
Regulators in the UK and further afield are homing in on the operational resilience of firms in the financial services sector and those that serve it, write Bradley Rice, Adam Jamieson and Nisha Sanghani.

The financial services sector has always been characterised by complex and evolving risks. Firms are facing novel, unanticipated and more systemic risks from a new era of geopolitical volatility, the current economic climate and a renewed focus on the digitalisation of financial services following the Covid-19 pandemic.

These are, as the saying goes, unprecedented times and these organisations are sailing in uncharted territory. With the regulatory lens firmly fixed on operational resilience, it is clear to see why new defence mechanisms and a step change are required. 

Recent history and a series of high-profile outages have demonstrated that, as well as causing business disruption, a lack of focus on operational resilience can cause wide-reaching harm to customer outcomes, threaten the viability of firms and severely undermine market integrity.

It is no wonder the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) say that ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets.

Efforts to establish operational resilience within financial services businesses have often been haphazard or poorly co-ordinated. The complexity of managing operational resilience across important business services in scenarios that cover business as usual, as well as periods of change, is no easy feat.

Operational resilience requires the ability to prevent, adapt to, respond to, recover from and learn from operational disruptions, so the key is to consider it in a holistic way. One must contemplate the interconnectedness between and alignment of operational risk, technology risk, third-party risk and financial resilience.

These elements cannot be considered in isolation, though this is too often the case. After all, sound operational risk management practices lead to resilience, and operational risk management covers various types of risk, including technology, third-party, data and continuity risks. 

Accountable executives and senior management are often unaware of the unacceptably high levels of risk to which their institutions are exposed. Perhaps most importantly, many have failed to appreciate – and mitigate – risks introduced through protracted supply chains, outsource providers and operations that extend across multiple jurisdictions. 

Under the new operational resilience requirements now effective in the UK, this is no longer acceptable. Senior managers will likely be held to account if they fall foul of them, or if all vulnerabilities are not resolved by the 2025 deadline. We expect UK regulators to focus their attention on senior managers with responsibility for core infrastructure and operations, including oversight of outsourcing arrangements. 

We have already seen the PRA and FCA take enforcement action against a large bank at the end of last year relating to failings associated with an IT upgrade programme. This is a clear warning to the sector that operational resilience is not just a supervisory priority but also an enforcement priority for regulators, particularly in the event of a crystallised risk that adversely affects markets or customers.

Beyond the UK

The focus on operational resilience is a G7 commitment. It is therefore fair to say that the problem is a global one. In the EU, the Digital Operational Resilience Act (Dora) solves an important problem in that EU financial regulation has previously not kept up with the pace of technological advancement and the new categories of information communications technology (ICT) risk and cyber risk that this brings. 


Before Dora, financial institutions managed the main categories of operational risk mainly with the allocation of capital, but they did not manage all components of operational resilience. After Dora, they must also follow rules for the protection, detection, containment, recovery and repair of ICT-related incidents. 

Dora explicitly refers to ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The regulation acknowledges that ICT incidents and a lack of operational resilience have the possibility to jeopardise the soundness of the entire financial system, even if there is adequate capital for the traditional risk categories. 

Running in parallel to the Dora implementation, EU supervisory authorities, such as the European Central Bank, will continue to expand their capabilities in cyber and IT risk and carry out further targeted investigations into cyber resilience. This is a sobering thought and puts even greater pressure on organisations to build this knowledge among senior management, who will clearly be held to account. 

In Europe and the UK, regulators will increasingly look at the sectoral resilience of financial services more broadly, particularly in relation to critical third parties (CTPs). For the first time, non-financial services providers that provide vital services to large parts of the financial system will be subject to regulatory oversight. This is widely expected to include the biggest cloud providers, and will expand to other infrastructure and data providers.

One of the key issues will be in setting a standard for the resilience of CTPs which allows for international alignment. There are already concerns in this space, with the UK potentially focussing on the oversight of significant services, and the EU opting for a broader definition. The US is also playing catch-up.

A key risk for senior managers to understand is that the development of CTP oversight frameworks will not replace their responsibility to conduct third-party risk management or manage the operational resilience vulnerabilities associated with third-party exposures. 

Recent market events, including the Covid-19 pandemic, various cyberattacks and enforcement cases, have shown why it is vital for firms to understand the services they provide and invest in their resilience. As we move further into an outcomes-based regulatory regime, where any poor customer outcomes or threats to market integrity will not be tolerated, it is anticipated that senior managers will be held to account for any failings in this regard.

Supervisors are set to be on the lookout for tangible evidence to demonstrate that senior managers and the board have been pivotal in constructing resilience. 

On the basis that maintaining robust defences against operational and technology risks does not come naturally to many financial services businesses, and given that achieving resilience requires some smart thinking around the interconnectedness of various risks, it is likely to be a long road ahead for any organisations without the right advice.


Bradley Rice and Adam Jamieson are partners at Ashurst LLP, and Nisha Sanghani is a partner at Ashurst Risk Advisory LLP.
