Severe but plausible – the shifting operational resilience paradigm

Stephen Leggett, Chief Operating Officer

Although financial institutions – including wholesale banks and asset managers – navigated the pandemic successfully, regulators and investors are increasingly scrutinising their operational resilience and approaches to scenario planning. Stephen Leggett, COO at Calastone, participated in an Investment Association webinar, Severe but Plausible, which examined how the financial services industry is strengthening its operational resiliency processes, along with some of the drivers behind it.

Under pressure from regulators

One of the main reasons financial services coped better with COVID-19 than, say, the retail industry is that the former has long been subject to stringent regulations around business resolution and operational resilience. For example, the outsourcing arrangements of fund managers have been an area of intense interest for the UK’s Financial Conduct Authority (FCA) for almost a decade. Even so, this has not precluded the FCA, together with the Prudential Regulation Authority (PRA) and the Bank of England, from instructing major financial institutions to strengthen their operational resilience processes and preparations. As part of this exercise, financial institutions must identify their core business services; establish impact tolerances for the maximum tolerable disruption; undertake mapping and testing; and identify any vulnerabilities in operational resilience. Firms must complete this exercise by no later than March 31, 2022. In combination with investor pressure, this will force financial institutions to up the ante on their operational resilience and continuity plans.

In many cases, I expect this will encourage firms to think more laterally about scenario planning moving forward. While the risk of a global pandemic – a once-in-a-century crisis – was always there and understood, at least in some quarters, most people still viewed it as a fairly marginal threat. David Alexander, Professor of Risk and Disaster Reduction at University College London, said that financial institutions, having been blindsided by COVID-19, should do their best to prepare for other potential risks – including a devastating influenza outbreak, a massive cyber-attack or a long-term loss of electricity. Professor Alexander noted that space storms, while rare, do indeed happen, with the last one being recorded back in 1857. In short, I believe that financial institutions need to make sure their businesses are prepared for any number of black swan events beyond just a pandemic.

Building in resiliency

To ensure resiliency is watertight, financial institutions must get some of the basics right first. Fiona Ghosh, partner at Addleshaw Goddard, highlighted that there was a strong correlation between robust governance and effective change management and resiliency strategies. Having a board of directors which simply checks the box when overseeing activities like technology systems and BCP is counterintuitive. Similarly, she noted that firms with legacy technologies are more likely to suffer from resiliency or change management failures than those organisations that embrace automation. To me, this just reinforces how important it is for firms to automate their systems and eschew manual processes. Simply papering new technology over old or antiquated systems is not sustainable, and risks making it harder for financial institutions to execute their operational resilience plans.

It is equally vital for financial firms to oversee the resiliency of their third parties. This again is being reinforced by new regulations, including the EU’s DORA (Digital Operational Resilience Act). Under the rules, financial institutions must have in place measures to mitigate the risk of disruption should a critical IT vendor (e.g. a cloud service provider) fail. Ghosh noted this is prompting financial institutions to look beyond just third-party risk and further down the supply chain at fourth- and fifth-party risk. “As we move from legacy systems to agile platforms, it introduces new risks and complexities,” she added.

A new era begins

Few would ever have predicted that a global pandemic would cause such sheer disruption, but it has. Accordingly, financial institutions of all stripes need to think more widely about what other risks could potentially destabilise their businesses. Again, this is something regulators are already looking into. With strong corporate governance, effective oversight and adoption of best-in-class technologies, firms will be in a strong position in terms of their ability to facilitate business continuity during crises.

 

 

 
