1. Setting impact tolerance
Although impact tolerances may be difficult to define for very large institutions, setting them may help boards and management consider the bank’s comfort level with its operational resilience.
It is the responsibility of the board to oversee what management has done in setting impact tolerances. A regulator said, “The board role pre-disaster is becoming more important. In the past, you were focusing on the board role in response. Firms haven’t always thought about recovery-time projections. Many firms don’t even have an estimate! You should ask your management about this. The role of the board is to be informed on what management has done in this area.”
Historically, firms focused on the resilience of key assets, or of specific functions or activities. Now, regulators want firms to identify the most critical business services that they deliver to their customers and to the market, and to map the entire process across the customer, the organization, and any third parties that support that process.
2. Managing third-party relationships is increasingly important
Part of the “end-to-end” review of resilience must take into account third-party providers, on which firms are increasingly reliant, for both upgrades and new technology platforms. One executive noted that the risk is also expanding beyond third parties to include “fourth parties, who our third-party providers might be heavily reliant upon, but about whom we may know very little.”
Firms have begun increasing due diligence with vendor partners, identifying opportunities to improve information sharing and collaboration on third-party risk management, including via industry-funded utilities.
Participants cautioned about sharing responsibilities with FinTech providers and cloud vendors, warning that the board should make certain that management has clearly defined what the firm will do and what aspects belong to these third-party providers.
3. Daunting challenge of data security
Data security remains one of the most daunting issues facing financial firms today. Protecting the integrity of the vast amounts of data banks hold is a grave concern. “Data corruption is the nightmare scenario we should all be thinking about. If a data set at a very large bank is compromised, that could actually spell the end of a country’s financial system,” one director warned.
But there is also the challenge of migrating vast amounts of bank data; the goal is improved operations and resilience, but the transition can lead to systems failures, or the loss of service or data.
“Most of the challenges of migration are in the business domain and about defining how things will be migrated. When you think about migrating the design of your product, how many variants of the product you might migrate over…do you move them all over and what do you do with what you leave behind?” Several participants noted that migrating data incrementally is a good approach, but, within a bank, even one system at a time is fraught with trouble.