Parliament keeps the spotlight on operational resilience
15 July 2019
When you enter the Houses of Parliament it is impossible not to be impressed by the historical significance of the setting. But despite the Victorian grandeur of the location we were there last week to discuss a very modern phenomenon - IT and other operational failures in the financial services sector. Following a number of high profile operational incidents in the financial services sector in recent years, the Treasury Select Committee (TSC) has launched an inquiry into this topic. We were very privileged to be called to give evidence to the first public session of the inquiry to discuss a recent report we produced with TheCityUK on operational resilience.
The inquiry, and our discussion with the Committee, reinforces (once again) the importance that policy makers in the UK are placing on operational resilience. This is unsurprising in light of the impact operational outages have on customers and the growing risk of an operational incident causing serious harm to an individual firm or a severe operational event even impacting on financial stability. Last year saw the publication of the joint discussion paper from the BoE, PRA and FCA on operational resilience. A consultation paper is expected in the autumn, meaning the regulatory focus is not letting up. The TSC’s inquiry may still be in an early stage, but it has the potential to be highly significant for the financial services sector. Based on previous Parliamentary inquiries the outcome is likely to be a range of recommendations to Government, industry and the regulators. So the views of the TSC may influence and shape the regulators’ future approach to operational resilience.
As we have said many times operational resilience is an outcome, and achieving it means being able to react to a diverse range of risks and challenges. So it’s unsurprising that the range of topics we discussed with the TSC was very broad, but some key ones included:
- The role good governance and accountability plays in ensuring operational resilience. It is vital that boards and senior leaders take responsibility for driving improvements in resilience. We stressed the importance of the right culture in firms, one that encourages openness in raising issues, curiosity to ask the right questions and seek answers and humility to identify risks and learn lessons from issues that do occur.
- The impact the technology revolution is having on the sector’s resilience. Technology represents a huge opportunity to improve customer experience, drive efficiencies and to increase the sector’s resilience. But new innovations and increased digitalisation also bring new vulnerabilities. Developments such as an increased reliance on cloud computing providers bring significant benefits to firms’ IT capabilities, but also challenges such as concentration risk and vendor management that need to be identified and mitigated.
- The importance of having individuals with the right skills to meet the operational resilience challenge was a theme which came up repeatedly. Does the sector have access to the right skills? Do boards have the expertise to understand and scrutinise technical topics such as IT change programs? What extra skills and resources do the regulators need in this area? It is clear that more needs to be done across the industry, and in fact across the wider economy, to build the skills needed.
- The fact that building operational resilience is a business, as well as a regulatory imperative. The expectations of customers and counterparts are increasing and we see considerable scope for competitive advantage for those firms that have embedded resilience throughout their operations.
- Finally, the question of the appropriate role that regulation and supervision should play in building the sector’s resilience. We are clear that having the UK regulators leading the debate on operational resilience at the global level is beneficial, but coordination with the public authorities in other major jurisdictions is key. The regulators also have a key role to play in encouraging greater cooperation and coordination in an inherently interconnected sector. It is in everyone's interest to develop a better understanding of the key channels of operational interdependency, something which will allow a fuller debate on where the regulatory perimeter should sit.
So what does all this mean for the financial services sector? It is too early to say what the outcome of the TSC’s inquiry might be, but some important themes may be emerging: the importance of good governance and senior level accountability, the impact of technology, the importance of having the right skills across the industry and regulators, and the role the regulators play. Whatever the outcome of the inquiry and future policy development by the regulators, what is certain is that firms and the sector as a whole needs to continue its focus on building operational resilience. Not only is this the expectation of policy makers in the UK, it is also increasingly a commercial imperative.