Why banks must view operational resilience as a strategic imperative

Three factors are driving the focus on resilience and the need to oversee new risks.

1. Shift in regulatory focus from financial resilience to operational resilience. 

Regulators globally are shifting their focus to make certain that banks can continuously deliver services to their customers and withstand disruptions. Different regulatory regimes are establishing their own definitions and expectations around operational resilience and are taking different approaches to overseeing the underlying issues.

In the UK in July 2018, the Bank of England, the UK Prudential Regulation Authority, and The Financial Conduct Authority (FCA) published a joint discussion paper entitled Building the UK Financial Sector’s Operational Resilience, which noted: “firms’ and [financial market infrastructures’] boards, and senior management are crucial in setting the business and operational strategies, and overseeing their execution in order to ensure operational resilience.”

2. Changing customer preferences and increased focus on customer centricity, the further digitization of financial services, and concomitant risks. 

In February 2019, the UK regulator the FCA announced a year-on-year increase of over 500% in technology outages at UK financial firms during 2018, as firms reported 145 breaches throughout the year, compared with 25 in the previous year. This is an example of how banks regularly find themselves in the headlines for outages, breaches and downtime.

The changing customer preferences are driving banks to provide more connected, and increasingly digitized processes, creating new expectations and new risks. These are driving the focus on resilience in banks.

3. Internal pressure to protect against reputation risk. 

Concern about damage to firms’ reputations from outages and downtime is also a driver. One director said, “Our own standard in protecting against reputation risk is higher than what regulators will ask of us.” Customers are demanding 24/7 access, and new innovative digital technologies require continual operations. New business models require even greater dependency on third parties. 

Continuous interaction between banks and customers means that when something goes wrong, the public outcry is more immediate and demanding, pushing firms to respond to service interruptions faster than ever before.

Regulators and industry specialists are urging banks to think more comprehensively about resilience. The breadth of this concept can make it difficult for boards to develop effective oversight practices.

Participants cited some areas of focus for boards to help them develop effective oversight practices:

1. Resilience must be baked into digital transformation efforts. 

Institutions must make certain that any new initiatives or partnerships have been appropriately vetted and assessed for risk and that controls are in place.

2. IT upgrades carry risk, but are nonetheless necessary for long-term resilience. 

Firms cannot simply delay replacing legacy systems. It may be tempting to be cautious, in an atmosphere where banks continue regularly to make the headlines for IT and cyber concerns, but this very approach could induce resilience issues. While the transition to new systems brings migration and execution risks, upgrades should ultimately create greater resiliency. 

3. Response strategy, recovery and ongoing learning drives improvements.

As banks have improved digital offerings and given client the scope to interface with bank services in real time, downtime and response mechanisms are under pressure. 

After disruptions occur, firms need robust recovery plans that bring systems and data back online in a well-controlled, reconciled manner. Each disruption provides an opportunity to learn and improve.

4. Timely board involvement is critical.

An EY subject matter authority (SMA) noted that boards should be informed early on when an incident occurs: “In almost every investigation we’ve seen, communications have not worked properly, and the board was not informed in a timely manner.”

1. Setting impact tolerance

Although it may be difficult to define for very large institutions, setting impact tolerances may help boards and management to consider bank’s comfort level with their operational resilience.

It is the responsibility of the board to oversee what management has done in setting impact tolerances. A regulator said, “The board role pre-disaster is becoming more important. In the past, you were focusing on the board role in response. Firms haven’t always thought about recovery-time projections. Many firms don’t even have an estimate! You should ask your management about this. The role of the board is to be informed on what management has done in this area.”

Historically, firms focused on resilience of key assets, or specific functions or activities. Now, regulators want firms to identify the most critical business services that they deliver to their customers and to the market, and map the entire process across customer, organization, and any third parties that support that process.

2. Managing third-party relationships are increasingly important

Part of the “end-to-end” review of resilience must take into account third-party providers, on which firms are increasingly reliant, for both upgrades and new technology platforms. One executive noted that the risk is also expanding beyond third parties to include “fourth parties, who our third-party providers might be heavily reliant upon, but about whom we may know very little.”

Firms have begun increasing due diligence with vendor partners, identifying opportunities to improve information sharing and collaboration on third-party risk management, including via industry-funded utilities.

Participants cautioned on sharing responsibilities with FinTech providers and cloud vendors, warning that the board should make certain that management has clearly defined what the firm will do and what aspects belong to these third-party providers.

3. Daunting challenge of data security

Data security remains one of the most daunting issues facing financial firms today. Protecting the integrity of the vast amounts of data banks hold is a grave concern. “Data corruption is the nightmare scenario we should all be thinking about. If a data set at a very large bank is compromised, that could actually spell the end of a country’s financial system,” one director warned.

But, there is also the challenge of migrating vast amounts of bank data; the goal is improved operations and resilience, but the transition can lead to systems failures, or the loss of service or data.

 “Most of the challenges of migration are in the business domain and about defining how things will be migrated. When you think about migrating the design of your product, how many variants of the product you might migrate over…do you move them all over and what do you do with what you leave behind?” Several participants noted that migrating data incrementally is a good approach, but, within a bank, even one system at a time is fraught with trouble.

Banks must improve their scenario testing as regulators say it does not correspond to the need for rapid recovery after a crisis. And, supervisory expectations are becoming more demanding.

A participant suggested banks will be expected to demonstrate:

• What testing is being conducted.
• What is being tested and how frequently.
• How comprehensive the testing is.
• What the testing has revealed.
• What plans are in place to respond to issues identified.

Addressing operational resilience challenges will take time. Adopting shared terminology, defining roles and responsibilities, and integrating issues that cross so many parts of the organization, will require a coherent strategy with board support and executive support.

This article is based on the Viewpoints from the Bank Governance Leadership Network (BGLN) meetings held on 27 February 2019 in London, and on 7 March 2019 in New York, and aims to capture the essence of these discussions and associated research.