There is something perversely appropriate about conducting an overhaul of operational-resilience regulation in the middle of a pandemic. It may seem somewhat akin to updating safety protocols on a cruise liner in the midst of a Force 10, but nothing could have focused minds on the value of resilience more than grappling with the live challenges of disruption.
While the pandemic has enhanced awareness of the issues that organisations face in adapting to new rules (such as those recently issued by the UK’s PRA and FCA), the common experience has not been what a casual observer might have predicted.
It’s not so much that the pandemic has shone a light on how inter-connected we are as a global population. After all, operational connectivity has allowed financial services businesses to scale across borders, and as such, they are acutely aware of the challenges of encompassing a patchwork of local regulations (a challenge that may be further accentuated by Brexit). By contrast, and contrary to initial concerns, the pervasive but consistent nature of the pandemic has made it more straightforward to deal with. For global institutions, the uniformity and lack of any significant time sensitivity have meant that recovery strategies have been relatively straightforward to execute.
On the other hand, the way in which the UK regulatory authorities have framed their resilience rules suggests there will be greater long-term complexity for global operating models. The PRA / FCA concepts of ‘Important Business Services’ and ‘Impact Tolerances’ are certainly welcome in explicitly tying the understanding and management of operational resilience to customer outcomes. However, the critical resources required to deliver these Important Business Services often span entities operating under different rules, serving customers and markets in a range of geographical locations.
When we then consider the UK requirements around defining and testing Impact Tolerances, we start to see the nature of the management challenge. Questions are immediately raised about the way in which Services are prioritised and restored during a ‘severe but plausible’ disruptive event – and consequently the value of consistent, cross-entity SLAs becomes less clear. If a more immediate or sizeable impact is identified for UK-facing services, does this mean that a bifurcated resource management approach is required? Or should resources operate to the shortest-duration/highest-volume impact identified across a global service offering?
It’s important to note that the principles that underpin the PRA/FCA requirements are not inconsistent with those seen in other jurisdictions, a selection of which are illustrated in the video below. It’s just that, as yet, only the Central Bank of Ireland (CBI) has sought to bring those principles to bear in the very specific way set out in the UK (see the table below).
Following the publication of the final PRA/FCA Policy Statements we have three key recommendations for firms thinking about maintaining a consistent, global framework:
1. Define your truly global Important Business Services at the outset and determine resilience thresholds for these for reporting purposes – you will want to operate to a single view of resilience for these Services.
2. Define the local vs. global capabilities in your operational resilience framework – which of these capabilities are truly managed or can be managed cohesively on a global basis and thus can adopt a global standard in terms of resilience management?
3. Scope the dependencies on your critical resources for any given Important Business Services – what are the competing demands on those resources in the event of disruption and do current SLAs reflect the demands of local regulatory requirements?
We may find that regulators in other major financial services centres follow the path developed by the UK authorities tightly enough for global resilience frameworks to be reasonably straightforward. That’s certainly not as far-fetched as it may sound, particularly given the recent CBI consultation and the extent to which pronouncements in the US, EU, Singapore and Australia have reflected the core concepts being formalised in the UK. Moreover, the shared experiences of the pandemic may accelerate that outcome. But until such a point where that is the case, global firms with customer and market facing entities in the UK need to find a way to anchor prevailing local requirements to a global framework. As the waters of the pandemic start to calm, so that challenge comes into stark focus.
Key global regulatory developments
There has been a consistent move by regulators globally to be more explicit about the principles underpinning the management of operational resilience: you can see the key developments around the globe below:
In addition to the regulatory developments set out in the video, a number of industry bodies have also been focussing on operational resilience, as follows:
In October 2020 the FSB published a report on effective practices for cyber incident recovery and response, which presented a toolkit of practices to support firms before, during and after a cyber incident.
In October 2020, AFMA, ASIFMA, FIA, IBA Japan, and ISDA issued a joint association letter to regulators, proposing reciprocal BCP arrangements between Australia, Hong Kong, Japan and Singapore to aid operational resilience and ensure continuity of critical services.
In November 2020 the FSB published a discussion paper on regulatory and supervisory issues relating to outsourcing and third party relationships, noting that outsourcing and third party relationships can enhance operational resilience.
In May 2020, IOSCO issued a consultation on proposals to update its existing outsourcing principles, citing the fact that developments in markets and technology have increased regulatory attention on risks related to outsourcing and the need to ensure operational resilience of regulated entities.
In January 2021 the FSB set out its work programme for the year, which included a focus.