What might be among the largest regulatory and compliance burdens organizations face in the near future? Operational resilience. Protiviti’s Ron Lefferts discusses why financial institutions need to raise their standards in order to achieve it.
Operational disruptions are impacting the financial sector with greater frequency and severity, and with each disruptive episode, the focus on managing operational threats is changing from how financial institutions (FIs) can prevent events from happening to what they can do to minimize their impact or to restore services as quickly as possible.
While more regulators are demanding that firms and financial market infrastructures (FMIs) demonstrate greater resiliency, they are also considering regulatory approaches that are significantly different from those used to address capital, liquidity and the other financial risks. Operational resilience, which describes the ability of a firm to withstand an adverse event and continue to provide goods and services, is now at the forefront of regulatory scrutiny around the world.
Following is a framework firms can leverage to understand, prevent and recover from extreme but plausible events. The framework identifies key components firms must consider when formalizing and managing the resilience of their critical business services.
Improving the Standards of Operational Resilience
Operational risks are increasing for all FIs but remain exponentially higher for those operating in multiple jurisdictions or outsourcing a significant number of services to third parties. Depending on the jurisdiction, multinational FIs contend with varying governance structures, organizational processes, IT systems, cultural issues and regulatory obligations – factors that can complicate efforts to build operational resilience.
The key components of operational resilience, which include defining critical business services, impact tolerance and economic impact, require FIs to have a complete understanding of all business services, functions and third-party relationships. To achieve better standards of operational resilience, companies – regardless of size – should:
- Understand and prioritize the criticality of the business lines or services they provide to various stakeholders.
- Determine the impact tolerance of the organization for each business line and assess how a prolonged disruption will affect the organization’s various stakeholders.
- Consider the effects of business disruptions not only on the institution’s stakeholders, but also on the financial sector at large.
The interdependency of markets and among participants creates additional vulnerabilities. For example, FIs generally rely on third-party vendors for different aspects of business-as-usual operations. These FIs should have processes in place to ensure that third-party operational resilience is part of the initial vetting and ongoing vendor relationships.
Overlapping and inconsistent regulations can also undermine FIs’ efforts to build resiliency. Specifically, inconsistent rules may cause lapses in compliance, which could result in regulatory sanctions, reputational damage and, ultimately, customer defections. Given these concerns, a number of leading financial institutions are advocating for a principles-based regulatory approach to operational resilience – one that is firm-led, flexible in design and not overly prescriptive.
The Future of Resilience Supervision
In the United Kingdom, supervisory authorities have made it clear that operational resilience of firms and FMIs is no less important than financial resilience. In the July 2018 discussion paper, “Building the U.K. Financial Sector’s Operational Resilience,” the supervisory authorities expressed concern over the potential harm to consumers and market participants from operational disruptions and signaled how they intend to hold firms accountable for these events and their ability to recover from them.
The U.K. regulators have been reexamining current supervisory approaches to operational resilience with the goal of developing a framework that aligns better with the assumption that failures are bound to happen, and companies need to be better prepared for when – not if – those adverse events occur. The regulators are reviewing existing policies, including those on risk management, outsourcing, controls and communication and business continuity plans. Where possible, they intend to build on existing supervisory approaches or supplement existing policies to improve the resilience of the financial system.
According to the Bank of England (BoE), a future supervisory approach could cover these four broad areas:
- Sector-wide work, including any potential stress testing developed by the BoE and others.
- Supervisory assessment of how firms and FMIs set and use impact tolerances.
- Analysis of systems and processes that support business services.
- Assurance that firms and FMIs have the capabilities to deliver operational resilience and follow existing rules, principles, expectations and guidance.
In the United States, the Federal Reserve has indicated its preference for a more harmonized regulatory approach that incorporates leading industry standards and best practices and reflects significantly more input from firms. The Fed is taking this approach to incentivize firms to adjust their behaviors and make investments that achieve the Fed’s safety and soundness and financial stability objectives, according to a senior Fed official.[1] Nonetheless, the Fed has not ruled out the possibility of establishing specific resiliency tolerances or a regulatory-driven approach.
In the Asia-Pacific region, regulators are also working to strengthen resilience supervision. The Monetary Authority of Singapore (MAS), for example, has proposed changes that will require financial institutions to put in place enhanced measures to strengthen operational resilience. The measures include developing business continuity plans that better account for interdependencies across operational units and linkages with external service providers. The MAS proposals also include guidance on effective cyber surveillance, secure software development, adversarial attack simulation and management of cyber risks posed by the internet of things.
MAS is one of many regulatory bodies focused on cyber risk management. The BoE is working with the G-7 Cyber Expert Group, which represents 23 financial authorities, to develop a cyber stress testing program. Also, the Basel Committee on Banking Supervision, which established the Operational Resilience Working Group (ORG), is working on integrating a cyber dimension into its broader operational resilience work.
Preparing for Enhanced Supervision
As regulators reassess their approach to resilience supervision, FIs should prepare for a future where their resilience practices are heavily scrutinized. Future regulatory regimes are likely to demand assurances that firms are setting appropriate impact tolerances – that is, that they can define metrics for the level of disruption they can tolerate if their most important business services fail due to a severe but plausible stress event.
Firms should also be prepared to demonstrate that they have identified critical business services and functions and are monitoring and testing their resilience against worst-case scenarios. They should be able to show that they have implemented systems and processes that would allow them to continue to provide services in an extreme but plausible event.
Larger firms and FMIs are likely to face greater scrutiny; in the United Kingdom, the supervisory authorities are considering reviewing the operational resilience efforts of larger firms on a regular basis and taking targeted actions if serious concerns are identified. For smaller or mid-sized firms, regulators intend to review their resilience efforts on a periodic basis.
While the growing focus on operational resilience may create burdensome obligations for some organizations, it also provides an opportunity for FIs to stay ahead of the regulatory curve. There is an opportunity to take proactive measures, such as self-assessing the resilience of back-up systems, redundancies and substitutability arrangements while working toward building a culture of resiliency throughout the enterprise.
[1] Comments by Art Lindo, Federal Reserve Board, May 1, 2019