Cross Border Operational Resilience Policies: What Do Firms Need to Know?

Drafted by Ben Saunders: OpRes Founder

Over the last few blogs, we’ve spoken at length about the Financial Conduct Authority’s recent publication of its operational resilience policy in the form of PS21/3. The FCA has not been alone in reviewing, consulting on and publishing new standards for firms to follow when aiming to increase their operational resilience. On 31st March 2021, the Basel Committee on Banking Supervision (the “BCBS”) published its Principles for Operational Resilience, which promotes a “principle-based approach” to improving the operational resilience of banks, with the intent of making them better able to withstand, adapt to, and recover from severe adverse disruptions.

This follows a trend set by bodies such as the Federal Reserve (Fed), Federal Deposit Insurance Corporation (FDIC), and Office of the Comptroller of the Currency (OCC), which published a joint paper in October 2020 outlining the practices firms should adopt in order to strengthen their operational resilience. Whilst the language each body uses to describe operational resilience differs slightly, the underlying tone and message is the same: firms must improve the way they plan for, withstand and recover from disruption.

Taken together, the policies, practices, and frameworks put forward by each regulatory body provide, to some extent, a consistent pattern for firms to reimagine how they prioritise and implement resilience across people, process, and technology. We’ve previously commented that addressing regulatory requirements in a single country is a challenging undertaking, even for fairly vanilla retail banking products like current accounts or savings accounts. When these policies are extrapolated across multiple regions, countries, institutions and regulatory bodies, the task becomes more complex still.

That said, there are common themes across each of the publications outlined above which allow firms of all sizes to adapt their approaches so that they can satisfy both local and global regulatory needs. Over the course of this blog, we will analyse where the policies published by the FCA, the PRA, the BCBS, and the joint Fed/FDIC/OCC paper converge and where they diverge. We will also provide some recommendations as to what firms should do next in order to align with them.

What Are The Common Themes? 

Each of the policies shares a common recommendation: firms should establish an end-to-end understanding of the key products and services they deliver to customers, and map the team structures, key personas, operational processes and technology that power them on a day-to-day basis. Furthermore, the policies stress that firms need a holistic view of the risks that exist across these domains in order to implement a sound operational resilience framework.

One key example of this commonality is the expectation placed on material risk-takers and the Board of Directors to define their important business services, document their criticality, and set impact tolerances and risk thresholds for potential disruptions.

Furthermore, each regulator’s publication stresses the importance of a consistent methodology for building and implementing scenario testing programmes. Each policy reflects the need for these test scenarios to cover a wide range of cases, with a particular focus on the disruption of third-party and, ultimately, fourth-party suppliers across a firm’s systems dependency chains.

In light of the global pandemic, third-party risk management (TPRM) has been a hot topic for global regulators over the last 12-18 months. Regulators have also been focused for some time on the wide-scale adoption of cloud-based resources across financial services, specifically because of their view that concentration risk is growing as the industry converges on a small set of preferred (yet reliable and trusted) suppliers.

Many firms have traditionally applied an active/active or active/passive resilience approach to their technology systems, often by implementing fault-tolerant networks, middleware systems, database architectures or underlying data centres to maintain service levels. However, some disruptions cannot be avoided by a secondary system alone: corrupted data that has already been replicated to the standby, or a third-party dependency shared by both the primary and the secondary, will fail over along with the service. In that vein, each publication highlights the need for firms to shift from a pure technology-first approach towards a multi-threaded service restoration approach which considers internal processes, engagement with suppliers and the validation of normal operations after a disruption, to name but a few.

Where Are There Deviations in Themes? 

Whilst there is convergence in some of the foundational themes across regulatory borders, there are differences between the various bodies. As an example, the guidance published by the FCA and PRA states that firms must consider not only their internal risk appetite when setting impact tolerances, but also the potential impact any disruption to their important business services could have on the wider financial markets and on the end-users of those services, whether these are internal consumers (e.g. traders and brokers) or end customers.

In comparison, the practices outlined by the BCBS and the US bodies gravitate more towards a firm-first and market-centric approach, in which organisations set their internal risk appetites whilst understanding the criticality of key services and the role they play in supporting the stability of normal operations across financial markets. The UK regulators’ stronger emphasis on customer harm may well be the direct result of a series of high-profile outages across the UK banking landscape over the last ~5 years, many of which impacted end customers and the normal functioning of retail banking products for sustained periods of time.

Furthermore, the UK regulators have adopted the stance that impact tolerance and risk appetite are two different practices to administer. An impact tolerance is a measurement that allows a firm to recognise when a disruption has breached the maximum tolerable level of harm, whilst risk appetite refers to the processes and controls a firm applies to manage and govern operational risks. Indeed, every regulatory body is unanimous in expecting firms to expect the unexpected and to appreciate that disruptions will occur which exceed their current capability to recover normal service levels.

In short, firms need to expect outages and be prepared for scenarios that stretch beyond previously experienced disruptions.

What Should Firms Do Next? 

For many firms, especially those of a global scale, the recent regulatory publications should not have come as a surprise. Many organisations have already invested significant effort and cost in improving their governance, technology, and operational oversight practices across mission-critical services. With these publications now finalised, a line has been drawn in the sand which illustrates the importance of dedicating ongoing investment to meeting operational resilience targets, whether these are set from a local or a global perspective.

For firms addressing cross-border operational resilience policies, it is imperative that they establish repeatable, yet flexible, frameworks for defining their mission-critical business services, considering the potential harm to customers and the wider financial markets at the onset of disruption. From there, firms must identify resilience gaps across people, process, and technology, and administer remediation steps as quickly as possible. Having applied these fixes, firms need to ensure they are embedded into their scenario testing programmes and are capable of dealing with unexpected yet plausible scenarios.

There is no doubt that meeting cross-border regulatory requirements is hard. However, firms must continue to match the expectations of all of their regulators, even where those regulators use distinct definitions for similar concepts. As organisations begin to meet the various standards published by regulators, they should also start to consider how the different definitions can co-exist within a single evidence-based framework.

By understanding business services end to end, together with the critical technology operations and suppliers that power them, firms will be able to demonstrate the relationships between “critical operations” and “important business services”, and thereby align closely with both UK and US operational resilience policies. To achieve this, firms need a consistent approach to mapping and breaking down business services, customer journeys, technology components, and processes across their institutions and entities.

In closing, the approaches that firms take in applying their operational resilience frameworks should be capable of scaling to global coverage. By applying a unified approach across regions as soon as possible, firms may avoid duplication of effort and potential mismatches in their internal understanding and implementation of operational resilience reporting and controls. This will require more upfront investment, but should help avoid further cost and rework in the future. Firms that are able to develop a unified approach may find themselves not only better armed to respond to regulatory feedback, but also better positioned to deliver new features and services to their customers faster, gaining a competitive advantage over their industry peers.
