A guide to building business resilience in the financial services sector
Chris Huggett, Senior Vice President, Europe & India of business risk and resilience specialist Sungard AS, provides an overview of the four core imperatives which are outlined in the FCA’s recent report on building operational resilience in the financial services sector, which was published in December 2019.
Thanks to the UK’s new Open Banking initiative, the scale of IT problems within the financial services sector has been made public, with the BBC reporting major banks typically suffering well over one outage per month. With this in mind, the Financial Conduct Authority (FCA) published an updated discussion paper at the end of 2019, detailing new requirements to help strengthen operational resilience in the sector. The document encourages firms to consider the impact of disruption which can come in many forms (i.e. technology failures, cyber-related and other operational incidents) and the impact it has on the people and businesses (and financial markets) that rely on the products and business services. The four core imperatives from the report centre on: visibility, thresholds, testing and third-party management.
The report stipulates that firms need to identify and document the people, processes, technology, facilities and information that support their important business services (this is also known as mapping). By looking at systems and processes based on the business services they support, firms can bring more transparency to and improve the quality of decision making, thereby improving resilience.
The term ‘business service’ here refers to something that, if disrupted, would be most likely to cause intolerable levels of harm, for example:
The firm’s consumer base – including vulnerable consumers who are more susceptible to harm from a disruption
To the firm itself – through reputational damage, legal or regulatory censure or a loss of the firm’s financial position
To the UK financial system – i.e. knock-on effects for other market participants or industries crucial to UK infrastructure (such as government services or pension funds)
The FCA report also advises that organisations in the financial services sector must set ‘impact tolerances’ for each important business service; in other words, thresholds for the maximum level of disruption tolerable before consumer protection and market integrity is compromised.
Impact tolerance is expressed through specific outcomes and metrics, and should always include the maximum length of time that a disruption can continue. It can also comprise other considerations, such as the volume of disruption, i.e. the number and types of consumers affected or a measure of data which has been breached, stolen or lost. Another tip for firms setting impact tolerances is to consider different times of the day, different points in the year, or broader factors which may lead to activity within the important business services significantly increasing.
Once this has been set, organisations can set about finding ways of expanding their impact tolerance – for example, hosting private datacentres within co-located facilities or arranging for workplace recovery solutions.
Given the huge importance attributed to the ability to view and access funds by both business and consumers, the report states that firms must regularly simulate a range of severe but plausible disruption scenarios and conduct lessons-learned exercises to invest in their ability to respond to real-life disruptions. This shouldn’t only focus on preventing incidents from occurring or the probability of the incident taking place, but the response and recovery actions firms would take to protect the continuity of operations.
Scenarios can be based on anything from the loss or reduced provision of technology to the unavailability of facilities, key stakeholders or third-party services. An effective method of conducting tests is to base scenarios on previous incidents or near misses from across the financial sector and in other sectors and jurisdictions. Firms could also consider horizon risks, such as evolving cyber threats, technological developments and business model changes. An example of this can be seen in The Bank of England’s recent announcement of its plans to perform climate change-related stress tests on the UK’s top banks and insurers, to assess how firms would deal with more frequent weather events and mass sell-offs of “brown assets” – those considered detrimental to the environment.
Technology is driving huge change in the operational landscape of the financial services industry. This is perhaps best reflected in the rise of cloud-native challenger banks, that are quickly setting the agenda in terms of enterprise agility and customer experience, effectively redefining how firms in the sector compete and grow. However, the rapid adoption of new and revolutionary technologies like cloud computing have also caused the risk landscape in the financial services sector to expand at an unprecedented rate. Firms now not only have to be aware of the resilience of their own systems, but also must be able to trust in the resilience of third-party providers of the new technologies upon which their business runs.
Firms must take the due diligence to ensure the third parties they use to connect with their customers adhere to similar standards as they do. For example, third-party providers may exist outside of a firm’s regulatory perimeter or in multiple jurisdictions with different, or lower quality, resilience requirements. Firms should therefore thoroughly investigate how third-party relationships could undermine their ability to absorb disruption, asking questions such as: which legal jurisdiction is the provider subject to? What are the physical security characteristics offered by the provider (i.e. physical controls in the data centre or staff vetting)? Are there suitable arrangements for dispute resolution?
With the right backup and cloud storage provider effectively acting as a first line of defence against both expected and purely circumstantial disruption, businesses will be able to establish an infrastructure built with resilience and prepared for every eventuality.
In increasingly complex and fast changing business environments, organisations must be able to prevent, adapt, respond, recover and learn from disruptive operational incidents. The financial services sector must be aware not only of the threats to disruption which come from within and outside, but also the ability to tolerate scenarios. Nowhere is this more important than the financial services industry, where the consequences of disruption have the potential to cause severe knock-on effects to the functioning of the UK economy as a whole.
About Chris Huggett
Chris Huggett is the Senior Vice President, Europe & India at Sungard Availability Services and has over 20 years of experience working with leading technology firms including HP, Vodafone and Dell in providing critical production and recovery services to enterprise-level organisations.
About Sungard AS
Leaning on over 40 years of experience, Sungard Availability Services (Sungard AS) is an industry leader in the fields of Disaster Recovery and Business Continuity (DR/BC). From ultra-resilient cloud and data centre facilities, to workplace recovery solutions and consultancy services in business resilience, Sungard AS is a key partner for organisations in mitigating risk and ensuring the continuity of operations. Its experts specialise in streamlining and managing complexity, minimising risk and adapting to change, helping to capitalise on the opportunities that digital transformation offers.