6 minute read 16 Mar 2020

Why enterprise resilience is more critical to banks than ever before

Authors
Marc Saidenberg

EY Financial Services Global Regulatory Network Co-Lead, Principal US Financial Services Consulting, Ernst & Young LLP

Financial services advisor. Facilitating active dialogue between industry and the public sector. Public speaker and thought leader. Husband and father.

John Liver

EY Global Financial Services Regulatory Network Co-Lead and EY EMEIA Financial Services Compliance and Conduct Leader

Transformation of financial services regulatory capabilities, resilience and conduct. Facilitator of industry and regulator dialogue. Mental health charity trustee. Husband and father.

Eugene Goyne

EY Asia-Pacific Financial Services Regulatory Lead

Regulatory compliance advisor. Public policy advocate. Fitness and arts fanatic.

Building and improving enterprise resilience is no longer a choice. It is an imperative.

Enterprise resilience is a firm’s ability to respond to, recover from and resume operations at acceptable levels of service to customers, clients and counterparties through significant disruptions.

Business disruptions are on the rise, including increased risks from cyber-attacks, natural disasters, pandemics and critical service provider failures.

These, together with higher expectations from customers and market participants for firms to deliver continuous services to the marketplace, are drawing increased scrutiny from regulators worldwide.

Improving enterprise resilience is no longer a choice; it is a board-level imperative across the financial service industry. It is a critical requirement for firms to remain competitive, maintain market confidence and support financial stability.


Chapter 1

Renewed regulatory focus on operational resilience

Regulators are updating, consolidating and elevating their supervisory expectations.

Global regulators’ focus on resilience is not new, but its scope and emphasis have evolved over time in response to disruption events, changes in market infrastructure, emerging technologies and shifting supervisory priorities.

The recent regulatory focus on resilience should be viewed as a continuing evolution of standards and expectations across global regulators to foster safety, soundness and financial stability of the financial sector.

Origin of resilience standards

In the aftermath of the 9/11 terrorist attacks, regulators initially focused on the recovery and resumption of critical Financial Market Infrastructures (FMIs) for systemically important wholesale payment systems. The scale and scope of these expectations have gradually expanded to include a broader range of banking activities (e.g., retail) as well as firms beyond FMIs.

Post-crisis reforms

The 2008 financial crisis raised concerns about the resilience and viability of the financial sector to withstand severe market stress and contagion. As a result, global regulators turned their attention toward ensuring financial resilience – through notable expansion in the scope and rigor of requirements on liquidity, capital, recovery and resolution – to address the scale and systemic impact of the crisis.

Operational and technology resilience in the limelight

Global regulators have renewed their focus on operational and technological resilience. Key drivers include the risks associated with operational complexity arising from firms’ increased reliance on emerging technologies, highly publicized outages at financial services firms in the US and UK, and concerns about firms’ vulnerability to cyber-attacks.


Chapter 2

Embracing common themes and regulatory approaches

Risks associated with resilience are varied, dynamic and inter-related.

Global regulators will likely continue to support common principles related to enterprise resilience. Differences in approach reflect mainly the actual and perceived risks within a jurisdiction rather than differences in objectives.

Risks associated with resilience cut across various operational risk dimensions, such as people, process, technology and third parties, creating challenges in managing supervisory standards and expectations.

UK regulators have embraced more holistic guidance on resilience to cover this broad range of risks. They have adopted a top-down, integrated approach that synthesizes the relevant components of resilience under an “operational resilience” umbrella and ties it more explicitly to their financial stability objectives.

In contrast, US regulators have taken a more bottom-up and education-focused approach that leverages existing guidance and firm-specific information to understand current industry practices and identify areas requiring additional guidance.


Chapter 3

Six areas most impacted by increased regulatory scrutiny

While approaches and emphasis may differ, regulators seem aligned on the core principles of resilience.

Regulators remain focused on ensuring that risks caused by a firm’s operational complexity and interconnectedness with the broader ecosystem are not transmitted into the financial markets, and that the interests of customers and market participants are safeguarded during business disruptions. The six areas most impacted by increased regulatory scrutiny of resilience are:

  1. Orientation to end-to-end business services. Regulators expect firms to take a business service view of resilience that prioritizes the resilience of their most critical business services, instead of focusing on individual systems and applications. The criteria for identifying these services should be inclusive of client and market impacts and should consider the firm’s interconnectedness with other market participants.

  2. Impact tolerances based on client and market impacts. Regulators expect firms to establish impact tolerances, with clear metrics and outcomes, for their most critical business services to quantify the amount of disruption that could be tolerated. They want firms to demonstrate that they can meet their impact tolerances under a range of scenarios.

  3. Alignment of a coherent set of capabilities. Regulators want firms to move away from traditional, siloed approaches to managing resilience toward an integrated enterprise-wide framework that encompasses the comprehensive suite of capabilities required to resume and recover business services and to meet objectives across various interrelated programs (e.g., BCP, DR, cyber or third-party risk management).

  4. Approach to respond cohesively to a range of disruptions. Regulators require firms to demonstrate greater integration between their incident management and crisis management protocols, and to implement a risk-agnostic crisis management structure that is responsive to different types of disruption events. They expect firms to improve the speed, transparency and timeliness of communication to clients, the market, regulators and internal stakeholders in order to rebuild customer trust and market confidence through business disruptions.

  5. Integrated testing strategy and framework. Regulators expect firms to demonstrate end-to-end resilience of their most critical business services, including people, process, technology, data and third-party components. Firms should be able to implement an integrated testing framework that gradually increases the rigor, complexity and scope of the tests conducted, pressure-tests key assumptions and strategies, and allows for continuous improvement by embedding key learnings into resilience plans and capabilities.

  6. Board and senior management oversight. Regulators want the board and senior management to take an active role in establishing the firm’s resilience strategy in alignment with the enterprise strategy and risk appetite. They expect the board and senior management to receive periodic reporting on the firm’s resilience risk profile, including emerging risks and trends (market and firm-specific) that may pose a threat to the continuity of critical business services.

Chapter 4

Next steps expected from regulators

Regulatory scrutiny of and focus on enterprise resilience are expected to continue.

Firms can expect to see continued regulatory scrutiny and focus on resilience. The industry is looking forward to seeing how UK regulators update their views on resilience in the next discussion paper expected to be released in Q4 2019.

US regulators are anticipated to articulate their expectations on resilience as direct feedback from regulatory exams. As firms respond to the regulatory line of questioning and showcase their current and target-state capabilities, they have an opportunity to shape the regulatory agenda and define the bar for “what good looks like” across key capabilities and focus areas.

The working group study by the Basel Committee on Banking Supervision is expected to articulate the core principles of resilience, which may provide a basis for global regulators to come together on a common core regulatory approach to resilience.

How much the global regulators will converge on their resilience approaches in the future is yet to be seen. However, any divergence in regulatory expectations due to jurisdictional differences will have to be reconciled, especially for global firms, given the cross-jurisdictional nature of business services and the supporting infrastructure.

What firms can do to demonstrate greater enterprise resilience

Firms can take the following measures to enhance and transform their existing framework and capabilities:

  1. Assess maturity: Perform a maturity assessment of the current state of resilience capabilities against regulatory expectations and industry leading practices
  2. Strategize: Define an enterprise strategy and framework for resilience
  3. Map course: Identify and map the most critical business services
  4. Test tolerance: Establish and test impact tolerances for the most critical business services

Summary

In the face of evolving regulatory focus on operational resilience, improving enterprise resilience is a critical requirement for firms to remain competitive, maintain market confidence and support financial stability. Enterprises must look at a wide range of regulatory approaches in at least six different areas impacted by regulatory scrutiny.
