As technology advances, the capacity for damaging operational failures increases, particularly as banks look to upgrade their legacy systems by migrating to new network infrastructure. Changing business models and increased outsourcing have also amplified the dependence of participants on others, giving rise to concentrations of risk and cyber security challenges.
Operational resilience in the financial services sector is now a priority for the supervisory authorities and is viewed as no less important than financial resilience. As well as the ability to prevent disruption, operational resilience refers to the ability to respond to, recover from and learn from operational disruption. System disruption, when it occurs, affects not just customers but overall confidence in the financial system. One of the most high-profile examples was TSB's disastrous move of its customer accounts from Lloyds to a new banking platform, but there have been many others, including the service disruption of Visa Europe's authorisation system (VEAS) in June last year.
Building Operational Resilience
In July 2018 the Bank of England, PRA and FCA jointly issued a Discussion Paper ("Building the UK financial sector's operational resilience") which focused on the operational resilience of the financial system and the firms and financial market infrastructures (FMIs) within it. The purpose of the paper was to engage with the financial services industry and to share the supervisory authorities' thinking on how operational resilience in the sector could be enhanced. Responses to the paper will be used by the supervisory authorities to inform current supervisory activity and future policy-making. The paper notes that "a resilient system is one that can absorb shocks rather than contribute to them", and managing operational resilience is seen as a key issue on which boards and senior management need to focus. Concentrating on the continuity of business services, rather than on systems and processes, is seen as an essential component of operational resilience.
In November 2018 the Treasury Select Committee launched an inquiry to consider whether there should be more regulation in the financial services sector with the aim of improving operational resilience and protecting customers. As part of its inquiry the Committee sought information from various parties including Barclays, Cashplus, RBS and Visa following failures suffered by their IT systems. The deadline for submissions to the inquiry closed on 18 January 2019 and its conclusions are awaited.
The importance of operational resilience was also emphasised by the Bank of England in its Supervision of Financial Market Infrastructures Annual Report (14 February 2019). In particular, the report noted that a number of significant changes have been under way since 2018 to renew the infrastructure supporting payments in the UK. These changes are viewed as giving rise to both opportunities and risks: they provide an opportunity to ensure that the infrastructure supporting payments is able to remain robust, resilient and secure in a fast-changing environment, but they could also create risk if the programme of change is not well managed. The report stresses the importance of the payment system operator ensuring a robust approach to the migration to new infrastructure that minimises the risk of discontinuity or degradation in service.
In our increasingly connected world, operational resilience is just as important as financial resilience, so the importance of market participants having robust IT infrastructure in place cannot be overstated. Quite apart from the significant financial and reputational fall-out that arises from systems failures, it is clear that there will be increased regulatory oversight and expectations, with sanctions and penalties resulting where system failures occur.
Although the outcomes of the various consultations and discussion papers are awaited, the focus of the regulators is already reasonably clear. In considering operational resilience planning and procedures, businesses would therefore be wise to bear in mind the importance of the following:
- Ensuring continuity of business services, rather than focusing on particular systems or processes. Businesses are likely to be expected to understand clearly which business services are their most important and how they will be affected by failures of particular systems or processes, including those outside their direct control.
- Reviewing existing policies, including business continuity and communications policies, and whether they are up to date. This might include setting impact tolerances for disruption (e.g. a maximum acceptable outage time for a business service).
- Planning to minimise system disruption when making any IT infrastructure changes, at all stages from design through to delivery…
- … but in day-to-day operation, planning for an imperfect world where not every risk can be addressed. Assume that operational disruption can and will happen and plan accordingly.
- Having a process for responding to and recovering from disruption, but also for learning from it and implementing improvements.
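As an added illustration of the first two points above, and not taken from the discussion paper or from any firm's own tooling, the following Python models business services, the systems and processes each depends on (including those run by third parties) and an impact tolerance per service, then checks constructed outage records against those tolerances. It shows how a failure in one shared system surfaces as a breach for the most important service while staying within tolerance for others. Every service name, system, owner, time and tolerance is an assumption made for the example.

```python
"""
Impact-tolerance check: map business services to the systems they depend on,
merge the outage windows of those systems, and compare the longest continuous
disruption against each service's maximum acceptable outage.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BusinessService:
    name: str
    importance: int          # 1 = most important (assumed ranking)
    max_outage: timedelta    # impact tolerance: longest acceptable continuous outage
    depends_on: frozenset    # systems/processes the service cannot run without


@dataclass(frozen=True)
class Outage:
    system: str
    start: datetime
    end: datetime


# Who operates each system (constructed). Third-party systems are outside the
# firm's direct control, which is exactly why they must still be mapped.
SYSTEM_OWNER = {
    "core_banking": "internal",
    "payment_gateway": "internal",
    "web_frontend": "internal",
    "batch_reporting": "internal",
    "card_scheme_auth": "third_party",
}

SERVICES = [
    BusinessService("payments", 1, timedelta(hours=2),
                    frozenset({"core_banking", "payment_gateway", "card_scheme_auth"})),
    BusinessService("online_banking", 2, timedelta(hours=4),
                    frozenset({"core_banking", "web_frontend"})),
    BusinessService("statements", 3, timedelta(hours=24),
                    frozenset({"core_banking", "batch_reporting"})),
]

# Constructed outage records for a single day.
D = datetime(2019, 3, 1)
OUTAGES = [
    Outage("core_banking", D.replace(hour=9), D.replace(hour=10, minute=30)),
    Outage("payment_gateway", D.replace(hour=10), D.replace(hour=12)),
    Outage("web_frontend", D.replace(hour=13), D.replace(hour=13, minute=30)),
    Outage("card_scheme_auth", D.replace(hour=15), D.replace(hour=16)),
]


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) intervals into sorted disjoint ones."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def disruption_windows(service, outages):
    """Windows during which the service was down because a dependency was down."""
    hits = [(o.start, o.end) for o in outages if o.system in service.depends_on]
    return merge_intervals(hits)


def longest_disruption(service, outages):
    """Longest single continuous disruption of the service (what a tolerance bounds)."""
    windows = disruption_windows(service, outages)
    return max((end - start for start, end in windows), default=timedelta(0))


def external_dependencies(service, owners=SYSTEM_OWNER):
    """Dependencies the firm does not operate itself."""
    return sorted(s for s in service.depends_on if owners.get(s) == "third_party")


def tolerance_report(services, outages):
    """Per-service result, most important service first."""
    report = []
    for svc in sorted(services, key=lambda s: s.importance):
        worst = longest_disruption(svc, outages)
        report.append({
            "service": svc.name,
            "longest_disruption": worst,
            "tolerance": svc.max_outage,
            "breached": worst > svc.max_outage,
            "third_party_systems": external_dependencies(svc),
        })
    return report


if __name__ == "__main__":
    for row in tolerance_report(SERVICES, OUTAGES):
        flag = "BREACH" if row["breached"] else "ok"
        print(f"{row['service']:15} longest={row['longest_disruption']} "
              f"tolerance={row['tolerance']} {flag} "
              f"third-party={row['third_party_systems']}")
```

Two separate, individually tolerable outages (core banking for 90 minutes, then the payment gateway for two hours) overlap into a single three-hour disruption of the payments service, which exceeds its two-hour tolerance, while the same core banking outage stays within tolerance for the other two services. Tracking the longest continuous window, rather than summing isolated incidents, is what makes an impact tolerance expressed as a maximum outage time meaningful.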