Series 4 Episode 2: Reaping the rewards of Operational Resilience

In this episode, host Andrew Strange analyses the Operational Resilience regulatory agenda alongside two expert guests. Duncan Scott, from PwC’s Crisis and Resilience practice, and Paul Williams, a specialist adviser on Operational Resilience for PwC, join the podcast to take a look at the regulatory landscape, the challenges facing firms, and the importance of embedding resilience in an increasingly volatile environment.

Our experts also give their view on the future outlook for regulation in the UK and globally, the expectations of supervisors, and what this means for firms seeking to achieve resilience.


Transcript

Andrew Strange: Hi, everyone, and welcome to our latest episode of Risk and Regulation Rundown giving you the latest insights and analysis on hot topics in financial services risk and regulation. I'm Andrew Strange and I lead our financial services regulatory insights team, and I'm your usual host. In this month's episode we're going to be talking about the operational resilience agenda. With increased regulatory scrutiny over the last number of years, and recent economic and market conditions reminding us of the volatility that firms can face, we're going to explore what's new in this area. Today, I'm joined by two guests, Duncan Scott from PwC's crisis and resilience practice, and Paul Williams, a specialist adviser on operational resilience for PwC, and formerly from the PRA. Hello to you both.

Paul Williams: Hello.

Duncan Scott: Hello.

Andrew: So, Paul, let me start with you first. As I mentioned at the top, you've had experience of working on both sides of the operational resilience regulatory process, developing the rules as a regulator, and then also working with clients to help implement them. Let's start with your regulator hat. Do you just want to take a moment to remind our listeners of the history of operational resilience, where it came from, what problems regulators were trying to fix, the key requirements, and I'm sure all the firms are totally on top of this, but maybe just a reminder of the deadlines and timelines that people should be working to?

Paul: Okay, will do. So, I guess the roots of this go back almost a decade actually. We started to see increasing numbers of operational failures, mainly within banks. So, the roots are probably within the banking sector specifically. Operational failures that were occurring within firms that were having significant external impacts on customers or markets. That was sufficient, let's remember, to prompt Parliament, and the Treasury Select Committee to conduct a review into IT failures in the banking sector, which ran alongside the policy development work that we were doing. And that was despite the existence of a number of existing non-financial risk management requirements that firms had, IT risk management, business continuity risk management, operational risk management. So, the observation was that despite all of those things already existing a further public policy intervention was required in order to get firms thinking about non-financial risk, or operational resilience in a slightly different way. That was the purpose of the policy. The two key dates associated with its implementation.

The first was March '22 where firms needed to have established essentially a baseline analytical and reporting capability that helped them understand where they had gaps in their operational resilience through the lens of that policy. Then March '25, which is where firms should have then plugged all of the gaps that were identified by that previous reporting deadline.

Andrew: Okay, so we're very much in the middle of that at the moment. So, this is therefore very topical, I agree. So, I mean, let's pick up on a few things that you mentioned there, and let's go into a bit more detail. Can you give us your perspectives on the policy approach that regulators have taken on this, and crucially, I guess, for firms, what are some of the challenges you've seen with this approach?

Paul: There are two key things to note, I guess. One is that no two firms are going to be the same in terms of where they are on their operational resilience journey, and the challenges that they face. There are many challenges. It's a complex problem covering a number of areas. The vertical silos, if you like, of people, property, technology, third parties, are all areas that firms will need to address as part of implementing an operational resilience approach. So, it's very difficult to prescribe how you fix that problem in detail. It's fortunate then that the UK financial services regulatory approach is one that's based on principles and outcomes rather than standards per se. The defining characteristic I think of this policy is it is very principles and outcomes based. In fact, it's probably one of the most principles and outcomes based policies that the UK regulators have issued in a very long time. That's relevant for firms, particularly where there are various ways of addressing this, because it creates the space for firms to stop, to think, to reflect, and to innovate, and to implement a solution which works best for them. Of course, the downside of that approach is it requires firms to stop, to think, to innovate, and to work out what works best for them. So, where firms might be predisposed to a regulatory compliance based approach they're going to run into challenges with that.

Andrew: Yes, some creative thinking rather than box ticking is certainly going to be part of that. Okay, that's interesting. I mean, clearly at the moment in the current market we're seeing some volatility. So, I think it is pretty obvious that some global events and crises are making life pretty challenging for firms. Duncan, what is it about the nature of the environment right now that makes it even more disruptive, and therefore crucial that firms embrace operational resilience?

Duncan: I think you started to make the point there already, Andrew. It's a really disrupted time at the moment and this comes from someone who started their career at the pop of the dot com bubble, lived through the financial crisis.

Andrew: It's your fault then.

Duncan: Not specifically my fault, but I've seen quite a lot over the years. Looking at the last five or six years I would say I haven't seen this level of disruption in the previous fourteen, fifteen. So, as you mentioned, we've had the likes of Brexit, we've had to deal with COVID, the geopolitical issues of late, and then the market volatility of right now. All of those things mean that firms have to be agile, and they need to be resilient. So, taking practical approaches to it is all important because it's a practical problem that needs solving. So, I mean, bring that a little bit further to life. In having conversations earlier this year with a lot of firms who are seeking to understand the impacts of geopolitical change, and volatility, actually relatively few, perhaps the minority of firms were using what they'd created and were starting to build around resilience to address those points. That's something that needs to change. So, as you asked the question, it is a really volatile time which brings even more emphasis on the need to be resilient.

Andrew: Okay, and clearly you've been talking to lots of our clients about this topic. I know you've been helping lots of our clients with it. What are you seeing from firms to date in responding to those regulatory requirements, and what are some of the areas of challenge that our firms have experienced, thinking particularly about some of those deadlines maybe that Paul mentioned?

Duncan: Yes, so I think on the positive side of things, I think the nature of what it means to be resilient and thinking about what is most important actually is an intuitive concept. It makes a lot of sense. Actually, in 2018 when Paul and his colleagues launched the discussion paper, firms actually started working at that point, which I think, Andrew, you and I have worked on various regulations over time, that doesn't always happen.

Andrew: Not at all. Not even when the final rules come out really.

Duncan: Yes. Well, it's more brinkmanship, and hoping it might get pushed out, and there'll be delays. In this case it made sense because it has a commercial imperative alongside a regulatory one. So, on the good side, firms engaged with it and recognised some of those benefits. The challenges, however, are some of those restraining factors within firms around feeling it is a compliance exercise and something that needs to be box ticked as you mention. That doesn't lead to the right sort of outcomes here. Paul and I often talk to clients about being focused on outcomes, and what that actually means. By taking a compliance based approach you really fail to deliver those benefits. Some of the other challenges are around getting that ownership in the first line of the organisation. For those that own the most important services to feel accountable. The challenge there is that they're revenue generating, they're focused on developing the organisation, and actually the operational delivery has largely been a shared responsibility. It remains shared, but there's a focal point for it now, and that's one of the changes that exists.

Actually, one of the bits of feedback we've had across the industry, and we've seen, is that there is quite a lot of reliance on existing testing measures without making the step change towards operational resilience-based testing. So, what that means is business continuity is something that people will spring back towards, or they will look at operational risk type testing, so ICAP, and others, at the expense of really focusing on operational resilience, and those scenarios that are going to cause them problems to respond to and are actually going to be more enlightening.

Andrew: Okay. It's interesting when I think about some of the recent podcasts we've done around things like consumer duty, where again it's avoiding that compliance tick box approach, and actually thinking about the outcomes of what you're trying to achieve. That's really interesting. So, I mean, to all those lovely people out there listening to this podcast, what advice do you have for them? What are some of the key things they should be focused on? I don't mind who goes first on that.

Paul: Why don't I go first? So, I think it's important to just reflect on the previous points that Duncan and I have both made, and this comes up in lots of the conversations we have with clients at the moment, which is lots of the client questions are always, what does the regulator want? When have we done sufficient testing? Have we got the granularity of important business services right? What's the right answer to the impact tolerance question? The answers to all of these questions are probably best answered with another question, at least that's what's likely to happen if you ask supervisors those questions, which is, 'Well, why do you think this is the right answer as a firm?' So, my advice to firms is to put yourself, as far as you are able, into the minds of the regulator, and think about the problem they were trying to fix. This was a thoughtful intervention, public policy intervention, to try and set out some cornerstone concepts that firms should pick up on, which will allow them to fundamentally think differently about non-financial risk within their firm and how it's managed.

The temptation will be to focus on policy compliance obviously, and you're going to have to lean against that, and focus on your journey from an operational resilience point of view and recognise there are many ways of addressing this problem. You've got to think thoughtfully about that and be prepared to engage with supervisors in a way that allows you to demonstrate how you've really taken this to the heart of your business. So, supervisors will be really alert to any sniff that this looks like regulatory compliance and actually, will be asking leading questions to try and see has this really been taken to the heart of how you think about non-financial risk within your firm in the long-term.

Andrew: Yes, I agree. Duncan, is there anything you want to add to that?

Duncan: Yes, just a couple of quick points I would say. So, one is that there has been a lot of work in the industry to get to the point that we're at now. So, identifying what's important, setting impact tolerances, and many of those things. Actually, those in and of themselves don't create resilience. They're a lens to place over your organisation to understand how it operates if you think about the mapping element of it, or the point at which intolerable harm could manifest. Actually, they don't change the dial. They don't make the step change that the regulators were seeking to achieve on their own. It's the next step that does, and that is investment decision making, and using insight from that information. I think there's a slight disconnect in some cases where work has been done, methodologies created, frameworks that exist that are embedding, but they're not actually driving resilience as an agenda for firms. So, really focusing on that, and what happens next is what's really important. Then allied to that is the fact that Paul has spoken about this March '25 deadline, that's going to be upon us sooner than we think. It's going to come very fast, and to bring that further to front of mind is the fact that that's probably two investment cycles for firms.

Andrew: Yes, barely.

Duncan: Unless they change their way of operating, which some firms have done in response to this. So, it's had quite far-reaching implications for firms, but two investment cycles, it's a very short time in banking.

Andrew: Yes, it is. That's very interesting. I'm also drawn slightly here to Paul's point around the, because you referenced it a couple of times, the public policy agenda that sits behind this as well. This isn't just a regulatory own initiative type thing. Actually, there are multiple levels to this in terms of public policy objectives, regulators doing stuff, and then as you say, Duncan, it's the first stage is one, and then going that extra step as well. So, it's really multi-level compared to some of the more traditional compliance type topics that we've maybe covered on this podcast before. So, it feels very different. A bit scary, but different. I don't like change, that's what it is. So, I mean, clearly a lot of our clients obviously have presence in the UK, but this must be something that people are thinking about globally, you know, the global financial crisis, I think the clue is in the title. So, there must be an international angle to this that firms are also having to think about. Is there any particular progress in other jurisdictions that's interesting for us in terms of operational resilience, and to what extent has there been any coordination on this, or are we seeing that slightly awkward divergent approach?

Duncan: Well, perhaps I can give a bit of an overview, and Paul might want to add a bit around that, sort of, convergence and the dialogue between regulators. I'm really fortunate in the fact that I get to chair a particular group across the PwC network of FS operational resilience specialists. So, we've got people from, sort of, fourteen, fifteen countries that come together to talk about operational resilience. So, we get a good perspective on this subject. I think the things that I would pick up on are that actually there's a surprising level of harmonisation internationally from my own perspective. I'm surprised quite by where we've got to. There are some differences, and I'll highlight those, but in general there's an understanding that this is about outcomes as we've emphasised many times, and there are different ways of getting there, but some similarities. So, the differences perhaps is worth pulling on. So, if you think about somewhere like the UK and Ireland where they have very similar approaches, Ireland having followed the UK's approach, there's a big focus on the consumer, and harm on the basis of being focused on conduct agendas.

In some other locations actually that part is less prevalent, and it's more about the safety and soundness of the firm, and the integrity of markets, which it is also the case in the UK and Ireland, but the emphasis is slightly less on consumers in other locations. The other differences that can come through as well are around the source of the regulation. So, in the UK it's stand-alone, or it's separate. It's very clear that it's operational resilience. In others, so if you look at Hong Kong, for example, it's weaved in through business continuity, and the same with the MAS in Singapore. So, it may just be that regulators are finding the easier way, or the path, to get that into their agendas in the right way, but what you can tell is that in the UK there's a step change being asked for. In others that may well still be the case, but it's perhaps not represented in quite the same way. One thing that has happened is by virtue of the UK going first, we've got first mover advantage, or that could be disadvantage depending on how it turns out. Everyone is looking to the UK for how it's working and operating, and largely looking to follow, or emulate, or change on that basis. So, it's an interesting time for us to innovate as Paul mentioned, to come up with ways of doing things that others can then look to leverage and use.

Andrew: It's interesting I think about the growth plan that we have in the UK from the UK government around financial services, and, you know, in September the growth plan specifically referenced the deregulatory agenda, for example. This doesn't feel like something where deregulation is going to be part of the answer though, you know, we're ahead of the curve. Actually, the safety and soundness of our market gives us a competitive advantage, and therefore it's going to remain important, if not be more important actually over time.

Duncan: I think as you expressed it, Andrew, the way we tend to look at this is that operational resilience isn't just its own specific regulation there to be ticked off. It is more like a wave of regulations. So, if you were to go back to the financial crisis the response was capital and liquidity based prudential regulation. Then as the regulators decoupled there was a strong consumer agenda. Now we're moving into the operational phase. So, it's at that level that the regulation operates rather than at a specific, 'You need to tick this one off.'

Paul: The strength of the regulation I think lies in its simplicity. There's a level of deceptive simplicity about it. That's why I think there's a high degree of international coordination, or consensus around operational resilience policy. Lots of jurisdictions will have their own business case if you like. They won't all have experienced the UK's banking technology resilience issues perhaps. The policy requirements have identified what you care most about, know how much disruption you could absorb, test that, change it, retest from it. It's all a bit motherhood and apple pie, isn't it? So, it's very difficult to look at that and say, 'Well, that's a bad thing to do.' Therefore, I think that's why it's easy to get international consensus. The devil's in the detail around how you actually implement that on a jurisdictional basis. Whilst you might see variations in how those requirements are articulated across jurisdictions, that will typically be either a product of the journey that those jurisdictions have been on, and how hard the resilience business case is biting, or the objectives, the statutory objectives, that are driving those regulatory agendas, and how they need to articulate them.

So, you know, if you compare the UK's operational resilience policy requirements with the Basel requirements, for example, which were very close together in terms of their implementation, there's nothing in the Basel requirement that contradicts what's in the UK requirement. They are articulated in quite a different way relative to that.

Andrew: Yes, okay, and we see that from international bodies, versus domestic regulators, and European regulators, and things in other areas too. Okay, interesting. I mean, so clearly lots already happened in this space in terms of regulation. I was thinking back, there was a paper we produced around impact tolerances which feels like it was about 200 years ago, but was probably only a few years ago. We've talked about the 2022 deadline, and obviously the 2025 deadline coming up, but what else is happening? I mean, what's the next couple of years look like in terms of regulation, and what should we expect to see from UK regulators?

Duncan: Two things come to mind from my point of view. One is already visible. There's an active discussion paper on critical third parties which is highly relevant to the overall topic of operational resilience. That's worth paying attention to. Although, I guess, the headline from that, from my point of view, is there is nothing in that discussion paper which alleviates the accountability on firms to do their own due diligence on third party assurance. So, firms should be careful when reading that, that they don't read too much into the objectives of that. That discussion paper, my reading of it, is very much about addressing the systemic concentration risk that's arising from the digitalisation and use of third parties across our industry. Then I think the second one is going to be how well our firms are doing on actually addressing what the policy is seeking, which is material improvements in firms' own self-awareness of their operational resilience capability and fixing the gaps that come from that. That's what supervisors will be seeking, and that's what the public opinion and appetite will be seeking. By the time we get to 2025, are we more resilient than we were?

So, expect supervisors to be doubling down on, it's all well and good talking about frameworks, and governance, and processes, and how you're thinking about it, the 'so what' of that will be really important, which is can you demonstrate that that's having a meaningful impact on the operational resilience of your firm particularly through the lens of externally delivered services.

Andrew: That's really interesting. I guess the other thing that springs to my mind is clearly in the Financial Services and Markets Bill we also have the potential ability of the Treasury to designate into the scope of the bank, and the FCA certain third party outsource functions too, which again, kind of, just expands that remit slightly more for the regulators, and I guess continues that focus. It's interesting. Okay, thank you both. I mean, typically at the end of these things I ask for just a very short, brief, final message from you, but, I mean, what one piece of advice, what one thought would you leave with our listeners today? Duncan, let's start with you?

Duncan: Well, I think my main point here is that the need to be resilient isn't going away, and in fact the case for being resilient is getting stronger than ever. It provides real benefits to firms. I think there's a need to embed what's been created, but not just do that, but live and make them sustainable. That's one of the biggest challenges we're finding across the market is making this work over time and exist well beyond 2025 when we get to that particular deadline. So, in a dynamic and challenging environment which we have here, responding well to disruption is going to be important, and in fact could well turn out to be a differentiator where others are failing and you're able to stay live.

Andrew: Brilliant. Paul?

Paul: It doesn't matter how enthusiastic or knowledgeable the practitioner, the operational resilience practitioners are within firms, there is only so far that those practitioners can take the organisation on the successful implementation of operational resilience, building on Duncan's point. That needs to be met with top-down executive level engagement on operational resilience to create the environment within which those practitioners can be successful. There's a heavy element of organisational culture about this. One of the innovations in the policy is a requirement to acknowledge that bad things will happen, failure is inevitable, if you like. Organisational cultures don't necessarily allow that to happen. In fact, might perversely incentivise not having those conversations. So, getting top-down engagement is really important. Then related to that I think those organisations that are going to be most successful will work out how to pivot this conversation from being what can instinctively be a very negative risk management-based conversation into an opportunistic conversation. So, how do you generate value, business agility, innovation from understanding your own organisation better, and having an operational resilience capability?

Andrew: Brilliant. Thank you. That's a great way to end on how we can turn this into a positive. So, thank you so much. Thank you both, that was a really interesting discussion. Clearly, a lot going on here. It's not going to disappear. So, I warn you now, you may well be invited back to another podcast over the next year or two to hear more about this. To our listeners, I hope you've also found this conversation really interesting today. As always, please subscribe to future episodes, and do rate and review the series as it helps others to find us. If you'd like to hear more from us on risk and regulation, please also look out for our regular publications on our website where you can also subscribe to our monthly newsletter on regulatory developments. We'll be back next month with our next episode. Thank you.