Series 2 Episode 9: Operational resilience – the end of the beginning

Andrew Strange:

Hi everyone, and welcome to our latest Risk & Regulation Rundown podcast. I’m Andrew Strange, your regular host, and as usual, we are recording remotely, so please note this might impact the quality of the sound. In today's episode we are discussing operational resilience, a key pillar of the regulatory regime. I am delighted to be joined by Adam Stage, who leads PwC’s regulatory insights on operational resilience around the globe; and Kelechi Igboko, a Director who leads the operational resilience work we deliver to a range of our clients. Operational resilience has been near the top of regulators and firms’ agendas for some years now. We recently had final policy statements from the regulator, which I am sure we will talk about in more detail later on, but firstly, Adam, do you want to just start by setting the scene for us in terms of what the wider policy landscape looks like and how we got to where we are today?

Adam Stage:

Thanks Andrew, the timing of this podcast has worked really well, because there's been a lot of activity recently. At the end of March, we saw a flurry of papers come from the UK, 12 in total from the FCA, the PRA and the Bank of England, all on operational resilience, as well as a couple more on third-party risk management from the PRA. We also got on the 31st of March, a couple of papers from Basel. The Basel Committee on Banking Supervision published their final principles on operational resilience alongside their updated principles on the sound management of operational risk. So 16 papers in three days at the end of March, all on operational resilience.

How did we get here? Well, this podcast isn’t intended to be a full history lesson, but a quick potted history: the idea of operational resilience as a concept was created really in 2018 through the UK joint authority discussion paper. Since then, we've seen all around the world different standard setters and national competent authorities start to develop their own views on operational resilience and we will cover some of those today. For anyone who picks up any of those 12 papers on resilience from the UK on the 29th of March, it should all have felt pretty familiar from what you've seen over the last couple of years. The concepts introduced at the start around the idea of important business services, so these are services that are delivered to external end users, to clients, that's still central to this. The idea of setting standards of resilience, so impact tolerances as they're referred to, is also still there. Mapping scenario testing, so firms’ ability to test whether they can stay within the standards of resilience to really help prepare for when the inevitable happens. These are all still central to the theme. What we have seen, though, in this latest set of papers, is some really helpful clarifications from all of the UK authorities, as well as some examples which really bring to life what could otherwise feel like quite alien concepts to people when they engage with it for the first time. So lots of activity recently, and there is still more to come if we start to think about the European agenda as well.

Andrew:

Well, I was going to ask about that Adam because your potted history there talks about 12 papers from the UK perspective and some international bodies, but is there a European angle to this or has Brexit pretty much made that all irrelevant?

Adam:

No there very much is a European angle, but it's a slightly different beast. You are right, I focused on the UK and Basel, mainly because of the recent papers. I might also mention on a tangent the US paper - at the end of last year, this was the end of September or October, we saw a joint paper from the federal agencies. The Federal Reserve Board, the OCC, and the FDIC over in the US, published a paper on the sound practices of operational resilience. It was focused on banks, in fact it was focused on the largest and most complex banks, and it was a collection of papers, principles, good practice, things that already exist in their eyes. The reason why I mention that is because the UK, the US and Basel, they are all looking at resilience through this end-to-end lens. In the UK, we talk about important business services, and that has a focus on services that go to clients, and that could have an impact if disrupted on a firm's safety and soundness, or on financial stability, or on the clients themselves. In the US and Basel, they focus more on safety and soundness and financial stability, but it's the same sort of thing, it's critical operations and those things that you deliver externally that could have an impact on safety and soundness, and stability.

The European paper, and this is for anyone who's heard the familiar term, DORA, which isn't a name, but is an acronym, the Digital Operational Resilience Act. That is a slightly different beast, I would characterise that as being a natural evolution of the work that, say, the European Banking Authority, the EBA, has been doing in recent years on outsourcing and ICT guidelines. Of course, the others, EIOPA and ESMA, have also been developing guidelines, but a little bit behind, so that's why I refer to the EBA here. DORA is effectively focusing on technology resilience, ICT resilience. It talks about technology and it talks about third parties in the main, and aside from those two concepts, it does get into things like testing, but it's really around sort of penetration testing. Specific assets testing, rather than the testing of a service for a client that fails, and what do you do, and what are your plan B and plan C around that. I would characterise the Europe paper is being much more about advancing and evolving your existing risk management and harmonising that across the 22,000 firms that are in scope. Whereas the UK, the Basel and US papers for me are much more about this service view, and a more rounded approach, not just looking at technology, data and third parties, but also looking at people, and the premises and footprints that firms use to deliver those services.

Andrew:

Thanks Adam. Putting aside any terrible puns I can put in here about exploring DORA, you talk about 20,000 or 22,000 European firms there, from a sector perspective, is it all UK firms that need to take account of this, is it all 60,000 FCA firms or is it fewer?

Adam:

No, it's not. I don't think the final policy papers gave an exact number, but the consultation papers were talking around 2,000 firms. These are primarily what we would call dual regulated firms, so those firms that have both PRA and FCA supervision. You're thinking about credit institutions, banks, building societies, Solvency II firms. The FCA then also adds to that a large number, around 1,000 firms that are subject to the Payment Services Regulations or the E-money Regulations. Then it also includes things like enhanced scope Senior Managers & Certification Regime (SM&CR) firms. These firms could be in any financial services sector, but they've been deemed under the methodology for determining which SMR and SM&CR firm you are, they’ve been determined as being enhanced. Talking to firms across the whole industry, there will be people, there will be firms touching every sector, but ultimately, it's 2,000, which is a relatively small number out of the 60,000-odd that the FCA regulates in total.

Andrew:

By definition, the enhanced ones being pretty sizable firms and clearly the more complex ones on the whole, but that's really helpful Adam, thank you, great context.

Kelechi, can I bring you in here - we've had these final policy statements from the regulators, what's your take on the headline messages from them, and what practically do firms need to do to begin to comply?

Kelechi Igboko:

Thank you, Andrew. I'll start with timescales. There is a 12-month implementation period starting from March 2021, where firms need to have identified their important business services, set impact tolerances, which is effectively how much disruption they can accept, and identify their vulnerabilities with these important business services. Now following that, firms will have up to three years, the transitional period, where they will take the steps to address or fix those vulnerabilities they’ve found, which would allow them to remain within their impact tolerance as soon as it is practicable, but the aim is to be in full compliance by March 2025.

Generally these requirements have always been there, in terms of the consultation paper, but what's softened slightly with the new policies, is the expectation from the regulator in terms of the level of sophistication of certain activities like mapping and scenario testing that needs to be done to allow you to meet these key requirements. What does level of sophistication mean? It's still subjective, but ultimately it means that there is a little less pressure from firms, it's not heavily prescriptive and they are allowed to take a proportionate approach to how they go about this, which is actually do as much work as you need to do to identify what's important, set your standards for them, work out what's wrong, which will allow you to fix it in the future.

Practically what do firms need to do? One of the things I will say is, try as much as possible to leverage what you already have. Many firms have risk frameworks in place, and we are talking about the risk of disruption to your critical services. Your operational risk framework should have things that you can reuse. Firms are already doing work around business continuity, crisis management, and reporting. The extent to which you can take those existing capabilities framework, disciplines and reuse them to make your resilience framework stronger and more effective, can only be a plus. The only other thing I'll mention as well that has come through from the policy, is around the concept of prevention versus response. In the past, there was a heavy weighting towards the response and recovery side of resilience, so what you do when things go wrong. Now I feel there is a bit more of a rebalancing of the focus, where it's just as important to try and prevent incidents or withstand incidents when they do happen as it is to be able to respond and recover from them having gone wrong.

Andrew:

Thank you, that's really helpful, although really quite complex. In terms of your experience and what you're seeing with our clients, how are firms tackling this and are there any really interesting examples of particular challenges you've seen, or indeed particularly good practice that you could share with our listeners?

Kelechi:

What I would say is, it takes longer, and it's probably more complex and harder than people think it is. For firms that have started on this journey already using the guidance from the consultation paper, and prior to that the discussion paper, they have found the activities like setting tolerances and mapping, it just always takes longer than you plan it to. What I'll say is, start early, and look to learn, and refine and iterate over time. The regulator expects that as well. The concept of saying you don't have to do it to the Nth level of sophistication means that there is an opportunity for firms to try it out, experiment and learn over time.

How are firms doing this? Well, one that has come through quite popularly is a concept of doing pilots, which is effectively firms are taking one important business service and following it through the full process from setting the tolerances for them, doing the end-to-end mapping, identifying vulnerabilities, doing the testing; and therefore, setting the plan for how to fix them. Once you do a pilot, you learn how it works, what the challenges are, and you can refine and make it better as you roll out to others. We found that firms that have taken this approach, have found it to be lot more efficient when rolling it out to the other services. I’ve found a step change in terms of the rate at which they can make progress.

The other thing I'll say is collaboration is really key. Now the regulators have mentioned that they expect best practice to emerge over time. I would say firms shouldn't try to do this in silos. This is not one where you have all the knowledge internally to get it right yourself. There has to be a thing about speaking to your colleagues, speaking to your peers and understanding what they're doing, what's worked for others, what's not; how people define their business services, how granular are they going, how granular are they not going, how does your impact tolerance compare to the others? Am I going for a day, when my peers are going for four days? That effectively would mean that the industry starts collectively to move towards a norm, but there is lots of learning to happen there. We have seen this happen in a number of ways. Some of the resources that are available out there: there is the operational resilience collaboration group, which is a cross-sector full industry group, where organisations and FS firms have come together to say, ‘let's collaborate on this’. There's a LinkedIn group out there, it’s worth looking out for them, because there is a wealth of knowledge coming out of that.

Actually, specific sectors are doing things for themselves via the associations. For example, the Investment Association does work around impact tolerances and important business services for wealth managers. Similarly, we have the Building Societies Association, where building societies are collaborating to get to a common view of what's important for them and some of the standards that it should be setting. Locally, what's interesting, I’ve found some local groups or hubs emerging based on size and geography. A number of my building society clients across the north have started to come together to share insights and collaborate on this topic of operational resilience. What we are finding is these local hubs, where people are working together to try and solve this conundrum together, and I think it's working.

Andrew:

Thanks Kelechi, and it's really interesting to hear about that regional hub approach and firms collaborating together. I don't think we see enough of that from firms, so that's really good to hear as a live example. Adam, earlier on in the podcast, you briefly touched upon the third-party risk aspects, and there was a paper published at the same time as the policy statements, a supervisory statement from the PRA. Can you talk us through the key messages from that please?

Adam:

Sure Andrew, and it's easy perhaps when there are 12 other papers on resilience to forget that there were a couple of key papers on third party. You are right that it was the PRA that did this. So far we haven't seen anything from the FCA. Previously they've said that they weren't going to be making changes, this time they are suggesting they are keeping the door open, so they are going to carry on working with the PRA, and if they feel they need to make updates to their handbook than they will do, but at the moment this is just in scope for PRA firms.

Really what the PRA has sought to do is to refresh their approach to outsourcing and wider third-party risk management. It's about embedding the guidelines released by the EBA several years ago on outsourcing and also on ICT risk management, and reflecting things like the EIOPA cloud outsourcing guidelines. But also crucially, it's about linking the concept of how firms manage their arrangements with third parties, with their broader operational resilience. The two go hand in hand. Often when people think about third parties, they may think, we are just talking about external vendors, so other firms or other organisations. But of course the complexity of many financial services firms, means there are intragroup relationships here. This might just be a service that you're getting from elsewhere within the group, and that also needs to be appropriately risk managed and thought about.

What are the key messages from the papers? Well, again per the resilience papers, we've seen some good clarifications from the PRA responding to many questions that the firms came back with. There is a key change on the timeline. Whereas up till now firms have been working to the EBA guidelines, and the final deadline was actually by the end of this year, so by the 31 December 2021 firms were supposed to have remediated all of their legacy contracts in line with the refreshed EBA outsourcing guidelines.

The PRA has pushed that back now. What they've gone back to firms and said is that by 31 March 2022, any new or amended arrangements that have been put in place need to be under the new expectations via the supervisory statement. Then, after 31 March 2022 any other legacy arrangements that haven't been updated at that point should be addressed at the earliest opportunity. That does give firms some quite important breathing room there, but as I said, aside from the timeline the other key message really is just how much the third-party paper draws in on the operational resilience one. Whereas the EBA outsourcing guidelines focus very much on outsourcing, the PRA recognises that firms could have non-outsourcing third-party arrangements that are material, they are really important to how they deliver important business services under the Operational resilience regime. So of course it's important that firms apply appropriate risk management to those, even though they are not outsourcing. It does get firms to think about wider third-party arrangements and not just outsourcing. I would say that's a key difference.

Andrew:

As somebody who works in asset management that outsourcing and reliance on parts of your group, is clearly something I am very familiar with, but what are the major challenges that firms are actually going to face from that Adam?

Adam:

If I think about what we hear firms struggle with at the moment - there's an oft-quoted one around contractual terms. Clearly, through the new expectations that, first of all the EBA and now the PRA have expanded upon, they require regulated firms to have the right permissions and transparency, visibility in place of what third parties are doing. There’s a phrase that you can outsource services, but you can't outsource responsibility. They have some very high expectations of what regulated firms do in managing third parties, but trying to convince often quite large firms, quite large third-party providers to change common standard contractual terms is not easy.

So actually, there is a challenge to get them on the right level. Now, the PRA have acknowledged this in their recent paper, and they’ve said to firms, that look if you find that your third parties are unable or unwilling to make some of these amendments, then you should notify us at the earliest opportunity. They acknowledge the practical constraints that firms face. Maybe another challenge is around the visibility of the whole supply chain. We are talking about third parties, but in many cases third parties may subcontract out to fourth or fifth parties, etc. Whilst firms are not necessarily required to monitor fourth parties directly, they are required to ensure that third parties are managing the chain appropriately. It is also worth noting that there could be higher concentration risk if you started to look at some common fourth parties that firms were using. Visibility of exactly what’s going on in the supply chain and ensuring that your third parties are managing those subcontracts is another practical challenge.

Andrew:

Thanks Adams, so an awful lot of work for firms to be getting on with there. While operational resilience is really important as an area of regulatory focus, it is clearly only one of the things that is a competing priority for our clients at the moment. Certainly, I can think of things like the Investment Firm Prudential Regime, which must have links into the operational resilience agenda as well, but there must be other things we’ve talked about today and other initiatives that firms need to think about too. The old phrase of trying to dig up the road only once makes sense, if you’re trying to minimise the time and effort you put into dealing with multiple regulatory challenges.

Kelechi, can I come to you first, where are you seeing particular links between operational resilience and other regulatory challenges?

Kelechi:

Thanks Andrew, you make a fair point, there is a lot to do, and the way to go about it will be to drive, look for ways to be efficient, and to leverage, and to align. I will pick up on two specific things that firms need to look out for. One of them is operational risk. Now firms have to manage operational risk, they have got risk frameworks and everything else. If you think about resilience as being the way to manage the risk to disruption of critical services or important business services, then being able to reuse existing risk frameworks to inform your operational resilience approach - that could be things like your risk and control processes, your self-assessments, your risk matrixes, the way you assess impacts, to therefore determine what is critical, based on the impacts if you lose that service - all of these things are opportunities for you to leverage what you’ve got in your existing risk framework in the form of operational resilience. But it also goes both ways. Operational resilience provides a real opportunity for firms to refocus the approach to risk management. Risk management should focus on your most important or your most critical services, processes, things in general. What resilience does is that it allows risk professionals to almost add that additional robustness to what they do, because there is a real reason for why it’s being done. So operational risk and operational resilience are two areas where there is opportunity for alignment.

We also get a lot of questions from clients about how operational resilience links to operational continuity and resolution, or OCIR. Now these two have slightly different objectives. One focusses on ensuring that normal operations can continue if there is a disruption, while the other one is focussed on enabling continuity and smooth transition when a firm moves into recovery and resolution. That said, there are significant overlaps between the both of them and there is a need for constant narrative across the both of them. Now, if you are going to talk to the PRA about OCIR, you need to be talking in the same terms, you need to be talking about the same things, or presenting the same view as you have done for resilience. Your important business services should align with your concept of critical functions and critical business lines from an OCIR perspective. There is an opportunity as well to reuse some of the content and some of the work that has been done around mapping what’s important, identifying important business services, and setting standards when you are doing your OCIR.

I would say, from an efficiency perspective, from an alignment and effectiveness perspective, there is a real opportunity to make sure OCIR and operational resilience are fully aligned.

Andrew:

Yes, I would agree with that, and certainly I am seeing a lot more cross referencing almost in certain regulatory initiatives to other regulatory initiatives, where that consistency is what the regulator is expecting in the way you articulate a report on certain topics.

Adam, in terms of other regulatory initiatives that you see, are there any other links that you would like to draw out?

Adam:

Kelechi has covered the two main ones, but perhaps the other aspect I would like to call out is around vulnerable customers and harm. It is one of the questions we get asked a lot by clients, which is, how do we define intolerable harm? And it comes in when firms are trying to set their impact tolerances. As Kelechi said earlier, this is around the maximum level of disruption that could be tolerated through the eyes of the client, through the eyes of your firm, and through the markets that you serve. But trying to work out the red line, where does something go from being, by definition tolerable harm into intolerable harm, is really difficult. The FCA published a good paper on vulnerability recently and that was the subject of a previous podcast Andrew that you’ve done. When we talk to firms about this, we encourage them to think about vulnerability through the different regulatory concepts that are at play here. What does that mean? When they are working out which business services are important for them, they need to think about the nature of the client base and within that they need to think about vulnerability characteristics. When you get on to setting impact tolerances and you are thinking about harm and you are thinking about intolerable harm, again you ought to think about the impact that disruption could have on the different cohorts of clients that you have for that service, but also it is really important when it gets into scenario testing. Once you’ve assumed that a disruption has happened and now the whole point is about preparing and practising your response, so it becomes second nature in the event that it does happen. Is it appropriate there to identify customers that maybe are vulnerable if you have the ability to do so, and to then be able to perhaps expedite or treat differently those customer responses, because of the situation that they find themselves in.

It is definitely a theme that carries through the resilience paper. I would say that, given the FCA’s recent vulnerability paper, this is still very much live in firms at the moment. I don’t there is a well-developed view on it, but it is absolutely the right question for firms to be asking, which is, as we prepare for and we start to practice how we respond to disruption, what should that look like when we start to think about different types of customers, and in particular, vulnerable customers.

Andrew:

Thanks Adam, and I am biased, but you are right, we did do an excellent podcast on vulnerability very recently, which I am sure some of our listeners will have tuned into previously but is available for those who didn’t hear it.

The issues we’ve talked about today are clearly a combination of a good few years worth of regulatory work. I get a sense that to an extent it is over to firms really to implement and tackle these particular challenges now themselves, but I would just like to end by asking you, what does the future look like for operational resilience, and what is the ultimate impact of the policy going to be on firms and on the broader financial services market? Kelechi, let’s start with you.

Kelechi:

I will just steal a quote from one of my clients, who says, ‘this is how you should be running your business’. The aim of your day-to-day operations should be consistent, continuous, stable operations, where you minimise impacts to customers and the market. While the requirements for resilience may seem onerous for firms at first, we need to remember why we are doing this. We are doing this to minimise harm to customers, we are doing this to facilitate stability and integrity of the market. The objectives for resilience should absolutely be aligned with the objectives for running the firm. The firms that embrace this and do this properly, would effectively benefit, because it could be a source of competitive advantage. It means that you have smooth, seamless services. It means that you have fewer disruptions, which effectively will cost less in the long run for you as a firm, it means that you can attract and retain customers and everything else. For me, the lasting impact of this would hopefully be a change in, or a shift in culture across the sector, where there is a bit more ownership and awareness of the importance of resilience, which can only be a good thing. Ultimately, it should end up being the way we just do business, which is focus on treating customers right by maintaining seamless, smooth and resilient services.

Andrew:

Adam, what are your thoughts?

Adam:

I will complement Kelechi’s view where he has focussed on the commercial side, and that’s absolutely right. There are commercial drivers here, even if it’s the regulators who have perhaps encouraged firms to move in a certain direction, but if I just take that regulatory lens then in complement. There is a quote from a recent meeting I attended, where someone said, this was not the beginning of the end, but the end of the beginning.

Kelechi described earlier the timeframe the operational resilience policies are working to, to the end of March 2025, but that’s not everything. At the moment, what firms need to do is very clear. They have an implementation period, and they will be driving a lot of activity over this next 12 months, and the three years after that, but this is about how firms do business from here on in. This is not a short-term fad, this is about recalibrating how to work. From a supervisory perspective, I would expect in the next year or so, the supervisors will be looking at what firms are doing individually. As time goes on, you will start to see them compare and contrast perspectives that are coming from similar firms. Over time, you will see them start to build up this wider, sort of sector-wide, and hopefully industry-wide view, you start to see the systemic risks at play here, and you start to look for commonalities, and in particular outliers. It is there where we will start to see changes and driving the real benefits, where we are challenging, or the supervisors are challenging firms’ status quo and thinking about how to address things for the future.

They were called the final policies, policy statements, supervisory statements, but this is absolutely not the end, this is really the start of the next chapter for firms.

Andrew:

Thank you both, and from the end of the beginning to the end of our podcast, that was another really great discussion. It has been fascinating to hear about how firms are approaching this key regulatory topic, and it has been a long time in the making. To our listeners, I hope you’ve also found this episode really helpful. Please do subscribe to future episodes and rate and review this series as it really helps other people to find us. I will be back next month with our next episode.