Renewed regulatory focus on operational resilience
Regulators are updating, consolidating and elevating their supervisory expectations.
Global regulators’ focus on resilience is not new, but the scope and emphasis has evolved over time in response to disruption events, changes in market infrastructure, emerging technologies and shifting supervisory priorities.
The recent regulatory focus on resilience should be viewed as a continuing evolution of standards and expectations across global regulators to foster safety, soundness and financial stability of the financial sector.
Origin of resilience standards
In the aftermath of 9/11 terrorist attacks, regulators initially focused on the recovery and resumption of critical Financial Market Infrastructures (FMIs) for systemically important wholesale payment systems. The scale and scope of these expectations have gradually expanded to include a broader range of banking activities (e.g., retail) as well as firms beyond FMIs.
The 2008 financial crisis raised concerns about the resilience and viability of the financial sector to withstand severe market stress and contagion. As a result, global regulators turned their attention toward ensuring financial resilience – through notable expansion in the scope and rigor of requirements on liquidity, capital, recovery and resolution – to address the scale and systemic impact of the crisis.
Operational and technology resilience in the limelight
Global regulators have renewed their focus on operational and technological resilience. Key drivers include: risks associated with operational complexity due to firms’ increased reliance on emerging technologies; highly publicized outages for financial services firms in the US and UK and concerns about firms’ vulnerability to cyber-attacks.
Embracing common themes and regulatory approaches
Risks associated with resilience are varied, dynamic and inter-related.
Global regulators will likely continue to support common principles related to enterprise resilience. Differences in approach exist mainly to incorporate actual and perceived risks within a jurisdiction rather than differences in objectives.
Risks associated with resilience cut across various operational risk dimensions, such as people, process, technology and third-parties – creating challenges in managing supervisory standards and expectations.
UK regulators have embraced a more holistic guidance around resilience to cover this broad range of risks. They have adopted a top-down, integrated approach that synthesizes relevant components of resilience under an “operational resilience” umbrella and ties it more explicitly to its financial stability objectives.
In contrast, the US regulators have taken a more bottoms-up and education-focused approach that leverages existing guidance and firm-specific information to understand current industry practices and identify areas requiring additional guidance.
Six areas most impacted by increased regulatory scrutiny
While approaches and emphasis may differ, regulators seem aligned on the core principles of resilience.
Regulators remain focused in making sure that risks caused by a firm’s operational complexity and interconnectedness with the broader ecosystem are not transmitted into the financial markets, and that the interests of the customers and market participants are safeguarded during business disruptions. The six areas most impacted by increased regulatory scrutiny of resilience include:
- Orientation to end-to-end business services. Regulators expect firms to take a business service view on resilience that prioritizes the resilience of its most critical business services, instead of focusing on individual systems and applications. The criteria for identifying these services should be inclusive of client and market impacts and should consider the firm’s interconnectedness with other market participants.
- Impact tolerances based on client and market impacts. Regulators expect firms to establish impact tolerances, with clear metrics and outcomes, for their most critical business services to quantify the amount of disruption that could be tolerated. They want firms to demonstrate that they can meet their impact tolerances under a range of scenarios.
- Alignment of coherent set of capabilities. Regulators want firms to move away from the traditional, siloed approaches for managing resilience to an integrated enterprise-wide framework that encompasses a comprehensive suite of capabilities required to resume and recover business services and meet objectives across various interrelated programs (e.g., BCP, DR, cyber or third-party risk management).
- Approach to respond cohesively to a range of disruptions. Regulators require firms to demonstrate greater integration between their incident management and crisis management protocols, and implement a risk-agnostic crisis management structure that is responsive to different types of disruption events. They expect firms to improve the speed, transparency and timeliness of communication to clients, market, regulators and internal stakeholders to rebuild customer trust and market confidence through business disruptions.
- Integrated testing strategy and framework. Regulators expect firms to demonstrate end-to-end resilience of their most critical business services, including: people, process, technology, data and third-party components. Firms should be able to implement an integrated testing framework that gradually increases in rigor, complexity and scope of tests conducted, pressure-tests key assumptions and strategies, and allows for continuous improvement, by embedding key learnings into resilience plans and capabilities.
- Board and senior management oversight. Regulators want the board and senior management to take an active role in establishing the firm’s resilience strategy in alignment with the enterprise strategy and risk appetite. They expect the board and senior management to receive periodic reporting on the firm’s resilience risk profile, including emerging risks and trends (market and firm-specific) that may pose a threat to the continuity of critical business services.
Next steps expected from regulators
Regulatory scrutiny and focus expected to continue on enterprise resilience.
Firms can expect to see continued regulatory scrutiny and focus on resilience. The industry is looking forward to seeing how UK regulators update their views on resilience in the next discussion paper expected to be released in Q4 2019.
US regulators are anticipated to articulate their expectations on resilience as direct feedback to regulatory exam. As firms respond to the regulatory line of questioning and showcase their current and target state capabilities, they have an opportunity to shape-up the regulatory agenda and define the bar on “what good looks like” for key capabilities and focus areas.
The working group study by the Basel Committee on Banking Supervision is expected to articulate the core principles of resilience, which may provide a basis for global regulators to come together on a common core regulatory approach to resilience.
How much the global regulators will converge on their resilience approaches in the future is yet to be seen. However, any divergence in regulatory expectations due to jurisdictional differences will have to be reconciled, especially for global firms, given the cross-jurisdictional nature of business services and the supporting infrastructure.
What firms can do to demonstrate greater enterprise resilience
Firms can take these measures to enhance and transform their existing framework and capabilities:
- Assess maturity: Perform a maturity assessment on current state of resilience capabilities against regulatory expectations and industry leading practices
- Strategize: Define an enterprise strategy and framework for resilience
- Map course: Identify and map the most critical business services
- Test tolerance: Establish and test impact tolerances for the most critical business services
In the face of evolving regulatory focus on operational resilience, improving enterprise resilience is a critical requirement for firms to remain competitive, maintain market confidence and support financial stability. Enterprises must look at a wide range of regulatory approaches in at least six different areas impacted by regulatory scrutiny.