Funds Europe talks to Calastone’s Michael Davies about the growing importance of operational resilience in the asset management market.
In April 2021, the UK financial regulators issued rules to all UK financial services firms, including asset managers, requiring them to enhance their operational resilience. The policy statement (PS21/3) was jointly issued by the Prudential Regulation Authority, the Financial Conduct Authority (FCA), and the Bank of England. The rules came into effect on March 31, 2022, by which time firms were required to identify vulnerabilities in their operational resilience and set impact tolerance levels for their most important business lines. They were given three years in which to perform mapping and testing and make the necessary investment to operate consistently within their impact tolerances.
The fact that the announcement was made almost a year to the day after the UK and elsewhere went into a lockdown as a result of a global pandemic was not lost on the regulators. “The disruption caused by coronavirus (Covid-19) has shown why it is critically important for firms to understand the services they provide and invest in their resilience,” stated the FCA. “Operational disruptions can cause wide-reaching harm to consumers and pose a risk to market integrity, threaten the viability of firms, and cause instability in the financial system,” added the statement. In acknowledgement of the way that operational risk has risen up the agenda, the FCA has also stated that it “retains the view that operational resilience is at least as important as financial resilience.”
Welcome regulatory action
The importance placed on operational resilience by the FCA is an opinion shared by Michael Davies, head of global operations at Calastone. “We welcome the regulators’ actions. In addition to ensuring asset managers enhance their business continuity plans, the regulation will also ensure firms are asking questions of their suppliers and service providers (including tech vendors) in terms of operational resilience, business continuity, and disaster recovery.”
The increased importance of operational resilience has also been a result of situational and not just regulatory developments, from the global pandemic to the war in Ukraine and the resulting market volatility that results from geopolitical or macroeconomic shocks. There is also the threat of cyber attacks, an area that continues to become more sophisticated and more threatening. But it was the global lockdown and the move to working from home that revealed to Davies the sliding scale of preparedness among market participants. “As a tech company and a financial network, we had planned for these kinds of scenarios. We moved to work from home two weeks before the UK government’s imposition because we were confident of our ability to make that migration.”
“Many firms struggled”
One of the reasons that so many firms failed was an unwillingness to widen the scope of their scenarios in their operational resilience planning. “Many firms struggled because they hadn’t foreseen or modelled a scenario like a global pandemic,” says Davies. Calastone has adopted a very formal risk management approach when it comes to scenario-planning. “There are questions about volumes; we want to make sure that our systems are able to manage volatility and the impact on trading volumes during moments of market stress – such as the SVB collapse, the UK mini-budget of 2022, or the outbreak of war between Russia and Ukraine,” says Davies.
“For us, the market-wide focus on operational resilience has been a reinforcement of the steps we have already taken and the processes that we already have in place. We always aim to deliver a robust service and to ensure that if there is an outage or a spike in traffic, our clients notice no change and suffer no impact. The biggest change for Calastone as a result of the regulations is the need to evidence everything we do and ensure that all our clients are comfortable with our BC plan, says Davies. “Implementing ISO23001, the international standard for business continuity, was a key step here. It specifies that not only should a BC plan exist, but it should be regularly communicated, evaluated, and updated. Our clients want that reassurance, so you need those lines of communication and that interoperability.”
Successful business continuity
Calastone’s system is set up to ensure clients are never impacted by a market event, says Davies. On the technical side, the platform runs an active/active environment from a combination of physical data centres and cloud-based infrastructure. Each data centre is capable of running the system independently and managing a full day’s traffic. This is regularly tested by taking at least one data centre offline. Calastone also performs rigorous system monitoring, not just of Calastone’s platform but also of client behaviours and systems. Alerts are triggered if a server CPU or any other app or hardware is running at an excessively high level for longer than advised or if system performance drops below the expected level. “This ensures that the majority of action taken is pre-emptive, with potential system issues identified and resolved before they ever threaten to impact a customer,” says Davies.
Successful business continuity is also about collaboration, and there are measures firms can take to ensure that if their counterparties experience a period of disruption, any impact is mitigated. “For example, we put a timestamp on any trades so that they can be retroactively executed at the intended time,” says Davies. Calastone is also part of an FCA working group dedicated to operational resilience and encouraging best practices – such as ensuring there are secondary lines of communication should a primary connection go down.”
As BC manager for the Calastone group, Davies is also responsible for overseeing testing and training for all staff. “Resilience is front and centre of everything we do at Calastone,” he says. “We have been increasing our focus every year and expanding our scope and our budget so it is drilled into staff at all levels because operational resilience is not just about technology; it is about people. You need to commit to it as a business, and you need to prepare for all eventualities.”
First published 25/10/23 in Funds Europe: https://www.funds-europe.com/industry-comment/the-importance-of-operational-resilience
