UK banks’ annual reports show an emerging understanding of operational resilience that emphasises business continuity planning and conflates pandemic performance with high operational resilience. Banks have asked regulators for more guidance on what they want operational resilience work to look like. That safe harbour will not be forthcoming, and firms need to work on evolving the sophistication of their approach over time, said Lyndon Nelson, deputy chief executive and executive director, regulatory operations and supervisory risk specialists at the Prudential Regulation Authority (PRA), in a recent speech.
“Suddenly the stifling straight-jacket of rules appears more attractive and we see an avalanche of requests for detailed guidance. Should we set up an operational resilience committee? How many important business services should we have? I could go on and on. I would ask those of you who are seeking this guidance to pause and reflect,” Nelson told the UK Finance Operational Resilience webinar on May 5.
“The word in the policy documents that is doing a lot of work here is ‘sophistication’ — yes, we are asking and expecting firms to have done quite a bit by March 31, 2022, but is it ultimately going to be everything that we expect firms to do? No. We understand and expect that tasks such as mapping and testing will evolve and will grow in sophistication over time,” he said.
Operational resilience is an outcome, Nelson said. It is not necessarily a compliance task to be implemented against a regulator-supplied checklist. Firms should do their own work to analyse their businesses’ vulnerabilities and do scenario testing to set out how to prevent or recover from an operational event.
“I would suggest that even if safe harbours were on offer, I would argue to you that this should be of little comfort. Rigid and overly prescribed regimes are just what we need to avoid for a risk that is constantly evolving, and where key parts of it (such as cyber-risk) actually have a conscious opponent seeking to do harm. Having a safe harbour might reduce your cyber insurance premium, but it will not do much to reduce the probability that you suffer from an operational incident,” said Nelson.
Pandemic performance is not necessarily down to operational resilience
Operational resilience is the ability to recover from an operational incident in a critical business line within a reasonable time to minimise customer disruption.
“Ensuring the UK financial sector is operationally resilient is important for consumers, firms and financial markets. It ensures firms and the sector can prevent, adapt, respond to, recover and learn from operational disruptions. … Operational disruptions can have many causes including system failures, changes to systems, people or processes. Some disruptions may be caused by matters outside of a firm’s control, such as the pandemic, that lead to the unavailability of access to infrastructure or key people,” wrote the Financial Conduct Authority (FCA) in Policy Statement 21/3 (PS21/3), Building operational resilience.
There is a difference between operational resilience and business continuity planning, regulators and consultants have emphasised. Keeping the lights on during the pandemic does not mean firms need no further thinking about operational resilience. The IT outages which occurred last year — for example, when in November the announcement of a successful COVID-19 vaccine led to a spike in trading volumes, causing several retail trading platforms to malfunction — were mainly related to well-known IT problems.
UK banks’ frequent IT outages signal their continued muddled thinking about operational resilience, because they consider it as a risk rather than an outcome to be achieved, consultants said. Firms should be trying to achieve resilience.
At the same time, however, working from home tested financial services firms’ resilience to cyber-attacks. The number of cyber incidents at UK banks, asset managers, wholesale brokers and exchanges rose from 21 in 2019 to 55 in 2020, a 161.9% increase, according to FCA data.
The pandemic exposed weaknesses in the resilience of firms’ back-office operations, said James Maxfield, a managing director at UK-based Ascendant Strategy. The Financial Times report that more “than 270 of Wall Street’s key trading staff were summoned [in May 2020] for emergency weekend duty to clear a massive backlog of failed trades in March and April, highlighting the stress that built up in the financial system when the coronavirus crisis tore into markets” was a case in point, Maxfield said.
“What the pandemic also highlighted was the heavy reliance on manual tasks (people) across middle and back-office processes. This was evident through the disruption associated with specific countries going into lockdown, limiting staff attending the office and causing a knock-on effect in capacity to support processes such as making margin calls. It was further highlighted by the intervention of regulators to convene weekend working groups, to resolve exceptions and clear backlogs,” he wrote in a recent TabbForum opinion piece.
The pandemic was not an operational resilience event as envisioned by regulators, Maxfield said. There was plenty of notice of approaching disruption, which gave firms time to prepare. Industry was able to collaborate to offset the impact and there was a huge amount of government intervention to shore up markets.
“There is no bail-out option if your firm is unable to function because of an operational incident. There is no operator of last resort function in Threadneedle Street. So we must find other tools to use. First of all, firms will seek to be self-reliant, but for many (perhaps all) there will, I hope, be an increasing realisation that investment in collective action is a better way forward for many of the challenges that they face,” Nelson said in his speech.
Regulatory Intelligence has examined a number of the large UK banks’ accounts of operational resilience work, set out in their annual reports. These accounts show efforts to slot operational resilience into broader risk management frameworks, which underscores Nelson’s observation they are clamouring for more guidance. Some are implementing operational resilience committees, establishing new operational and resilience risk functions, appointing heads of operational resilience and defining their understanding of operational resilience. One bank said its board now looks at operational resilience more frequently than carrying out a “set piece once a year”.
Descriptions of this work have not, however, gone much deeper than pointing out what an operational resilience issue might be — data management and information protection, cyber, new technology, people, for example. There is little discussion of how banks might go about fulfilling the obligations set out in UK regulators’ operational resilience policy statements. Firms continue to conflate business continuity planning and operational risk with operational resilience. Work remains to identify critical businesses, set tolerances for disruption, and ensure delivery of their important business services within their impact tolerances during “severe but plausible scenarios”.
Lloyds Banking Group’s annual report explicitly mentions the UK regulators’ operational resilience guidance publications and refers to setting tolerances and the mapping of business activities. It talks about the operational risks associated with its group change agenda and “incorporating operational resilience into future design thinking”. It says it maintains and develops playbooks that guide its response to a range of interruptions from internal and external threats, and evaluates these through scenario-based testing and exercising.
Lloyds goes into some detail on plans to modernise its technology to improve operational resilience which, as for many banks, will involve migrating systems to the cloud. Cloud is seen as an operational resilience solution, not a possible threat. It is a point Nelson raised in his speech.
“If correctly configured, there are clear resilience benefits to financial institutions from cloud adoption. There are also risks, of course. Some of these stem from the technological complexity, which is compounded by a shortage of relevant skilled resources in financial institutions. This can lead to shortcomings in the configuration of cloud solutions and inadequate oversight. Moreover, the public cloud market is concentrated on a small number of large, unregulated providers whose services are increasingly critical to substitute, which raises questions of potential systemic risk. The challenge for regulation and regulators is to find an appropriate balance between these risks and enabling firms to leverage the benefits of cloud solutions,” he said.
Banks’ mapping and testing is likely to evolve and “grow in sophistication”, Nelson said.
In the meantime, he is expecting to see a compelling gap analysis on his desk by March 31, 2022, which will show banks’ “major shortcomings” and areas that “need more work”.
Produced by Thomson Reuters Accelus Regulatory Intelligence on 14 May 2021