UK financial sector operational resilience consultation: BCM nirvana or nemesis?
- Published: Tuesday, 27 November 2018 23:25
Steve Dance looks at how the ‘Building the UK financial sector’s operational resilience’ Discussion Paper (DP) could impact BC managers in the UK financial sector.
Earlier in 2018, the UK Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint Discussion Paper on an approach to improve the operational resilience of firms and financial market infrastructures (FMIs). The consultation closed in October.
You might think that the above Discussion Paper constitutes manna from heaven for business continuity managers in the financial sector – at last a good slug of regulation to add weight and focus to a financial firm’s business continuity programme. A reading of the DP, however, soon reveals that the regulatory direction of travel could marginalise business continuity and evolve it into something else. Regardless of what name we might want to give it, the thrust toward resilience as an overarching goal will require different thinking within the financial sector business continuity community.
The nirvana effect will come from the fact that the regulatory agenda naturally becomes part of the management agenda, which will create a trickle-down focus on the subject. This is (probably) a good thing for the business continuity function because it will achieve some mindshare in the upper echelons of management. The word ‘probably’ is used because the nirvana depends on one thing – that the BCM function actually steps up to the plate and becomes a ‘player’ in preparing their organization to be ready to comply with any new regulations.
The nemesis option could manifest itself in a couple of ways:
- The business continuity management function becomes marginalised by some other function within the organization being primed to take the lead for regulatory preparations. This could happen if either Compliance or Operational Risk functions take the lead. Likewise, the BCM function could marginalise itself by being completely unaware of the impending regulations and thereby failing to take an active part – which would certainly cast doubt over the effectiveness and relevance of the BCM function.
- Trying to use the existing business continuity processes as the basis for compliance. Resilience is not business continuity and there are many aspects of this proposed new regulation which are unlikely to be encapsulated within existing business continuity processes.
The major challenges for financial firms in adopting and complying with the proposals contained in the current DP will include:
- Adopting a customer- and market-driven approach to designing a ‘joined up’ resilience and contingency strategy based on the prioritisation of services and market integrity. For many institutions the BIA will not be correctly focussed – many being organizationally rather than service oriented – and the BIA may not be able to accommodate the wider perspective of resilience.
- Establishing metrics to monitor the operational health of the resilience programme. The type of metrics used for oversight of the business continuity programme may be too narrowly focussed to provide meaningful, actionable intelligence for resilience.
- New methods of assurance will be required. Except for the most advanced organizations, new approaches to assessment and verification are likely. The Discussion Paper in its current form alludes to an expectation of operational stress testing (similar to the financial stress tests that have been normal practice for some time now). The scope of these tests in terms of the institutions that will be covered is not yet clear, although it would probably be safe to say that those institutions that are currently ‘in-scope’ for financial stress tests will also be in-scope for operational stress testing. Operational stress tests may not be conducted in the same way as financial stress tests – there is simply not enough data on the impacts of operational disruptions to support Monte Carlo or similar simulations. The alternative may be an approach based on chaos engineering principles targeted at one or more operational dependencies. Nevertheless, the traditional business continuity exercise will probably be too narrow in scope to give the level of assurance that regulators will be looking for.
- Change impact could become part of the operational risk radar. The introduction of the customer- and market-driven approach to assessing services’ priority will require that significant IT changes form part of the risk radar for operational risk. The significant effect of large IT changes that fail following live implementation has been dramatically demonstrated several times and, whilst not specifically highlighted in the DP, such failures clearly pose a risk to operational resilience and, for that reason, may well fall under regulatory scrutiny.
The response stage for the Discussion Paper is now complete and it is moving towards its next stage, the Consultation Paper: the clock is ticking…
Steve Dance is Managing Partner of RiskCentric.