Financial institutions need to build operational resilience to meet incoming regulations

Simon Morgan, Client Director, CSI Ltd

In the intricate tapestry of today’s digital economy, financial organisations face a myriad of threats ranging from cyber incursions to global health crises and economic fluctuations. Consequently, regulatory bodies have intensified their mandates to fortify the digital resilience of these institutions. The emphasis is on operational resilience, business continuity, and disaster recovery.

No one wants to see devastating cyber attacks like that of Capital One in 2019 repeated, when around 100 million credit card applications were accessed by a hacker. It’s a given now that all financial institutions will be attacked, so ensuring operational resilience is key to maintaining market stability.

The EU’s Digital Operational Resilience Act (DORA) is poised to be a seminal regulation, affecting EU banks and their clientele profoundly. Compliance is mandated from 17 January 2025. Meanwhile, the Bank of England and other regulatory entities are deliberating on adopting analogous measures. For UK national banks without EU subsidiaries, DORA may not apply directly, yet the principles of operational resilience remain pertinent, sharing common ground with existing UK regulations.

The UK’s Financial Conduct Authority (FCA) presides over a spectrum of financial institutions, but DORA casts a wider net, encompassing explicit directives for ICT and third-party risk management that are more stringent than those in the UK. The FCA, together with the Prudential Regulation Authority (PRA), is contemplating regulations that would encompass provisions for third-party technology providers. It seems the UK is gravitating towards a regulatory framework that could harmonise with DORA.

Regardless of EU operations, it’s prudent for financial services organisations to evaluate their operational resilience now. Here are some of my top tips for doing this.

Identify Important Services

From the leading merchant banks to challenger banks such as Monzo and Revolut, which have disrupted traditional banking with their digital-first approach, financial institutions must pinpoint their critical business services and establish impact tolerances to prioritise investment decisions. Understanding what constitutes an ‘important business service’ is crucial, involving a thorough analysis of services whose disruption could harm consumers, jeopardise the firm’s viability, or destabilise the financial system. Services must be appraised based on their significance to the organisation’s operations and stakeholder impact.

Once critical services are identified, firms must set impact tolerances for each, defining the maximum disruption a firm can endure before incurring severe damage. This encompasses factors like disruption duration and the volume of business impacted. Establishing these tolerances necessitates an in-depth comprehension of the firm’s operations, interdependencies, and potential systemic risks, all within the context of the financial services market.

With defined impact tolerances, firms can allocate resources and investments to bolster the resilience of their most crucial services. This entails investing in systems, processes, and controls capable of preventing, addressing, and recuperating from operational disruptions.

Engage in Scenario Testing

Data integrity, the assurance of data’s consistency, accuracy, and reliability throughout its lifecycle, is paramount. Scenario testing for data integrity involves creating simulations of events that could compromise data, such as cyber-attacks, system failures, or human errors. FSI firms must devise realistic scenarios that test their capacity to maintain data integrity. A critical aspect is testing backup and recovery procedures to guarantee prompt and accurate data restoration – a practice still overlooked by many organisations. Additionally, the impact of data loss or corruption from third-party suppliers on business operations must be evaluated.

Scenario testing should mimic outages of both internal and third-party services, identifying a spectrum of potential failures, from minor issues to catastrophic events. By gauging the likelihood and impact of each scenario on the firm’s operations, contingency plans can be tailored accordingly. These plans must be exercised live, not just reviewed on paper, to confirm the efficacy of backup and recovery strategies. Regular updates and refinements to these plans are necessary to adapt to the evolving risk landscape. Continual scenario testing is essential to maintain operational resilience.
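A restore drill is only evidence of resilience if it checks two things the paragraphs above call for: that the restored data is byte-for-byte what was backed up, and that the restore finished inside the impact tolerance set for the service. The following is an added example written for this article, not code from the author or from any regulator; the service name, the two-hour tolerance, the file names and their contents are constructed for illustration. It hashes the live data into a manifest at backup time, then scores a restored copy against that manifest and the tolerance.

```python
"""Restore drill checker: verifies that data restored from backup matches the
manifest taken at backup time and that the restore completed inside the impact
tolerance set for the service.

Added example, not code from the original article. Service names, tolerances,
file names and contents are constructed for illustration.
"""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Dict, List


@dataclass
class DrillResult:
    service: str
    restore_seconds: float
    tolerance_seconds: float
    missing: List[str] = field(default_factory=list)
    corrupted: List[str] = field(default_factory=list)

    @property
    def integrity_ok(self) -> bool:
        return not self.missing and not self.corrupted

    @property
    def within_tolerance(self) -> bool:
        return self.restore_seconds <= self.tolerance_seconds

    @property
    def passed(self) -> bool:
        return self.integrity_ok and self.within_tolerance


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every file under root, keyed by relative path. Taken at backup time
    and stored apart from the backup, so a damaged backup cannot vouch for itself."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def check_restore(service: str, manifest: Dict[str, str], restored_root: Path,
                  restore_seconds: float, tolerance_seconds: float) -> DrillResult:
    """Compare a restored tree against the manifest and the impact tolerance."""
    result = DrillResult(service, restore_seconds, tolerance_seconds)
    for rel, expected in manifest.items():
        candidate = restored_root / rel
        if not candidate.is_file():
            result.missing.append(rel)
        elif sha256_file(candidate) != expected:
            result.corrupted.append(rel)
    return result


def run_drill() -> Dict[str, DrillResult]:
    """Two constructed drills: a clean restore inside tolerance, and one that
    silently lost a file, altered another and overran the tolerance."""
    tolerance = 2 * 3600  # hypothetical impact tolerance: two hours of disruption
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        (live / "ledger.csv").write_text("acct,balance\n1001,250.00\n")
        (live / "customers.csv").write_text("id,name\n7,Example Ltd\n")
        manifest = build_manifest(live)

        good = Path(tmp) / "restore_good"
        good.mkdir()
        for rel in manifest:
            (good / rel).write_bytes((live / rel).read_bytes())

        bad = Path(tmp) / "restore_bad"
        bad.mkdir()
        # ledger restored with a silently altered balance; customers.csv never restored
        (bad / "ledger.csv").write_text("acct,balance\n1001,25.00\n")

        return {
            "good": check_restore("payments", manifest, good, 45 * 60, tolerance),
            "bad": check_restore("payments", manifest, bad, 3 * 3600, tolerance),
        }


if __name__ == "__main__":
    for name, r in run_drill().items():
        print(name, "PASS" if r.passed else "FAIL",
              f"missing={r.missing} corrupted={r.corrupted} "
              f"restore={r.restore_seconds / 3600:.1f}h "
              f"tolerance={r.tolerance_seconds / 3600:.1f}h")
```

The point of separating `integrity_ok` from `within_tolerance` is that the two failures need different remediation: a corrupted or missing file is a backup pipeline defect, while an overrun is a capacity or runbook problem, and a drill report should say which one it found.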

Build Resilience

Entities like PayPal and Stripe facilitate online transactions and must maintain high levels of operational resilience to handle the vast volumes of payments securely and reliably. Investing in resilience is imperative for financial services organisations to ensure the continuity and reliability of service delivery. Developing substitutable service delivery methods, such as alternative customer interaction channels—online platforms, call centres, and physical locations—can provide redundancy if one fails. Adapting outsourcing arrangements to include multiple vendors or cloud-based solutions enhances flexibility and reduces reliance on a single source, mitigating third-party failure risks.

Modernising legacy systems is another critical aspect of building resilience. Outdated technology and lack of vendor support in legacy systems pose significant risks. Strategic investments in updating these systems can enhance efficiency, security, and integration with new technologies, significantly improving the organisation’s overall resilience and operational capabilities. Insurers such as Allianz and AXA, which manage risk for individuals and businesses, are a case in point: they rely on robust operational frameworks to ensure they can meet claims and maintain service continuity during crises.

Policy Compliance

Adhering to operational resilience policy by January 2025 is a strategic imperative for financial institutions that operate across the EU. It is also important for homegrown financial institutions that are likely to be subjected to similar regulations by the UK authorities in the future. Active engagement from senior management and boards is required as their leadership is vital for embedding resilience into the corporate ethos. Boards must spearhead resilience initiatives, judiciously allocate resources, and ensure comprehensive organisational understanding and involvement in resilience goals.

A methodical and logical approach to operational resilience will not only align with regulatory expectations but also fortify financial institutions’ capacity to endure and swiftly recover from operational disruptions, thus protecting customers and the broader financial markets.
