In the UK and many other major economies, operational resilience remains a key regulatory focus area. The current and projected economic climate will likely be one in which many financial services firms will face external pressures, and firms need to carefully implement complex mapping and testing requirements to ensure they are able to remain within impact tolerances for each important business service.
As can be seen in the BNY Mellon graphic, operational resilience requirements in the EU and UK are due to apply for in scope firms from early 2025, making the next 24 months a period of significant preparation for financial institutions.
Firmin explains that during 2023, “operational resilience will remain a high priority – as economic downturn remains, financial pressures increase and organisations find themselves more susceptible to a range of risks, including those related to fraud – both external and internal threats. Operational resilience needs to factor the change in risk profile and be strengthened to enable the organisation to identify and manage these risks.”
Key operational risks that organisations need to consider include those relating to emerging and increased risks around sanctions, cyber threats and risks exacerbated by the cost of living crisis and economic recession. Firmin adds that there are also senior management arrangements, systems and controls (SYSC) requirements for firms to identify important business services and have measures in place to minimise consumer and market detriment cause by operational risks.
Sumit Indwar, partner at Linklaters’ Financial Regulation Group, expects regulators to be very interested in how procedures and contingency plans fare in the face of real-world pressures rather than simulated scenarios. “We may well see the crystallisation of latent risks, exacerbated by leverage and concentration. It’s in these sorts of times when the robustness of firms’ risk management platforms will be tested.”
The operational resilience rules require UK and EU firms to follow a more “prescriptive approach when preparing for disruption,” Indwar notes, as financial services authorities are becoming ever more interested in unregulated tech providers to monitor and mitigate concentration risk in the sector.
He continues that although the outcomes of the UK and EU regimes are largely aligned, the detailed requirements differ, and the challenge of implementing a global resilience strategy in a way which is compliant with local regimes is likely to present a significant headache for many firms.
For instance, the EU’s Digital Operational Resilience Act’s (DORA) concept of a risk tolerance limit is not the same as the UK definition for impact tolerance. Other jurisdictions are also developing rules aimed at building the operational resilience of their financial sectors.
As a resolution to resilience challenges, greater investment into skilled resources, technology and data will be required to meet operational resilience benchmarks.
Lauder explains: “Data will be driven by smarter, more enhanced risk management platforms, which will allow more enriched and real time data to allow better decisions to be made. All too often data is based on past events and looks back and not forward – risk management needs to be more proactive and forward looking.”
Managing consultant in fincrime at Valcon, Alistair Lauder’s key recommendations to achieving risk management include:
- ensuring risk assessments are up to date and factor in current operational risks and vulnerabilities;
- developing and implementing incident response plans to enable firms to respond swiftly to operational disruptions;
- enhancing IT infrastructures to withstand increasingly sophisticated cyberattacks from overseas organisations and state actors; and,
- conducting testing of operational resilience response plans, including disaster recovery and business continuity frameworks.
Operational resilience is not the only financial stability regulation demanding attention from banks in 2023, as Basel III begins its phasing-in period. The reforms were originally designed in response to the 2008 financial crisis, in efforts by the Financial Stability Board (FSB) to enhance prudential regulatory standards, supervision and risk management of banks.
Implementation of the measures faced a 12 month deferral, to allow banks and banks to respond to Covid-19, taking effect from the 1st of January 2021 over a five-year phasing in period. KPMG notes that banks across the EU are expressing the difficulties being faced in their efforts to balance their role of lending to the real economy, supporting transitions to green and digital finance, while meeting Basel III requirements.