Industry Insights – Operational Resilience; more evidence of regulatory change

by Martin Langlands, Chief Risk Officer, Harpenden Building Society

A short while ago, I wrote an article which explained how a discussion paper jointly issued by The Bank of England, The PRA and The FCA has the potential to change the way all financial institutions might be asked to operate in the future. The paper goes by the name of DP 01/18 and aims to achieve a ‘step-change’ in the industry’s operational resilience.

The UK authorities’ involvement shows their concern about how the interconnectedness of the financial system makes it vulnerable, and that they recognise the continuing risk of cyber threats. The work will assess how the continuity of an organisation’s services might be maintained, no matter what has disrupted them.

Later on, the news highlighted how this was becoming a greater priority for the regulators. So what’s changed?

Treasury Select Committee
At the end of October 2019, the UK Treasury Committee reported that the frequency of online banking crashes and customer disruption had become unacceptable. Steve Baker, the Committee’s lead member for this inquiry, was quoted as saying:

“The number of IT failures that have occurred in the financial services sector, including TSB, Visa and Barclays, and the harm caused to consumers is unacceptable. The regulators must take action to improve the operational resilience of financial services sector firms. They should increase the financial sector levies if greater resources are required, ensure individuals and firms are held to account for their role in IT failures, and ensure that firms resolve customer complaints and award compensation quickly. For too long, financial institutions issue hollow words after their systems have failed, which is of no help to customers left cashless and cut off.”

In addition, there were other important recommendations, notably that financial sector levies should increase so that regulators can hire experienced staff; that regulators must use enforcement powers to ensure failures do not go unpunished; and that the concentrated cloud services sector should be regulated.

Consequences and planning
In my original article I explained that the report’s motives are undoubtedly sound and the effect across the industry will be positive. The nation has to be confident that the economy as a whole can respond to a major operational crisis affecting either an individual company or the entire system. However, more regulation will add another level of governance and that means higher operational costs. At the start of October I suggested that this could lead to higher prices. Now we are beginning to see more detail and stronger language in the form of levies, punitive action against failure and added regulation for certain critical functions.

Planning
Large and medium organisations all have robust operational plans and many SMEs have thought through how they would operate in the event of a disaster. However, with more controls and rules designed to beef up this process, all organisations are going to have to apply more due diligence and put in place more controls and contingencies. Larger organisations, though, will have to analyse the reliability of their suppliers much more thoroughly, and define how they want them to operate if they want to continue the relationship.

I do not expect this to happen within the next few months, but it’s likely that from the second quarter of 2020 we’ll be seeing this issue take front and centre stage. Most companies will be asking, ‘what do we need to do about it?’ The answer depends on their leaders’ attitude to risk. Without a plan, your company is exposed to operational and reputational risk if there is a failure, but the cost and time involved may be considered too much relative to the risk.

However, in future an individual’s attitude to risk will be less of a consideration. The regulation will define minimum standards and expectations. As the threat of cyber-attacks continues, it could be wise to stay ahead of the regulation and put more time into planning.
