Building operational resilience in financial services
Operational resilience within the financial services industry helps to mitigate financial risk and ensure organisational viability.
What is operational resilience in financial services?
Predicting operational risk in our interconnected global economy is becoming increasingly difficult, if not downright impossible. And this is particularly true in the financial services sector, which is why operational resilience in financial services has become such a hot topic.
The global economic environment is uncertain and volatile, with slower economic growth and declining margins. Strategic financial risks such as capital adequacy and liquidity are increasing under external pressures. The geopolitical environment and associated financial impacts are changing day-to-day. And fraud and cyber crimes remain on the rise.
To counteract this environment, we need to turn our focus away from “predictions” and towards “expectations”, accepting that now and into the future there will be disruptions to operations in the financial services sector. And though we continue to struggle to see what those disruptions may look like, we can still prepare a robust operational resilience strategy to help us manage and overcome any negative impacts.
Operational resilience in financial services
The UK Financial Conduct Authority (FCA) has defined operational resilience as “the ability of firms and financial market infrastructures, and the financial sector as a whole, to prevent, adapt, respond to, recover and learn from operational disruptions.”
Changing regulatory requirements
Financial regulators, particularly in the UK, are well aware of the importance of a robust approach to operational resilience, especially in light of growing global connections and increasing financial sector complexity. While operational resilience is a relatively new term, regulators now see it as essential because its failure alone could lead to extreme financial volatility.
Because of this, the Prudential Regulation Authority (PRA) and the FCA have been forming an extensive regulatory framework around operational resilience. This new framework, which has been approved and came into force on 31 March 2022, allows operational resilience to be analysed in a holistic manner. For example, the following can be assessed:
- Connections between functions, operations and third-party providers that could pose operational risks
- Cyber attacks and financial fraud that could disrupt individual financial services organisations and banks, or entire industries or markets
- Commercial pressures around climate change and the global sustainability agenda
- Risks arising from the concentration of the market around a small number of favoured providers
By 31 March 2022, organisations that fell under the framework had to have identified their important business services, set impact tolerances for them, and carried out enough mapping and scenario testing to do so. The period from then until 31 March 2025 is a transitional period in which that mapping and testing must be taken to the level needed to show the tolerances can actually be met.
The ultimate goal is that by 31 March 2025, each organisation must be able to show that in the event of a disruption it has the processes, procedures and strategies in place to keep its important business services within their impact tolerances. As part of that process each organisation needs to identify both its “important business services” and its “impact tolerances”.
New operational resilience framework
Defining 'Important Business Services'
'Important business services' are a vital part of the regulatory requirements, and are the services that, if disrupted, could cause intolerable harm to a client or clients of that organisation or risk the stability, resilience, or orderly operation of the UK financial system or financial markets.
Defining 'impact tolerances'
The Bank of England defines impact tolerance as, “the maximum tolerable level of disruption to an important business service.”
This definition accepts that disruptive events will happen to and within an organisation. The disruptions then need to be analysed and quantified to determine the severity and duration of disruption the organisation can tolerate for each important business service. A tolerance is set per service and is expressed as a time-based metric (the maximum tolerable outage), and where relevant also in terms of the volume or value of transactions affected. The analysis includes three main steps:
- Identify the key business services, products and systems, to understand how a particular disruption would affect the overall viability of the business and the wider market.
- Set the maximum acceptable downtime for each key business service, product and system (this is your organisation’s impact tolerance for that service).
- Implement a process to ensure you can continue to provide core services and stay within your impact tolerances when you face severe disruption.
Importance of operational resilience in financial services
Increasing regulatory activity within the industry, competitive pressure to switch to digital-first business models, and transformative technology and digital tools that introduce efficiency but also open new avenues for risk, together with the digitisation of banking and financial operations: all of these factors affect an organisation’s ability to adjust to and recover from operational disruptions.
Forward-looking organisations are focusing on operational resilience with a greater sense of urgency, particularly in light of the key role that the industry plays globally, and the devastating impacts it could have should the industry fail to function well.
Here are a few reasons why banks and financial services organisations should be focusing on operational resilience:
1. To prepare for inevitable security threats
Rapid digitisation and an increasing reliance on third parties make financial services organisations more exposed to cyber attacks and fraud, both of which are on the rise.
2. To reduce risks and mitigate their impacts
Building an operational resilience framework helps to protect vulnerable core business functions. Organisations can shift from the traditional “recovery” model towards a “mitigation” model, where operational resilience serves both to reduce the likelihood of continuity and disaster risks and to limit their impact when they do materialise.
3. To integrate into a market-wide operational resilience net
When integrated with the other actors in the financial services sector and with third-party partners, operational resilience becomes a market-wide net that is continuously watching for disruptions or shocks, leading to a more agile and responsive system overall.
How to build operational resilience in the financial services sector
Building operational resilience in the financial services sector operates in much the same way as in any other sector, except that the regulatory framework must also be followed.
1. Define your 'Important Business Services'
As discussed above, you’ll need to define the 'Important Business Services' (IBS) to the operation of your business. This is the first step in undertaking holistic business mapping that aligns your IBS with your overall business objectives, your organisation’s risk appetite and your impact tolerances (which you’ll define in the next step).
A GRC compliance software system like Drova can help you to identify and analyse relational data so you can define your important business services.
2. Define impact tolerances
Defining your impact tolerances is the next step, and as discussed previously, this is a required element of the regulatory framework. From a purely operational standpoint, it also helps you to understand the risks and disruption levels that your organisation is equipped to handle and so will inform every subsequent element of your resilience strategy as well as your operational risk strategy in general.
A strong software solution like Drova can bring all of these elements together in a compliant, efficient, and effective way.
3. Map your dependencies
The financial services sector is highly dependent on third-party suppliers, providers and outsourcers, as well as on other members of the industry. Mapping these interlocking dependencies, including the indirect ones (a supplier of your supplier), is critical to building a resilient business model, because it is the only way to see which important business services would be affected by the failure of any single provider.
4. Wide-ranging scenario testing
Scenario testing is the next step in developing your operational resilience. The regulators expect firms to test against severe but plausible scenarios, not only the disruptions that have already happened. In order to have a robust scenario-based testing protocol you need to ensure that you are gathering data from every level within your organisation and getting cross-organisational information. This information will allow your risk management teams to understand the weak links in their resilience plan and set protocols to respond better to possible disruptions.
5. Communication plan
As an organisation, you must be able to communicate effectively with internal and external stakeholders, and with the wider industry, in times of crisis, change or disruption, which makes communication an essential part of your operational resilience strategy. To accomplish this you’ll need to map your stakeholders, so you understand where to focus and how to frame your communications.
Importantly in the financial services industry, you need to include regulators who will want to understand your impact tolerances and mitigation efforts, which should be included in your plan.
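The following is an added worked example, not code from the original page or from the Drova platform, showing how steps 1 to 4 above fit together once they are written down as data: a handful of important business services with impact tolerances, a dependency map whose leaf nodes are third parties, a scenario test that fails one node for a given number of hours and checks each affected service against its tolerance, and a concentration check for third parties that many services rely on. Every service name, provider name, tolerance and dependency edge below is constructed for illustration; the failover model (a substitute that caps the disruption, assumed not to share the failed dependency) is an assumption of the example, not a regulatory rule.

```python
"""Map important business services (IBS) to their dependencies, run a
scenario and check each IBS against its impact tolerance.  All names,
tolerances and dependency edges are constructed for this example."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    tolerance_hours: float               # impact tolerance: maximum tolerable outage
    depends_on: tuple[str, ...]          # internal systems / third parties it needs directly
    failover_hours: Optional[float] = None  # time to switch to a substitute, if one exists


# Steps 1 and 2: identify the IBS and set an impact tolerance per service (hypothetical values).
SERVICES = (
    ImportantBusinessService("retail-payments", 2.0, ("payments-api",), failover_hours=1.0),
    ImportantBusinessService("mortgage-origination", 24.0, ("loan-platform",)),
    ImportantBusinessService("online-banking", 4.0, ("web-frontend",)),
)

# Step 3: dependency map, node -> nodes it depends on.  Leaf nodes are third parties.
DEPENDENCIES: dict[str, set[str]] = {
    "payments-api": {"core-ledger", "CloudHostCo"},
    "loan-platform": {"core-ledger", "CreditBureauLtd"},
    "web-frontend": {"payments-api", "CloudHostCo"},
    "core-ledger": {"CloudHostCo"},
    "CloudHostCo": set(),
    "CreditBureauLtd": set(),
}
THIRD_PARTIES = {"CloudHostCo", "CreditBureauLtd"}


def transitive_dependencies(node: str) -> set[str]:
    """Every node reachable from `node` in the dependency map (indirect suppliers included)."""
    seen: set[str] = set()
    stack = list(DEPENDENCIES.get(node, ()))
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(DEPENDENCIES.get(n, ()))
    return seen


def services_affected_by(failed_node: str) -> list[ImportantBusinessService]:
    """IBS that depend on `failed_node` directly or through any chain of dependencies."""
    affected = []
    for service in SERVICES:
        if any(dep == failed_node or failed_node in transitive_dependencies(dep)
               for dep in service.depends_on):
            affected.append(service)
    return affected


def run_scenario(failed_node: str, outage_hours: float) -> dict[str, dict]:
    """Step 4: fail one node for `outage_hours` and compare each affected IBS with its tolerance.

    A service with a failover is assumed to be disrupted only until it switches over
    (the substitute is assumed not to share the failed dependency)."""
    results = {}
    for service in services_affected_by(failed_node):
        if service.failover_hours is None:
            disruption = outage_hours
        else:
            disruption = min(outage_hours, service.failover_hours)
        results[service.name] = {
            "disruption_hours": disruption,
            "tolerance_hours": service.tolerance_hours,
            "breach": disruption > service.tolerance_hours,
        }
    return results


def concentration_risks(min_services: int = 2) -> dict[str, set[str]]:
    """Third parties that at least `min_services` IBS rely on, directly or indirectly."""
    reliance: dict[str, set[str]] = {tp: set() for tp in THIRD_PARTIES}
    for service in SERVICES:
        for dep in service.depends_on:
            for tp in ({dep} | transitive_dependencies(dep)) & THIRD_PARTIES:
                reliance[tp].add(service.name)
    return {tp: names for tp, names in reliance.items() if len(names) >= min_services}


if __name__ == "__main__":
    for name, r in run_scenario("CloudHostCo", 6.0).items():
        status = "BREACH" if r["breach"] else "within tolerance"
        print(f"{name}: {r['disruption_hours']}h of {r['tolerance_hours']}h -> {status}")
    for tp, names in concentration_risks().items():
        print(f"concentration risk: {tp} supports {sorted(names)}")
```

Running the scenario "CloudHostCo is down for six hours" shows why the mapping has to be transitive: mortgage origination never names the hosting provider directly but is still affected through the core ledger, while online banking breaches its four-hour tolerance and retail payments stays within tolerance only because it has a one-hour failover. The concentration check flags the same provider as supporting all three services, which is the kind of single point of failure the regulators' concentration-risk concern is about.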
See also: Examples of Operational Resilience
A note on the importance of digital transformation for robust operational resilience
Digital transformation is part of the financial services environment. Banks and other lending and financial institutions are under competitive pressure to find new, easier, tech-forward integrations to please customers, and interlocking systems that move funds more seamlessly between institutions are becoming a central element of the industry. This means new partnerships and new technologies are being introduced every day.
Financial institutions must ensure that all new technologies, partnerships, or digital initiatives are analysed and reviewed for risk to ensure that the right controls and protocols are in place. These risks could include cyber, information security, business continuity, anti-corruption, and more.
How a GRC platform helps build operational resilience in financial services
Operational resilience in financial services must integrate the management of operational risk with the requirements of the regulatory framework. The Drova platform helps you do that by:
- Ensuring you have accurate and timely data visibility to define your important business services
- Improving the way governance, risk and compliance data is gathered, stored, curated and linked, and compiling it into a single source for the entire organisation
- Providing you with the data necessary to define your impact tolerances accurately and to show you are meeting the requirements of the regulatory framework
- Enabling rich scenario testing
- Mapping external and internal stakeholders, including all relevant regulators
- Enhancing your communications through fast and accurate reactions to incoming data