The Growing Regulatory Focus On Operational Resilience
Global regulators are focused on the financial services industry’s response preparedness for operational disruptions and whether firms are doing enough to increase operational resilience. Their growing interest is expected to usher in a new era of enhanced resilience supervision.
The Growing Regulatory Focus on Operational Resilience · 1 · protiviti.com
Information technology failures. Digital transformation. Outsourcing. Industry consolidation. Extreme weather. Recession fears. What do these global trends have in common? They are fueling global interest in operational resilience, and the financial services industry, given its criticality to the stability of the global economy, is bearing a fair share of the scrutiny.
[1] blog.protiviti.com/2019/12/12/operational-resilience-supervision-moves-into-high-gear-with-latest-consultation-papers-for-uk-institutions/
[2] www.bankofengland.co.uk/prudential-regulation/publication/2018/building-the-uk-financial-sectors-operational-resilience-discussion-paper
Increasingly, regulators are concerned about the financial industry’s ability to respond quickly and effectively to disruptive events before they significantly affect consumers, other businesses, and the economy. The regulators’ interest in the industry’s capabilities is shifting from how effectively institutions can prevent events from occurring to how quickly they can recover and remain viable following major disruptions, including severe but plausible stress events.[1]
The most significant effort to date by any financial regulator to create formal rules around the topic of operational resilience occurred on December 5, 2019,[2] when the UK supervisory authorities proposed new rules and expectations aimed at strengthening the operational resilience of the UK financial services sector. The proposals were released collectively by the Prudential Regulation Authority (PRA), the Bank of England (BOE) and the Financial Conduct Authority (FCA) through a series of coordinated consultation papers.
In the consultation papers, the supervisory authorities provide their view on key concepts essential to building operational resilience. Their proposals emphasize the need for boards and senior managers to improve their understanding of the criticality of their businesses; set clear standards for resilience, including the maximum level of disruption their businesses can tolerate; and establish contingency arrangements to enable the delivery of important business services when disruptive events occur.

Firms Should Act Now to Become Operationally Resilient

Given the UK development and the groundswell of activity around operational resilience globally, companies should act now to stay ahead of the regulatory curve. The following are immediate actions that firms can take:
• Identify important business services and functions and their reliance on third-party providers.
• Quantify the maximum acceptable level of disruption, referred to as “impact tolerance,” by establishing a point in time when the viability of an important business service is irrevocably threatened.
• Monitor and test the resilience of important business services and business lines against worst-case scenarios.
• Identify and document (also known as mapping) the necessary people, processes, technology, facilities and information required to deliver each of their important business services.
• Communicate resilience discussions and practices across the organization.
The action items above are discussed in greater detail later in this report. In addition, we provide a high-level overview of how operational resilience became a key agenda topic and highlight several recent and significant proposals aimed at enhancing resilience supervision.
The Resurgence of Interest in Operational Resilience
Operational resilience represents an organization’s ability to withstand adverse changes in its operating environment and continue the delivery of business services and economic functions. The number of financial institutions that have suffered severe financial and reputational harm from major disruptive events in recent years continues to increase, renewing the urgency around building operational resilience. As a result of these events and growing regulatory concerns, financial industry trade groups are working with their members to consolidate their views on operational resilience and to elevate their resilience capabilities to a broad range of threats.
The key components of operational resilience include defining important business services, impact tolerance and economic impact, and developing a complete understanding of all business services, functions and third-party relationships. Specifically, it requires that firms develop a process of prioritizing the important business lines or services they provide to various stakeholders; assessing the impact tolerance of the organization for each business line and how a prolonged disruption will affect various stakeholders; and considering the effects of business disruptions not only on the institution’s stakeholders, but also on the financial sector at large.
Requirements to support resilient operations are not new to financial services leaders. Many financial institutions have long addressed key aspects of operational resilience under the headings of business continuity, disaster recovery, information technology change management, and cybersecurity risk management. Nonetheless, in the seminal July 2018 joint discussion paper issued by the BOE, the PRA and the FCA, “Building the U.K. Financial Sector’s Operational Resilience,” the supervisory authorities asserted that management of operational resilience is best viewed in the context of business services — versus distinct systems and processes.[3] The discussion paper not only jump-started interest in operational resilience but also signaled regulators’ interest in holding financial institutions and financial market infrastructures (FMIs) accountable both for disruption and for failing to recover rapidly from those events.
[3] www.bankofengland.co.uk/news/2018/july/discussion-paper-building-the-uk-financial-sectors-operational-resilience
Regulators in various jurisdictions are weighing different approaches to operational resilience supervision. Many are revising existing policies, including those on risk management, outsourcing, controls and communication, and business continuity plans. Others intend to build on existing supervisory approaches or to supplement existing policies to improve the resilience of the financial system. Some jurisdictions are weighing a more prescriptive approach to resilience supervision, such as establishing specific resilience tolerances for institutions, and others have signaled their openness to a rules-based approach that incorporates leading industry standards and best practices. The latter approach was raised in May 2019[4] by a senior U.S. Federal Reserve Bank official. The Federal Reserve Bank’s intent is to incentivize new behaviors and investments to support the industry’s progress toward financial stability objectives. However, it has not ruled out the option of establishing specific tolerances and thresholds related to operational resilience for certain key business services.
The differing approaches under consideration imply that multinational institutions may be obligated to comply with varying operational resilience rules from various regulatory authorities. Many leading financial institutions have also voiced support for a principles-based regulatory approach to operational resilience — one that is firm-led, flexible in design, and not overly prescriptive. Additionally, the financial industry is engaged in direct dialogue with regulators on several of its main concerns, including the need for global harmonization of operational resilience regulations. The discussions are already having an impact; the UK supervisory authorities said the industry’s feedback helped reshape some of the proposals in the December consultation papers.
[4] www.corporatecomplianceinsights.com/regulatory-supervision-operational-resilience/
[5] www.bankofengland.co.uk/news/2019/june/mas-and-uk-financial-authorities-announce-collaboration-on-cyber-security
[6] www.mas.gov.sg/news/media-releases/2019/singapore-and-uk-to-enhance-cooperation
[7] www.fsb.org/work-of-the-fsb/implementation-monitoring/monitoring-of-priority-areas/basel-iii/
[8] www.investopedia.com/articles/economics/10/understanding-basel-3-regulations.asp
[9] www.bis.org/bcbs/events/icbs20/ws6.pdf
Conversations on Operational Resilience Around the World
Signs of Emerging Cross-Jurisdictional Collaboration
Hopeful signs of broader cross-jurisdictional collaboration on operational resilience regulation are emerging. These early signs suggest various regulatory bodies and professional organizations see the value in working to consolidate global standards.
• Singapore and UK: In June 2019,[5] the Monetary Authority of Singapore (MAS) and the UK financial authorities announced agreements to collaborate on strengthening cybersecurity and resilience in their financial sectors. Both parties will cooperate on facilitating data flows, enhancing cross-border Know Your Customer (KYC) processes, and developing skills and competencies in the financial sector.[6]
• The Basel Committee on Banking Supervision: In January 2022,[7] the member countries of the Basel Committee on Banking Supervision (BCBS) will begin a five-year phase-in of Basel III reforms. These reforms will protect world economies from damage by banks that assume undue risk.[8] At the beginning of 2018,[9] the BCBS established the Operational Resilience Working Group, whose initial task has been to assess gaps and identify potential policy measures to strengthen operational resilience. The BCBS strengthens regulation and supervision of banks to enhance global financial stability. Its membership draws from 28 jurisdictions worldwide.
Recent Regulatory Proposals on Operational Resilience

There has been a flurry of activity around operational resilience in recent months and over the past year. The following are a few recent major proposals and developments.

United Kingdom

The aforementioned December 5, 2019 proposals spell out the supervisory authorities’ clear expectations for regulated UK institutions, including the need for firms to take ownership of their operational resilience, prioritize plans and investment choices based on their impacts on the public interest, and communicate clearly to customers when disruptions occur. While key concepts essential to building operational resilience, such as defining important business services and impact tolerance, are clarified, the supervisory authorities stayed away from proposing taxonomies and prescriptive definitions relating to operational resilience.

Here are additional key takeaways from the consultation papers:

• Regulated institutions are expected to take a group-level view of operational resilience to ensure the risks of the whole group or organization, including parts or subsidiaries that are not subject to individual requirements, are considered.
• The supervisory authorities migrated from the term “critical business services” to “important business services,” expanding the number of services a regulated institution would have to validate as resilient. This change is expected to result in increased mapping of more processes and systems (possibly data flows), using a front-to-back approach to identify important business services.
• Regulated institutions are expected to use a time-based metric to define their impact tolerance or when the viability of a service is irrevocably threatened and be able to identify the stakeholders that would create the point of irrevocability.

UK regulators are under pressure to hold institutions and their executives more accountable for operational failures. In October 2019, the UK government’s Treasury Select Committee (Treasury Committee) published a report[10] decrying the current level and frequency of operational disruptions and consumer harm and urged regulators to act to reduce the “unacceptable” number of IT failures in the financial services sector. In the report,[11] the Treasury Committee called for banks and responsible individuals within the sector to be held more accountable. It urged regulators (specifically, the FCA, PRA and BOE) to apply their enforcement powers to ensure failures do not go unpunished.

[10] www.publications.parliament.uk/pa/cm201920/cmselect/cmtreasy/224/224.pdf
[11] www.protiviti.com/UK-en/insights/it-failures
United States
In November 2019, the Federal Financial Institutions Examination Council (FFIEC) released[12] an updated business continuity management booklet designed to make it easier for financial institutions to comply with its guidance and to help examiners determine whether management is addressing risks related to the availability of critical financial products and services. Among the notable changes from the earlier (2015) version, the booklet emphasizes operational resilience concepts such as the importance of understanding comprehensive process flows, potential systemic impacts, the need for more robust end-to-end testing, and maximum tolerable downtime (MTD). Also, as part of their examination objectives, FFIEC examiners will determine if management documented and implemented, as appropriate, resilience measures for third-party service providers. Specifically, the examiners will also consider disruptive events that threaten the operational resilience and viability of the entity’s third-party service providers.
Cybersecurity and operational resilience also feature prominently in the Office of the Comptroller of the Currency’s (OCC) Fall 2019 Semiannual Risk Perspective[13] and 2020 fiscal year Bank Supervision Operating Plan.[14] While these topics have been on the OCC’s supervisory radar for several years, the emphasis has expanded. According to the OCC, banks’ exposure to operational risks is on the rise as they adapt to a changing and increasingly complex operating environment. A key factor driving the elevation in operational risk is the need to adapt and evolve current technology systems for ongoing cybersecurity threats.
Canada
In June 2019, the Bank of Canada launched[15] the Canadian Financial Sector Resiliency Group (CFRG), a public-private partnership to strengthen the resilience of Canada’s financial sector in the face of risks to business operations, including cyber incidents. CFRG, which brings together the Department of Finance Canada, the Office of the Superintendent of Financial Institutions (OSFI), Canada’s systemically important banks, and designated Canadian FMIs, will be responsible for coordinating a sectorwide response to systemic-level operational incidents. CFRG will also support ongoing resilience initiatives, such as regular crisis simulation and benchmarking exercises. The partnership replaces the Joint Operational Resilience Management Program (JORM), which played a similar role but had a different membership base and did not have the mandate to look at resilience coordination for cyber events.
[12] blog.protiviti.com/2019/12/03/ffiecs-updated-bcm-booklet-highlights-operational-resilience-concepts/
[13] www.occ.treas.gov/publications-and-resources/publications/semiannual-risk-perspective/index-semiannual-risk-perspective.html
[14] www.occ.gov/news-issuances/news-releases/2019/2019-111a.pdf
[15] www.bankofcanada.ca/2019/06/bank-of-canada-announces-partnership-improve-resilience-financial-sector/
European Union
In December 2019, the European Commission launched a public consultation[16] on a proposed digital operational resilience framework for the EU financial sector. The Commission aims to gather the public’s views on strengthening the digital operational resilience of the financial sector, particularly in the areas of information and communications technology (ICT) and security risk, and the potential impacts of such policies. The public consultation will remain open until March 18, 2020.
In the paper, the Commission states that the financial sector is the largest user of ICT in the world, accounting for about a fifth of all ICT expenditure. The sector’s operational resilience will continue to hinge on ICT, given the growing use of emerging models, concepts or technologies such as distributed ledger and artificial intelligence. In the Commission’s view, the increased use of artificial intelligence in financial services may generate a need for stronger operational resilience and, accordingly, increased regulatory supervision.
This latest paper follows earlier efforts by the European Supervisory Authorities (ESAs) to address the need for improvements to ICT risk management requirements in the EU’s financial services industry. In April 2019,[17] the ESAs clarified their requirements on ICT governance and sought to ensure secure delivery of regulated services. The ESAs’ proposals (Joint Advice) promote operational resilience of the EU’s financial sector.[18] They point out that as financial services firms’ reliance on technology increases, exposure to cyber risk also grows. The European supervisors continue to suggest changes to harmonize risk management rules throughout the EU.
Singapore
In March 2019,[19] MAS released a pair of consultation papers. The first paper proposed expanding Technology Risk Management (TRM) guidelines to include direction on cyber surveillance, software development security, adversarial attack simulation, and cyber risk management connected to the Internet of Things. The second paper proposed updates to Business Continuity Management (BCM) guidelines that will increase financial institution business continuity plans’ focus on interdependencies across operational units and with third-party service providers.
[16] https://ec.europa.eu/info/law/better-regulation/initiatives/financial-services-digital-resilience-2019/public-consultation_en
[17] https://eba.europa.eu/-/esas-publish-joint-advice-on-information-and-communication-technology-risk-management-and-cybersecurity
[18] www.linklaters.com/en-us/insights/blogs/fintechlinks/2019/april/eu-supervisors-propose-writing-operational-resilience-and-cybersecurity-standards
[19] www.mas.gov.sg/news/media-releases/2019/mas-consults-on-proposed-enhancements-to-trm-and-bcm-guidelines
How Financial Institutions Can Respond Now

The pressure to comply with operational resilience requirements and/or guidance and the desire to avoid the consequences of operational failures are strong motivations for institutions to strengthen operational resilience. The benefits extend beyond mere compliance; companies can protect their profits and reputations by staying on top of industry best practices.

Here are a few initiatives that institutions can take immediately:

• Given that most organizations already have an idea of what their important business services are, they should not wait for future requirements that mandate a formal approach to defining “important business services.” Acting now to gain internal consensus on which services are important will help firms increase their understanding of the scope and impact of any future operational resilience regulations focused on important business services.
• Institutions should develop action plans to address known operational risks or gaps, whether self-identified, noted by internal audit, communicated by regulators in a matter requiring attention (MRA) or ordered by a court. Focusing on and addressing known gaps is a crucial step for firms to demonstrate resilience and their ability to respond to or recover from severe-but-plausible scenarios.
• Building a robust operational resilience program will require investment in technical and human resources. It is therefore important for firms to immediately begin the process of weighing the impact on budget and other resources. Clearly, budgetary considerations may vary, depending on a specific institution’s existing capabilities. Operational resilience professionals can help institutions assess the resources required to support implementation and the budgetary impacts, and benchmark them.
• While institutions have invested significant resources in the foundational elements, providing a true front-to-back mapping of important business services — inclusive of all processes, systems, and third parties involved — is a challenge for many institutions. Mapping is critical, as it will help institutions identify vulnerabilities in the delivery of important business services within an impact tolerance and take action to remedy the discovered vulnerabilities.
ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Through its network of more than 85 offices in over 25 countries, Protiviti and its independent and locally owned Member Firms provide clients with consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit.
Named to the 2020 Fortune 100 Best Companies to Work For® list, Protiviti has served more than 60% of Fortune 1000® and 35% of Fortune Global 500® companies. The firm also works with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
To learn more about operational resilience, and how Protiviti is helping clients improve their resilience practices, visit: https://www.protiviti.com/US-en/operational-resilience
CONTACTS

• Patrick Scott, Executive Vice President, +1.312.476.6397, [email protected]
• Carol Beaumier, Senior Managing Director and Asia-Pacific Financial Services Leader, +1.212.603.8337, [email protected]
• Michael Brauneis, Managing Director and Americas Financial Services Industry Leader, +1.312.476.6327, [email protected]
• Ron Lefferts, Managing Director, Global Leader, Protiviti Technology Consulting, +1.212.603.8317, [email protected]
• Andrew Retrum, Managing Director, Global Operational Resilience Leader, Technology Consulting, +1.312.476.6353, [email protected]
• Douglas Wilbert, Managing Director, US Operational Resilience Leader, Risk & Compliance, +1.212.708.6399, [email protected]
• Matthew Moore, Managing Director, Global Risk and Compliance Leader, +1.704.972.9615, [email protected]
• Bernadine Reese, Managing Director, Risk and Compliance, +44.20.7024.7589, [email protected]
• Matt Taylor, Managing Director, Risk and Compliance, +44.20.7930.8808, [email protected]
© 2020 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0320-103145
THE AMERICAS

UNITED STATES: Alexandria, Atlanta, Baltimore, Boston, Charlotte, Chicago, Cincinnati, Cleveland, Dallas, Denver, Fort Lauderdale, Houston, Kansas City, Los Angeles, Milwaukee, Minneapolis, New York, Orlando, Philadelphia, Phoenix, Pittsburgh, Portland, Richmond, Sacramento, Salt Lake City, San Francisco, San Jose, Seattle, Stamford, St. Louis, Tampa, Washington, D.C., Winchester, Woodbridge
ARGENTINA*: Buenos Aires
BRAZIL*: Rio de Janeiro, Sao Paulo
CANADA: Kitchener-Waterloo, Toronto
CHILE*: Santiago
COLOMBIA*: Bogota
MEXICO*: Mexico City
PERU*: Lima
VENEZUELA*: Caracas

EUROPE, MIDDLE EAST & AFRICA

FRANCE: Paris
GERMANY: Berlin, Dusseldorf, Frankfurt, Munich
ITALY: Milan, Rome, Turin
NETHERLANDS: Amsterdam
SWITZERLAND: Zurich
UNITED KINGDOM: Birmingham, Bristol, Leeds, London, Manchester, Milton Keynes, Swindon
BAHRAIN*: Manama
KUWAIT*: Kuwait City
OMAN*: Muscat
QATAR*: Doha
SAUDI ARABIA*: Riyadh
UNITED ARAB EMIRATES*: Abu Dhabi, Dubai
EGYPT*: Cairo
SOUTH AFRICA*: Durban, Johannesburg

ASIA-PACIFIC

AUSTRALIA: Brisbane, Canberra, Melbourne, Sydney
CHINA: Beijing, Hong Kong, Shanghai, Shenzhen
INDIA*: Bengaluru, Hyderabad, Kolkata, Mumbai, New Delhi
JAPAN: Osaka, Tokyo
SINGAPORE: Singapore

*MEMBER FIRM
© 2018 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0918