Get ahead of operational resilience regulation in five steps

The deadline for financial services companies to respond to a Bank of England and FCA consultation paper on operational resilience passed at the start of October. The paper was triggered by concerns over the tolerance levels in the financial system in the aftermath of cyber attacks on banks including Eurofins and Tesco Bank as well as issues caused by TSB’s IT upgrade. 

The proposed regulation focuses on the business services that, if disrupted, could cause harm to consumers or market integrity. It will mandate that financial services companies ‘set impact tolerances for each of these services and test their ability to remain intact through a range of severe but plausible disruption scenarios.’ These include people, processes and technology. 

Although the regulation itself is not expected to come into force until 2022, now is the time for financial services companies to start taking steps to comply. COVID-19 has already laid bare the need for better resiliency planning and implementation. With Brexit promising even more unpredictable disruption in 2021, the case for taking action now is compelling. 

Below are some key tips for financial services companies on how to approach this exercise.

1. Design and document your existing processes – Without a solid understanding of your existing processes, it is impossible to build a first-class resiliency plan. Automated process-mining technology has a key role to play here, as it can help identify the root cause of poorly performing processes and identify hidden bottlenecks. 

2. Start with the most critical processes first – Don’t get deterred by the sheer volume of processes within the organisation. All problems are easier to solve when they’re broken down into chunks. Prioritise the most critical ones, and concentrate on building a smooth cadence of designing, simulating and mapping them. 

3. Ensure your plans are cost and resource-efficient – It’s always tempting to move ahead with the first resiliency plan that you build, but even in a crisis, it is critical to ensure that it is the most practical and most financially viable of all available options. Again, software can help to rapidly simulate and stress test its impact on budgets and human capital. 

4. Build a single source of truth – Too many resiliency plans get built and signed off, but then put in a drawer until the next audit comes around. The best way of demonstrating that your organisation is compliant, as well as ensuring that the whole business is ready to activate against the plan, is storing it on a platform that everyone can quickly access. 

5. Embed an annual review cycle – The financial services industry is a highly dynamic sector that is constantly reacting to changing technological, economic, societal and regulatory shifts. These shifts will often create subtle changes that impact the robustness of your resiliency plans. Make a point of simulating and reviewing them on a 12-month cycle. 

When the operational resiliency consultation opened in 2019, no one could have foreseen the unprecedented upheaval that was about to take place in every sector and country as a result of the COVID-19 pandemic. 

However, in its aftermath financial services companies must act quickly to build and embed operational resilience into their business in a deeper and more fundamental way than ever before.

Henry Bush is Regional Manager, EMEA, at Signavio.

The views and opinions expressed in this Viewpoint article are solely those of the author(s) and do not reflect the views and opinions of Fintech Bulletin.