Although a large percentage of financial services staff are currently working from home thanks to the Covid-19 pandemic – hunkered down with laptop, mobile phone and Zoom – it could be a mistake for individual firms to bring a bunker mentality to the recent consultation from the Basel Committee on Banking Supervision (BCBS), Principles for Operational Resilience.
Discussion about operational resilience was kicked off in 2018 by a discussion paper from the UK Financial Conduct Authority (FCA), followed by a consultation paper at the end of 2019 – just three months before many countries went into Covid-19 lockdown. However, the BCBS publication elevates the conversation to a global level. The challenges that initially moved regulators to develop the operational resilience theme – increased interconnectivity, complexity of operations, down to heightened risks e.g. cyber risk, third party risk, and concern about IT failures – have evolved and expanded significantly as a result of the pandemic.
Firms do not have to face either the enhancement of their operational resilience, or the demands of forthcoming regulatory requirements, on their own. Increased cooperation is no longer a regulatory wish, innovative initiatives are emerging. These challenges – and the solutions to them – are not really a source of competitive advantage for firms. In fact, if firms collaborated around operational resilience, it’s likely that important risks that firms face individually would be significantly reduced, making the financial system as a whole safer and sounder. Because of this, we are suggesting three key actions for the industry:
- Identify current operational resilience cooperation opportunities. While the Basel Committee and UK regulators have defined some key terms, there is an opportunity for the industry to co-operate and build out this emerging topic themselves, along with enablers, be it supporting data, taxonomies, or processes. Firms should be aiming to better understand existing best practice around operational resilience in light of emerging regulatory expectations. They also could bring their combined lived experience to operational resilience frameworks, policies, supporting data and processes in a practical and thoughtful way. By doing this, firms would be able to ensure that operational resilience delivers on its goal of keeping both individual organisations and the industry as a whole safe, whilst introducing unified regulatory dialogue.
- Clarify how operational resilience and operational risk interconnect. The BCBS paper is much more overt than the UK FCA’s documents about the relationship between these two disciplines. For example, in its consultation paper, the BCBS wrote that “in considering its operational resilience, a bank should take into account its overall risk appetite, risk capacity and risk profile.” Although operational resilience is thought of as a distinct area – the FCA talks about it as an outcome – it’s clear that these two disciplines are also somewhat entangled. As firms think about operational resilience, they might want to consider examining their existing risks and controls, possibly make adjustments to these, and develop new risks and controls. If they do this, there is also an opportunity for firms to work together to develop a common risk and control framework that interlinks operational risk and operational resilience in a way that enhances both disciplines, powered by a system of codified data points and taxonomies, not nebulous concepts too often lacking in pragmatism.
- Measure and benchmark operational resilience as an industry. Financial services firms could consider developing a common set of metrics around operational resilience risks and controls, to help them benchmark their own progress, as well as their success relative to their peers – and crucially learn from each organisation, connected in a network. Internally, a common set of benchmarks would enable employees across the entire enterprise to speak the same language around operational resilience, and align towards common goals. Having a common set of metrics within the financial services industry would also support the development of a benchmarking programme, as well as the further identification and implementation of best practices and new risks and controls. Additionally, such a programme could contribute significantly to the safety and soundness of the overall financial system, the protection of which is a key regulatory goal for operational resilience.
In summary, although Covid-19 has had the effect of atomising the financial services community in the short term, the industry’s response – in the form of enhanced operational resilience – could be strengthened by increased co-operation to develop solutions that would benefit firms, the financial system, and more broadly, society as a whole.