Parliament raises the bar on operational resilience
30 October 2019
On 9 July we gave evidence to the Treasury Select Committee (TSC) on its review of IT failures and the broader operational resilience challenges within financial services. We wrote about the experience here. The TSC published its final report on 28 October with a clear message: Parliament expects the sector and regulators to take urgent action to build operational resilience.
With an increased number of operational outages in recent years, the debate on operational resilience has intensified. In July 2018 the BoE, PRA and FCA published a discussion paper on operational resilience. In June 2019 PwC published a report, Operational resilience: time to act, in partnership with TheCityUK. There we identified the key threats to operational resilience and made a number of recommendations to industry and the regulators on how these can be mitigated; many of these have been drawn through into the TSC report.
The TSC’s report confirms that it places as much importance on operational resilience as it does on conduct and prudential risks. So it is no surprise that there are some strongly worded recommendations largely for the regulators and industry, and also for the Government. So what does the report say and how might it influence the discussion on operational resilience?
The headline for firms is unequivocal. Parliament expects to see an increased investment in building operational resilience. This includes addressing the prevalence of legacy systems in the financial system. At the same time the TSC expects firms to apply a resilience lens prior to the adoption of new technologies, to ensure a balanced view of both the threats and opportunities they present.
The TSC is looking for a strong regulatory regime on this topic and has thrown open the doors on what this could look like. Oversight of firms may, it suggests, require a change to the current supervisory approach to ensure there is sufficient rigour in holding firms to account on aspects such as large-scale change programmes, customer communications and incident management. There is also a suggestion that regulators may need to be more forthcoming in setting out their ‘tolerance levels for failure’ (impact tolerances) within the industry, given concern that firms may accept more disruption than they should.
While the Senior Management and Certification Regime (SM&CR) is widely acknowledged to have brought about significant change in terms of individual accountability, the TSC is looking for more evidence that it can be used effectively in enforcement cases to hold individuals to account. In spite of this, in our view the regime has already driven real change in the way operational resilience is managed in firms, particularly since the introduction of the Senior Manager Function for operations (SMF24). So the TSC’s recommendation that the regime should be extended further to include the Financial Market Infrastructures supervised by the BoE is to be welcomed.
No examination of operational resilience would be complete without a view on interconnectedness. Concentration risk and interdependencies, if not managed correctly, are profound threats to operational resilience at a systemic level. It is in this context that the TSC recommends, firstly, that the regulators reconsider a decision to map in one place the key dependencies within the industry, to understand these channels of contagion. This is an important step in being able to test the operational resilience for the financial services ecosystem as a whole. Secondly, it is also notable that the TSC has joined the growing chorus of voices internationally calling for greater regulatory scrutiny of Cloud service providers, something which may require the regulatory perimeter to be extended.
All of this, and more, may need a larger regulatory team, so the TSC has suggested the authorities consider increasing industry levies to fund this investment. In the near term it expects the regulators to build their own skills and capabilities in operational resilience. We think this can come in part through secondments from private sector firms (e.g. technology firms) and the appointment of skilled senior advisors.
Those of us who have been talking to the TSC on operational resilience over the past two years will be unsurprised by the tone and focus of its report. Of course, at this stage the proposals in the report are just recommendations, and they will require the regulators and in some cases the Government to accept them. But the report represents another highly influential voice in the ongoing debate on operational resilience, and the call for a tougher regulatory stance is likely to have an impact. Firms should follow this discussion closely but also take steps to address Parliament’s concerns where possible. If you are looking for help on the journey, please reach out, or start things off by reading our recent white paper on how to set and test impact tolerances.