The elements of approaching operational resilience
Operational resilience is defined in quite broad terms, with a focus on outcomes and an expectation around responsiveness and time. As UK regulators put it in December 2019, it is a firm’s ability to “prevent, adapt, respond to, recover and learn from operational disruptions.” The Basel Committee adds further detail, describing an operationally resilient firm (or more specifically, a bank) as one that can:
- identify and protect itself from threats and potential failures;
- respond and adapt quickly to a particular crisis or disruption;
- minimise impact on the delivery of critical operations; and
- maintain a sound business environment outside of the crisis.
At the most basic level, operational resilience means an organisation can get back up after it has fallen over and is more likely to survive once the storm has passed.
Operational resilience concerns the whole of the operation. – a firm’s financial resilience, the resilience of its governance and people, regulatory resilience, the resilience of its structures, and systems, and its security resilience (both physical and cyber). It is an evolution rather than a revolution; firms – or more specifically – firms’ senior managers – must “join the dots” across a range of risk management and governance activities.
It can be helpful at a conceptual level to identify five elements of a holistic framework:
- Financial resilience – capital, liquidity, prudence
- People resilience – governance, accountability, culture
- Structural resilience – clarity of operational and legal structures
- Regulatory resilience – maintaining regulatory compliance and flexibility to respond to evolving regulatory expectations
- Systems resilience – cyber and data security, including the ‘in the ether’ elements and the physical security of, for example, the premises of data centres and servers
The notion of financial resilience is very familiar. At a basic level, financial resilience is that the firm has enough capital and the right type of capital to operate sustainably for the long term.
However, it is notable that a significant element of the response to the 2007/08 financial crisis was the recognition of a gap in oversight of the financial stability of the financial system as a whole. Fast forward to today and financial resilience policy is well-developed with a raft of regulatory measures and interventions. International bodies such as the Basel Committee on Banking Supervision (BCBS), the International Organisation of Securities Commissions (IOSCO), and the International Association of Insurance Supervisors (IAIS) set global standards to help firm’s achieve robust operational resilience practices
Over and above regulatory compliance, calibrating financial resilience is a matter for individual firms and is multi-faceted. It is not simply a concept of having enough capital, but also of having the right kind of capital, the right mix of capital, and more. This calibration becomes ever more complex in an environment which poses increasingly sophisticated and nuanced challenges to firms’ leadership, particularly as a result of technological developments. Take virtual currencies, for example. The question is not simply a “yes or no” – it’s a “if and when”, “how much”, and “do we want to be a market leader or ‘in the peloton’”?
Our experts understand these complexities and know how responsibility and accountability rests with firms’ leadership. We work with you to ensure your approach to operational resilience meets not just regulatory expectations, but also the expectations of your customers, your people, your community, your stakeholders and partners, building on the foundations to deliver a sustainable and long-term business.
It is an organisation’s people that, if properly incentivised, can drive, ensure and advance operational resilience. People are a major intelligence asset. - They can identify changes in the operating environment early, from nuances in regulatory change to shifts in client behaviour and can identify the patterns and linkages to make improvements.
The financial crisis of 2007/08 highlighted a number of shortcomings in how the financial sector approached its people. For example, regulatory regimes were insufficiently robust on matters of personal accountability – this gap has been addressed in a number jurisdictions, from the UK’s Senior Managers and Certification Regime (SM&CR) through to the Hong Kong Manager-in- Charge regime to the Australian Banking Executive Accountability Regime (BEAR). Further development in this space is underway in a number of major financial services hubs, and it will continue to be a focus for regulators over the coming years.
Another area of focus has been on culture. It is acknowledged that culture does not easily lend itself to regulation or legislation; instead regulators have focused on mandating standards in respect of particular activities which may have an impact on culture, such as whistleblowing. But it is generally accepted that a good and open culture has a positive impact on business sustainability, on productivity, and on outcomes.
We have worked with global financial institutions on governance, accountability and culture. We understand both the regulatory requirements and expectations, and the outcomes which will help drive long term sustainability. We know how important people are to a firm’s ability to thrive, from those in leadership roles making strategic decisions, to those on the business frontline, to those in the back office teams that keep everything moving.
The US Volcker Rule, the EU Liikanen Report, and the UK’s Independent Commission on Banking all addressed a concern about the structures of banks, particularly the universal banking model. The concern is that the structure of banks – and of financial firms more generally – is not sufficiently clear to facilitate sensible, prudent management and informed, effective regulatory oversight.
A number of regulatory initiatives have sought to address this, including recovery and resolution initiatives, which while initially focused on banks have moved to encompass financial market infrastructures. They also include how regulators approach supervision of firms – entities in jurisdictions which have supervisory regimes disposed to regular constructive engagement are required to regularly explain to their supervisors the structure of their business. This has resulted in firms creating internal organisation charts, business plans and detailed legal entity mapping. A substantial section of annual reports and accounts are also dedicated to explaining the structure of the business to investors.
In a heavily regulated sector such as financial services, firms are responsible for ensuring that licences and permissions attached to legal entities are appropriate for the business being conducted. In Hong Kong, for example, firms should ensure that new business activities do not breach any conditions imposed on an entity’s licence or, for those firms with unconditional licences, they should still consider whether any new activities fall within the scope of the business plan originally submitted to the Securities and Futures Commission (SFC) and, if not, they should notify the SFC. In the UK, the Financial Conduct Authority (FCA) is taking a ‘use it or lose it’ approach to regulatory permissions – permissions not utilised for at least 12 months should be rescinded. Furthermore, failing to have the right permissions in the UK may call into question the firm’s compliance with threshold conditions for authorisation and individuals’ compliance with their responsibilities under the UK Senior Managers & Certification Regime (SM&CR).
Our team has extensive experience working across a range of businesses, from large established international banks, investment firms and insurers to new market entrants. Across borders or within local markets, from the traditional to the novel and innovative, we have a proven track record of working in step with our clients to efficiently and effectively achieve optimum outcomes for the business, its clients, and regulators.
“Regulations grow at the same rate as weeds,” is a quote attributed to Norman Ralph Augustine US aerospace businessman and statesman. The financial services industry has certainly experienced an increase in regulatory change in the past 20 years. As the events which led up to the 2007/08 financial crisis gained pace, the banking sector was preoccupied with the implementation of the 2004 Basel Accord on bank capital standards, broadly known as Basel 2.
In the wake of the financial crisis, the industry spoke of the “regulatory tsunami” which it faced as policy makers scrambled to address the shortcomings which the crisis laid bare. Part of that regulatory tsunami was Basel 3, the 2010 successor to the pre-crisis accord. Basel 3 represented the cutting edge of collective regulatory policy making, but almost at the same time that regulators started working on it, the currents which would drive further, significant regulatory changes were swirling (almost) unnoticed as the domain name bitcoin.org was quietly registered in August 2008.
In 2020, many regulators put planned interventions on temporary hold as they juggled an unexpected pandemic and unprecedented public policy interventions. Moving into 2021 and with some reprioritisation underway, regulators are turning back to their pre-coronavirus agendas, including to respond to the impact which technology – including distributed ledger technology (DLT), cloud computing and machine learning – are having on financial services.
The direction of travel is clear – regulation and regulatory expectations will continue to grow, evolve and develop. It is not enough to simply keep pace with regulatory change; firms need to help shape the agenda. Those firms which can embed how they contribute to regulatory policy debates and engage with policymakers into how they make strategic decisions about running their business are more likely to thrive. There is a potential leadership and reputational dividend to be had from setting a good example in the regulated community.
Our regulatory credentials are best in class. Our people have deep insights into the regulatory agenda and regulatory policy making, gained from years spent in both the public sectors and in business. Our team offers a diversity of experience and perspectives which clients value. We gather insights from across our global footprint to inform our engagement with clients at a local and regional level, and we draw expertise from across our practice areas to offer the most valuable strategic insights for our clients.
Regulatory and industry thinking around systems resilience is well-developed. Disaster recovery and business continuity planning are well-established disciplines which have provided a solid base on which to build the specialist areas of cyber resilience, information security and data protection.
There is an irrefutably strong business case for striving beyond regulatory expectations when it comes to ensuring systems resilience; from safeguarding the physical security of data servers to protecting information held in the cloud. The regulatory enforcement and censures which would arise from getting it wrong are only part of the argument; the impact of significant loss events arising from, for example a ransomware attack, go far above and beyond a regulatory fine.
The regulators’ agendas on operational resilience find solid ground on systems resilience. Regulators acknowledge that they need more skilled resources to conduct robust supervision of new technologies, but the underlying policy principles have not significantly changed. The principles applicable to outsourcing arrangements that were defined a decade or more ago and contemplated a more ‘bricks and mortar’ arrangement, are those which underscore the more recent guidelines and rules on outsourcing to cloud. While there is some tailoring, the over-arching mantra of “technology neutral” is still clung to by regulators in many major financial services hubs.
We offer our clients perspective – we have seen where the regulators are coming from and where they are headed. We closely track and help shape the regulatory agenda, applying our insights drawn from experts in financial services law and regulation, technology, data and intellectual property.