The Global Operational Resilience Conundrum

By Guy Warren, CEO of ITRS Group

Globally, the pandemic brought about a period of rapid digitalisation. As firms made the overnight shift to remote working, in many cases businesses had to quickly overhaul their operations to ensure that employees could work from home.

Nowhere was this more prevalent than in the financial services sector, where companies rely on legacy technology to manage the day to day. However, whilst employees and customers rejoiced in the fact that the financial services industry was meeting everyone else in the 21st century, they didn’t enjoy the increase in IT meltdowns and cyberattacks that such a rapid shift would bring.

Rushed cloud migrations, automation of core processes, infrastructure upgrades and third-party outsourcing have all introduced new vulnerabilities to firms’ IT estates; vulnerabilities that may only be revealed when a system is under pressure – aka when it’s needed most.

Gratefully, before the pandemic induced digital system overhaul, in the UK the regulator and subsequently the industry had operational resilience on the agenda, with wheels in motion for the introduction of new operational resilience regulations. The FCA, PRA and Bank of England released their first joint Discussion Paper on the topic in July 2018, followed by the Consultation Papers on Operational Resilience in December the follow year. By March 2025 at the latest, firms will have to be able to demonstrate that they are meeting the policy outcomes laid out, including remaining within the impact tolerances, or ‘Service Level Agreements’ (SLAs), they were required to set earlier this year.

In Europe, a similar story can be told. The European Commission’s Digital Operational Resilience Act (DORA), has recently been approved for adoption by European Union lawmakers, meaning the starting gun has been fired for financial institutions. Similar to the UK, firms will have two years to comply.

Across the pond, however, US regulators appear to be moving more slowly. This is despite US financial services firms facing a similar if not greater existential threat from the risks posed by operational overwhelm, with a survey by ITRS Group earlier this year revealing that they are the most likely to experience more than two days of unplanned downtime per year compared with their European and APAC counterparts.

That said, whilst US regulators may be taking their time when it comes to operational resilience, US firms cannot sit and wait, whilst simultaneously UK and European based banks can’t assume that they can operate without fear state-side. Here’s why.

1. It’s a global playing field

With the current lack of specific operational resilience requirements in the country, US firms may think it’s up to them if and how they decide to address operational risk – and in a country of exceptionalism, there’s a prevailing ‘it won’t happen to me’ mindset. As a result, they might be willing to take the gamble – to wear the reputational and financial cost of downtime if, and when, their IT fails.

Yet many aren’t aware that they’re not quite as in the clear when it comes to operational resilience regulations as they might think. Given how interlinked the financial system is across the world, most firms have at least some level of exposure to countries outside the US, particularly the UK and EU. For example, a bank might be working within the remits of the US regulation, but because of the presence in the UK, could be unexpectedly stung by the FCA.

For this reason, UK firms also need to be extra diligent when it comes to operating on the same systems as their friends’ state-side, recognising that they very likely won’t be as up to date on the latest operational resilience requirements. In the evolving regulatory environment, personal responsibility is front and centre – turning a blind eye, and blaming a counterpart operating overseas is not acceptable.

1. Operational resilience will be a global priority

Foreign exposure aside, every US financial services firm will have to face the music regarding operational resilience sooner or later. It’s simply now just a countdown until the mandate comes their way, especially since the Fed itself was exposed to a four-hour outage last year, which left systems that execute millions of transactions a day down and out.

And if the new requirements on mirror that of the UK’s, they may have the scope to hold firms and individuals retrospectively accountable for their actions, meaning no one is safe, and getting on the front foot of compliance is essential.

They are also likely to include similar obligations around SLAs – that is, mandating that businesses declare the level of uptime they are prepared to commit to, and stick to it. This is another thing that firms should start thinking about today as it will require significant historic data to accurately calculate and feed into predictive analysis.

US firms have the unique advantage of being able to watch and learn from the UK and EU as they seek to meet regulatory obligations, and better understand what to expect when their time comes.

Whilst UK and EU based institutions are ahead, and with regulations in the US likely to be similar, we can’t assume they will be a perfect match – taking a one size fits all to meeting operational resilience regulations globally will result in there being shortfalls somewhere. As such, its essential that institutions are aware of where rules diverge and how they tailor their operations accordingly.

1. Benefits exceed just compliance

With the financial services sector facing extreme pressure to improve margins, any regulations that do come in to compel firms to spend more on strengthening their operational resilience will most likely be complied with at minimum cost.

This is a classic dilemma: the danger that something becoming a regulatory question overshadows all the very real reasons that firms should actually want to get things in order, regulations or no

However, its essential that we don’t lose sight of the benefits that can be achieved from better operational resilience. While it will require a certain level of initial investment, gaining the capacity for comprehensive oversight over the health of all IT systems will pay back in dividends over time through improved efficiencies and minimised downtime.

Best practice compliance

Over the last five years of discussion surrounding operational risk and resilience, what has become obvious is the desperate need to break down communication barriers between business roles, functions, teams, jurisdictions, partners and vendors. The silver lining is that firms who are able to manage this will also reap significant rewards in terms of efficiency and cost savings.

Of course, this is no easy task. In an incredibly competitive, fast-paced market, US firms – even more so than their European and UK based counterparts – have been a particularly big fan of the “grow as you go” approach to digital transformation, meaning there’s a number of quickly built, IT systems out there.

But what customers want today isn’t new features and applications, so much as minimum friction. They need to be able to transfer and receive funds, check balances, apply for loans all by simply clicking a button.

Therefore, the essential first step all firms should take is to begin mapping their level of operational risk in their ICT systems and critical vendors, determining whether their current recovery strategies align with the standards being evolved in the UK and EU, and then map out where they need to improve.

For some institutions, particularly smaller ones or those on tighter budgets, the solution may lie in core banking systems and consolidated platform vendors, who can provide and manage channel integration and comprehensive monitoring across the IT estate. This is a low-touch, cost-effective way to ensure problems are identified and mitigate before they occur, while those that do slip through are quickly picked up and resolved.

Regulators can and should help the process along by producing clear guidelines and standardising the information they demand of the financial services sector. But at the end of the day, firms shouldn’t be depending on the regulator to coerce them into meeting solid operational standards, institutions themselves, regardless of their geographical footprint should be taking responsibility when it comes to maintaining safe and secure operating systems – if not for their customers safety, then for their own sake.

References

https://www.itrsgroup.com/a-global-operational-resilience-survey

https://www.bloomberg.com/news/articles/2021-02-24/fed-investigating-outage-in-interbank-payment-system

https://technologymagazine.com/cloud-and-cybersecurity/companies-waste-dollar10bn-over-12-months-cloud-spending