9 minute read 18 Jun 2019
overhead-engineers-inspecting-gears-generator-turbine-hall

Why banks must view operational resilience as a strategic imperative

By

Tapestry Networks

Professional services firm

Tapestry Networks creates an environment where leaders learn from one another, explore new ideas, and collaborate to solve problems.

Contributors
9 minute read 18 Jun 2019

As digitization reshapes financial services, new vulnerabilities are prompting an increased urgency to achieve operational resilience.

Becoming a fully digital financial institution creates new challenges to operational resilience in terms of relationships with third-party platform providers, further digitization of customer interactions and ongoing threats to cybersecurity. Information technology (IT) outages and system migration failures have captured the attention of frustrated customers, the media, politicians, and regulators. As banks maintain and replace their systems architecture, it will be critically important to embed operational resilience into planning and implementation.

Bank Governance Leadership Network (BGLN) participants met on 27 February 2019 in London and on 7 March 2019 in New York to discuss ways in which incumbent banks are approaching operational resilience:

  • Why is operational resilience emerging as a rising priority?
  • A four-point holistic approach to achieving operational resilience
  • Three crucial challenges are emerging
  • Improved testing is required
landscape-motocross-bikes-runs-wilderness
(Chapter breaker)
1

Chapter 1

Why is operational resilience emerging as a rising priority?

Technology, regulation and customer demand are pressuring banks to deliver continuous service.

Three factors are driving the focus on resilience and the need to oversee new risks.

1. Shift in regulatory focus from financial resilience to operational resilience. 

Regulators globally are shifting their focus to make certain that banks can continuously deliver services to their customers and withstand disruptions. Different regulatory regimes are establishing their own definitions and expectations around operational resilience and are taking different approaches to overseeing the underlying issues.

What people need from a financial system has changed over the years. Operational hiccups that nobody would’ve noticed years ago now are immediately noticed and amplified.
– BGLN participant

In the UK in July 2018, the Bank of England, the UK Prudential Regulation Authority, and The Financial Conduct Authority (FCA) published a joint discussion paper entitled Building the UK Financial Sector’s Operational Resilience, which noted: “firms’ and [financial market infrastructures’] boards, and senior management are crucial in setting the business and operational strategies, and overseeing their execution in order to ensure operational resilience.”

2. Changing customer preferences and increased focus on customer centricity, the further digitization of financial services, and concomitant risks. 

In February 2019, the UK regulator the FCA announced a year-on-year increase of over 500% in technology outages at UK financial firms during 2018, as firms reported 145 breaches throughout the year, compared with 25 in the previous year. This is an example of how banks regularly find themselves in the headlines for outages, breaches and downtime.

The changing customer preferences are driving banks to provide more connected, and increasingly digitized processes, creating new expectations and new risks. These are driving the focus on resilience in banks.

3. Internal pressure to protect against reputation risk. 

Concern about damage to firms’ reputations from outages and downtime is also a driver. One director said, “Our own standard in protecting against reputation risk is higher than what regulators will ask of us.” Customers are demanding 24/7 access, and new innovative digital technologies require continual operations. New business models require even greater dependency on third parties. 

Continuous interaction between banks and customers means that when something goes wrong, the public outcry is more immediate and demanding, pushing firms to respond to service interruptions faster than ever before.

businesswoman-talking-colleague-office-glass
(Chapter breaker)
2

Chapter2

A four-point holistic approach to achieving operational resilience

Today’s discussions around resilience go beyond cyber-security and outage prevention.

Regulators and industry specialists are urging banks to think more comprehensively about resilience. The breadth of this concept can make it difficult for boards to develop effective oversight practices.

Participants cited some areas of focus for boards to help them develop effective oversight practices:

1. Resilience must be baked into digital transformation efforts. 

Institutions must make certain that any new initiatives or partnerships have been appropriately vetted and assessed for risk and that controls are in place.

People always talk about the problems with legacy; sometimes that makes me laugh because—more often than not—it’s the shiny new application that’s causing the problems.
– Regulator

2. IT upgrades carry risk, but are nonetheless necessary for long-term resilience. 

Firms cannot simply delay replacing legacy systems. It may be tempting to be cautious, in an atmosphere where banks continue regularly to make the headlines for IT and cyber concerns, but this very approach could induce resilience issues. While the transition to new systems brings migration and execution risks, upgrades should ultimately create greater resiliency. 

3. Response strategy, recovery and ongoing learning drives improvements.

As banks have improved digital offerings and given client the scope to interface with bank services in real time, downtime and response mechanisms are under pressure. 

You need to plan with failure in mind. Cyber makes that obvious, but the mindset needs to be pushed into operational business as well.
– Regulator

After disruptions occur, firms need robust recovery plans that bring systems and data back online in a well-controlled, reconciled manner. Each disruption provides an opportunity to learn and improve.

4. Timely board involvement is critical.

An EY subject matter authority (SMA) noted that boards should be informed early on when an incident occurs: “In almost every investigation we’ve seen, communications have not worked properly, and the board was not informed in a timely manner.”

ey-friends-catching-popcorn-sofa
(Chapter breaker)
3

Chapter3

Three crucial challenges are emerging

To improve resilience, banks need to address business operations, services and relationships.

1. Setting impact tolerance

Although it may be difficult to define for very large institutions, setting impact tolerances may help boards and management to consider bank’s comfort level with their operational resilience.

It is the responsibility of the board to oversee what management has done in setting impact tolerances. A regulator said, “The board role pre-disaster is becoming more important. In the past, you were focusing on the board role in response. Firms haven’t always thought about recovery-time projections. Many firms don’t even have an estimate! You should ask your management about this. The role of the board is to be informed on what management has done in this area.”

Historically, firms focused on resilience of key assets, or specific functions or activities. Now, regulators want firms to identify the most critical business services that they deliver to their customers and to the market, and map the entire process across customer, organization, and any third parties that support that process.

2. Managing third-party relationships are increasingly important

Part of the “end-to-end” review of resilience must take into account third-party providers, on which firms are increasingly reliant, for both upgrades and new technology platforms. One executive noted that the risk is also expanding beyond third parties to include “fourth parties, who our third-party providers might be heavily reliant upon, but about whom we may know very little.”

Firms have begun increasing due diligence with vendor partners, identifying opportunities to improve information sharing and collaboration on third-party risk management, including via industry-funded utilities.

Participants cautioned on sharing responsibilities with FinTech providers and cloud vendors, warning that the board should make certain that management has clearly defined what the firm will do and what aspects belong to these third-party providers.

3. Daunting challenge of data security

Data security remains one of the most daunting issues facing financial firms today. Protecting the integrity of the vast amounts of data banks hold is a grave concern. “Data corruption is the nightmare scenario we should all be thinking about. If a data set at a very large bank is compromised, that could actually spell the end of a country’s financial system,” one director warned.

But, there is also the challenge of migrating vast amounts of bank data; the goal is improved operations and resilience, but the transition can lead to systems failures, or the loss of service or data.

 “Most of the challenges of migration are in the business domain and about defining how things will be migrated. When you think about migrating the design of your product, how many variants of the product you might migrate over…do you move them all over and what do you do with what you leave behind?” Several participants noted that migrating data incrementally is a good approach, but, within a bank, even one system at a time is fraught with trouble.

engineer-checking-machine
(Chapter breaker)
4

Chapter4

Improved testing is required

With regulators saying current testing in even the largest firms is insufficient, what’s needed?

Banks must improve their scenario testing as regulators say it does not correspond to the need for rapid recovery after a crisis. And, supervisory expectations are becoming more demanding.

A participant suggested banks will be expected to demonstrate:

  • What testing is being conducted.
  • What is being tested and how frequently.
  • How comprehensive the testing is.
  • What the testing has revealed.
  • What plans are in place to respond to issues identified.
  • Our SMA suggested boards consider five questions regarding their oversight of operational and IT resiliency:

    1. Does the board know the firm’s resilience strategy and how management is organized to manage resilience risk? Does the board know the roles of the COO/CAO, CTO, CISO, line-of-business leaders, and heads of resilience or business continuity? What is risk management’s role? What is the role of internal audit?

    2. How should the board oversee resilience? The risks related to resilience cut across risk, audit, and IT committees, demanding the attention of the full board to distinguish between resilience, cybersecurity, and privacy risks, and where these risks intersect.

    3. How can reporting to the board improve? Is the board getting actionable, understandable information on significant initiatives and investments, major regulatory and supervisory matters, and emerging risks related to resilience?

    4. What is the role of the board in crisis? How will communication between management and the board will work in crisis, and when will management will seek board input or approval.

    5. Does the board understand how resilience risk is going to be addressed as the firm transforms its business and operating models, and technology? Care is needed as firms transition away from core legacy technology platforms to new technologies. As firms increasingly depend on more and more third—and fourth, and fifth parties—to operate. Some may enhance resilience, others may create new resilience risks. Some new technologies may bring their own resilience challenges: as firms depend more on automation, machine learning, artificial intelligence, straight-through processing and other emerging technology applications, making certain that resilience is built into those processes will be essential.

Addressing operational resilience challenges will take time. Adopting shared terminology, defining roles and responsibilities, and integrating issues that cross so many parts of the organization, will require a coherent strategy with board support and executive support.

This article is based on the Viewpoints from the Bank Governance Leadership Network (BGLN) meetings held on 27 February 2019 in London, and on 7 March 2019 in New York, and aims to capture the essence of these discussions and associated research.

Summary

Operational resilience is a rising priority for banks. The Bank Governance Leadership Network (BGLN) met to discuss the challenges that are emerging as a result of digitization and how banks are tackling these challenges to holistically address operational resilience.

About this article

By

Tapestry Networks

Professional services firm

Tapestry Networks creates an environment where leaders learn from one another, explore new ideas, and collaborate to solve problems.

Contributors