Friday 5 Round-Up: Operational Resilience in Financial Services - Episode 5

Published by Ben Saunders - OpRes Founder

Roughly a 2-minute read

Welcome to the 5th publication of our weekly operational resilience round-up for financial services. With Q4 just around the corner and many workers returning from their summer vacations, we suspect there will be a flurry of activity, with firms looking to close out many of their large program milestones before the end of 2021. Where has the year gone!

Speaking of milestones, we are now just under 6 months away from the FCA and PRA’s operational resilience deadlines, by which point firms are expected to have mapped their important business services, set impact tolerances, and conducted scenario testing for their extreme, yet plausible, disruption events. Whilst it feels like March 2022 is still quite some way away, experience tells us that it will come around faster than we all expect!

With that, this week has seen a plethora of operational resilience news bites and this will probably be the most jam-packed Friday Five to date. 

Enjoy the read! 

Monday 13th September: The March 2022 Operational Resilience Deadline looms. Are you ready?

It is almost like we read the operational resilience tea leaves this week! Finextra published a blog discussing the March 2022 looming deadlines and reiterated many of the same points that we have been discussing for some time here at OpRes. We agree with many of the points raised in the post. Specifically, “If there’s one positive we can take from the pandemic, it’s that it has massively accelerated the innovation cycle for both in-house IT teams and third-party software providers seeking to ensure operational resilience, and this is a trend we expect to continue”. 

We’ve always seen operational resilience, and regulation as a whole, as a catalyst for digital change, whilst the pandemic has certainly been a sudden wake-up call for many enterprises to reimagine their digital agendas, and not just those in financial services!

Monday 13th September: Big Tech cloud services could face resilience test, says Bank of England

For the last few weeks, we’ve been speaking a lot about third-party risk management, with a deep focus on material outsourcing of critical technology functions to the public cloud. Just this week, Reuters reported that the BoE, along with regulators in Europe and the United States, is worried about the reliance of banks on a handful of Big Tech firms for cloud computing in increasingly critical banking services, and the impact an outage at one of them could have on financial stability.

We have been stressing to anybody that will listen that this is going to be a hot topic of focus for regulators in the coming years, whilst firms will likely continue to leverage the public cloud and third-party software providers to accelerate their digital transformation efforts in an increasingly competitive financial environment.

Tuesday 14th September: Operational resilience checklist: have you covered everything?

It’s as if everyone is aware that March 2022 is just around the corner and is sounding the operational resilience fog-horn! Burges Salmon has published a handy operational resilience checklist. It’s equally handy that our impending Alpha release also helps firms address many of these requirements in a single solution.

Tuesday 14th September: Building Resilience Through Procurement Analytics

McKinsey & Co published a neat blog explaining how organisations can increase the operational resilience of their supply chains by implementing a four-stage approach that is built on a data-first strategy, end-to-end insights, cultural change and automation.  

Wednesday 15th September: Cyberpion Reveals A Quarter of Fortune 500 Companies Have Exploitable Vulnerabilities in their External IT Network

Resilience is a far-ranging topic, covering each facet of a firm’s people, processes and technology. Research published by Cyberpion suggests that nearly three-quarters of Fortune 500 companies' IT infrastructure exists outside their organization, a quarter of which was found to have a known vulnerability that threat actors could exploit to access sensitive employee or customer data. This brings to life the importance of third-party risk management to operational resilience: firms must tighten their controls in this space to ensure their important business services remain available for customers.

Thursday 16th September: Cloud Security Alliance Releases New Guidelines Providing Insight Into Effectively Using Its Industry-Leading Security Assessment, Assurance Tools

Cloud adoption is increasing at an accelerated rate across financial services. Many firms are leveraging SaaS-based FinTech propositions to round off their new digital products, whilst many are also leveraging the public cloud in a “lift and shift” approach, opting to migrate heritage systems to the public cloud to remove the burden of running and operating their own data centres. In doing so, they are becoming heavily reliant on IaaS compute resources for hosting their applications.

Whilst the premise of having a solid security strategy is no different in the cloud versus the corporate data centre, the methods and engineering steps used to secure a firm’s control plane are often very different in their implementation. As such, it’s a timely release by the Cloud Security Alliance to publish their most recent set of best practices for implementing cloud security controls.

Thursday 16th September: BofE Warns Banks About Regulatory Reporting Failures

Nobody likes getting a Dear CEO letter, especially when it comes in the form of a stern warning from the Bank of England. Finextra reported that the Bank of England has chided some banks and building societies for failing to supply accurate and reliable data to help regulators identify risks to the financial system. With the long-term target for operational resilience to become a dynamic requirement for firms, they will need to implement a dramatic step-change away from focusing on “tactical fixes” and relying on “significant manual intervention to fill data and system gaps” in order to achieve this objective. You can read the full Dear CEO letter here.

Thanks for Reading

To close things off, a recent study by EY and the Institute of International Finance (IIF) titled “Resilient banking: Capturing opportunities and managing risks over the long term” reported that 80% of APAC bank CROs expect to see the introduction of new or additional regulatory requirements on operational resilience. The operational resilience agenda is certainly picking up a lot of traction across markets and we will be sure to cover perspectives from other regional regulatory bodies in the coming weeks.

That’s it for this week’s round-up. 

Thanks for reading and if you want to have Operational Resilience news beats sent directly to your mailbox, then feel free to register your details via our online form.

Have a great weekend! 

Ben