Operational Resilience within the UK Financial Services Sector has come under the spotlight following recent high-profile media reporting of harm caused to consumers and other market participants following challenges associated with an increasingly hostile cyber environment and a number of large scale technology changes. The reporting of operational incidents has more than doubled in the last year, in part driven by new regulation. However, there are concerns that many incidents go unreported due to a risk of reputational damage, and that the reported figure should in fact be significantly larger.
The regulatory response to the increasing challenges with Operational Resilience has been swift and coordinated, with an initial discussion paper jointly published by the Bank of England, The Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) in July 2018. The Regulators acknowledge in this paper that some outages are inevitable and hence financial institutions must “increase [their] focus on back-up plans, responses and recovery options”.
in November 2018, the Treasury Select Committee (TSC) and chair Nicky Morgan launched an inquiry intoIT failures in the financial services sector citing that “The number of IT failures at banks and other financial institutions in recent years is astonishing.” The inquiry is multi-faceted covering for example the quality of technical documentation, outsourcing’s impact on operational resilience, common causes of operational incidents, and the risks brought about by old complex legacy system architecture.
In parallel to the launch of the TSC inquiry, the FCA published survey results from 296 financial institutions which identified four key areas of concern: (1) core skill gaps within senior management, (2) over-confidence in the firm’s own change management capability, (3) challenges coupled with the management of third-party vendors, and (4) the growing threat from cyber security.
The move towards an updated regulatory approach to Operational Resilience is taking place in the context of increased personal accountability of senior managers as part of the FCA’s Senior Manager & Certification Regime (SMCR). Banks and PRA-designated investment firms have been subject to the SMCR since March 2016.
In December 2018, the SMCR was extended to cover all PRA- and FCA-regulated insurance and reinsurance firms. A key tenet of the SMCR is the personal accountability and responsibility for the resilience of an organisation by those individuals registered as Senior Managers. Additionally, a consideration specific to insurance is the need to ensure that policyholders are appropriately protected and with the recent challenges around platform upgrades and outages in the sector, we expect this to be an area of scrutiny for the Regulators.
Insurance companies also saw updates to the PRA’s approach to Insurance Supervision in October 2018. These updates include a requirement for insurers to document tolerances, to test against severe but plausible scenarios and to ensure that resources are appropriately skilled, particularly in senior and high-risk positions.
The move away from avoiding outages and focusing on systems recognising that outages are likely to occur, and the identification of critical business services impacted by these outages is significant. Organisations need to plan responses to outages that minimises the impact on the customers (FCA) and economic stability (PRA), considering not only technology, but also operational aspects, the governance and assurance of these service (including 3rd party vendors) and how to effectively manage communications to its customers, the public, its suppliers and the relevant authorities.
By focusing on business services, rather than the resilience of for example specific systems, the Regulators hope that the end-user will be less impacted from unforeseen outages. The paper does not provide specific examples of what a critical business service could be for an insurer, but it does state that it could, for example, constitute the “delivery and management of particular loan or insurance products”. For example, firms may wish to consider whether customers being unable to reach their car insurance provider for road-side emergency support, obtaining immediate assistance in instances of flooding, burglary, or failure to secure support in case of acute illness, etc. might constitute critical business services, particularly in the case of more vulnerable customers. Real-time access to investments is another area where asset managers and insurers are likely to see significant focus.
In conclusion, within insurance and asset management, operational resilience is of increasing importance for policyholders, advisers and the Regulators and there are significant risks associated with taking a reactive approach to shoring up resilience. A proactive short-term assessment to look at resilience across the business as well as a top-down approach to ownership and accountability is a great first step towards actively managing risks associated with a failure to take operational resilience seriously.
“Last year’s discussion paper from the PRA and FCA made it clear how serious both regulators now are about the risks to operational resilience in addition to financial resilience.
Insurance firms are already taking steps to address these risks and to ensure a robust and resilience organisation which can help mitigate the risks to individual customer harm and to the financial system at large. But there is still more to do.
So it is encouraging to see the range of initiatives and solutions on the market in this area. And with our members, the ABI will continue to engage with both the PRA and FCA as well as other policymakers as this area develops in the months and indeed years ahead.”
- Steven Findlay, Assistant Director, Head of Prudential Regulation, Association of British Insurers (ABI)
Operational resilience will be the focus of a half-day event at the ABI on 1 October: Maintaining your company’s operational resilience in the face of disruption.
About the authors:
Johanna Hellstrom, Senior Managing Consultant - FSS Finance Risk & Fraud, IBM
Johanna is an experienced finance professional working for IBM Business Consulting in the Financial Services team where she leads on risk and compliance for insurance with particular focus on operational resilience. Johanna has developed solutions and strategies to tackle several high-profile regulatory challenges over the years with a recent focus on IFRS 17 and GDPR. She is a chartered accountant with CIMA.
Tim Bourne, IBM UK Risk and Compliance leader for Financial Services
Tim is the UKI Risk and Compliance Consulting Lead for UKI, and part of the IBM Interactive Experience practice for Customer Experience and Design. He specialises in shaping and delivering the creative, scientific and strategy focused elements of GBS engagements with our Financial Services clients across Europe. He combines together customer experience, business consultancy, change management, risk/regulatory knowledge and technology skills, to guide our clients through the complex change agenda facing the financial services industry, especially due to Operational Resilience. He has 17 plus years of experience in consulting for IBM Global Business Services, and has built up in-depth knowledge in managing and architecting large transformational engagements across many FSS lines of business, functions and channels.
Clare Seah, IBM uk life pensions wealth strategy leader