing contractual terms around audit, stress testing and governance adequate? Do firms understand the extent of their concentration risk? These are just a few of the questions firms need to grapple with to ensure they are sufficiently resilient, our report suggests.
The Bank of England’s response to Huw van Steenis’ report on the Future of Finance was published to coincide with the Governor’s Mansion House speech. This response announced, among other things, the publication of a supervisory statement this autumn, setting out the PRA’s modernised policy framework on outsourcing arrangements and how firms can get adequate assurance over their use of Cloud. From the interviews conducted with C-suite individuals across financial services as part of our report, greater clarity and guidance on expectations around third-party arrangements will be welcome. The Future of Finance report also explored potential data recovery mechanisms such as the Sheltered Harbour initiative in the US. Our report discusses these potential solutions too and finds that there would be an appetite among firms for this approach in principle. But it’s interesting that this topic was not referenced at all in Mark Carney’s speech.
The other area of focus of the Governor’s speech was climate change, and he took the opportunity to announce the introduction of stress testing in 2021 to test the resilience of firms against different climate pathways. The impact of climate change on firms’ resilience may not be as obvious and immediate as that of cybercrime, for example, but it should nonetheless not be overlooked. Whether this impact comes from a physical event, such as flooding, or from a badly managed transition to a carbon neutral economy, the costs could be significant.
It is interesting to see how much the regulatory responses to climate change and operational resilience have in common. This includes an emphasis on transparency, the introduction of stress testing, inclusion of responsibilities within the SM&CR regime and a call for a greater embedding of climate/operational risk management in decision-making. But in our report, we argue for even greater commonality of approach. The recommendations of the Financial Stability Board’s Task Force for Climate-related Financial Disclosures provide a framework for analysis, with guidance across strategy, governance, risk management, and metrics and targets that we believe could be usefully applied to operational resilience.
A clear theme from the interviews we conducted as part of our report preparation was the need for clarity around how existing regulatory initiatives overlap. As the regulatory responses to operational resilience and climate change unfold together, there is a real opportunity to achieve coordination and identify best practice. This will be key to ensuring firms can keep up with both the pace of change and regulators’ evolving expectations.