Case Study: Investor Protection and Co ...
After completing this reading, you should be able to: Summarize important regulations designed... Read More
After completing this reading, you should be able to:
Operational resilience is defined as the ability of an organization to continue providing business services even in the event of adverse operational events by anticipating, preventing, recovering from, and adapting to such events.
Management and governance: The Board plays a vital role in the management of a firm. Therefore, having an effective board is an essential requirement for any firm. Expectations are set to the Board and senior managers of firms and Financial Market Infrastructures (FMIs) by the supervisory bodies to ensure that business is done in support of the objectives, but more importantly, ensure continuous stability of the financial system. The Board should maintain access to the appropriate people with appropriate technical skills for executive jobs. For FMIs, the Principles for Financial Market Infrastructures (PFMIs) recommend that FMI boards should explicitly define the roles and responsibilities for dealing with operational risk and the operational risk-management framework.
Risk management: This should be responsible for all types of risk, including operational risk. Firms and FMIs should identify, monitor, and manage the risks they are likely to be exposed to; this includes threats like natural disasters, pandemics, cyber attacks as well as terrorism. FMIs should continuously assess the operational risks as they often change to make an analysis of potential vulnerabilities and find better defense techniques.
Internal controls: Boards and senior management should oversee and lead firms and financial institutions towards achieving the board-led strategy and direction. They must exercise appropriate oversight and ensure that their direction is being carried out. An effective internal control framework is, therefore, a requirement for prioritization, internal reporting, etc. The supervisory authorities require firms and FMIs to manage their affairs responsibly; this implies having adequate control systems in place. Effectiveness of internal controls ensures appropriate management of firms’ and FMIs’ core businesses and risk.
Business continuity and contingency planning: Supervisory authorities require firms and FMIs to have an appropriate contingency plan; this ensures that in case of disruptions, there are high chances of reducing their impact. Firms and FMIs are also expected to have a business continuity plan that explains how they are prepared to deal with disruptions and how to recover from them.
Outsourcing and critical service providers: In their oversight of key business operations, Boards and senior management put more focus on those outsourced activities to third-party providers. Outsourcing can help firms FMIs to manage risks more effectively and cheaply; however, it is also a source of risk. The Board and senior management should identify and understand the firms’ or FMI’s reliance on critical service providers. Existing rules expect dual-regulated firms to avoid introducing additional risk through outsourcing key business services. FMIs are required to ensure that outsourced and critical service providers meet the same requirements as internally provided services.
Communications plans: Having a communication plan during an operational disruption is essential to the supervisory authorities. They expect BC policies to include prompt and meaningful communication plans for both the internal and external parties and all stakeholders. A communication plan should address issues including how to get hold of key people, contact staff in charge of operations, customers, supervisory authorities, etc.
One way of ensuring operational resilience is by finding the impact tolerance of key business activities. Impact tolerance can be expressed by reference to specific outcomes and metrics; these metrics could include:
Supervisory authorities use several tools to review firms’or FMIs’risk management. These reviews target specific risks and are undertaken in several ways, including the use of questionnaires, simulations, experts’reports, etc.
Supervisory authorities employ several frameworks that assess the firms’and FMIs’capabilities. They include:
The following issues should be considered by Firms and FMIs repeatedly for effective and consistent operational resilience.
Business disruptions are disturbance that interrupts the occurrence of business activity or process due to a disruptive innovation or change.
New business services: New business services could pose several challenges, including incompleteness or ambiguity; this may cause delays on the consumer end before the firm finally sorts the challenges. For instance, a bank’s loan application system failing to ask the relevant questions to clients leading to rejection of applications. Clients experience delays as the errors are being sorted.
Availability and integrity of existing business services: Existing business services may also pose challenges of their own. For example, a system error rendering some customers unable to make withdrawals due to incorrect balances. Sometimes the system may not allow customers to make any transactions at all.
Unauthorized access to market-sensitive data: Consider, for example, a systems failure revealing market-sensitive data disclosed by listed companies to all employees of a specific firm corporate liability insurer.
Availability of a vital link in a value chain: If a certain business service key process is disrupted, then there is a potential delay in the provision of the service by the firm. For instance, if a custody bank fails to confirm ownership of some assets at the right time, then there is a potential delay in asset valuation and thus delay in sales completion in the intended value date.
Systemic risk is the probability that a disruptive event at an individual firm level could cause severe instability or collapse of the industry or even the economy. It was a key contributor to the financial crisis of 2008-2009.
Systemic risk’s source can be in or outside the financial system or result from the interconnectedness of particular financial institutions and financial markets and their exposure to the real economy (Szpunar, 2012).
Allen and Carletti (2011) listed the following types of systemic risk:
Systemic risk has the following likely consequences:
Impact tolerance of a key business service is the maximum level of disruption that the business service can tolerate, including the maximum tolerable duration of the disruption. Impact tolerance is a planning tool that should assure firms that they will remain in operation even after a severe but plausible disruption.
Supervisory bodies advise firms to identify limitations that may cause prevent them from remaining within their defined impact tolerances. Supervisory authorities would require firms to be able to explain how they obtained impact tolerance for their business services, and its relationship with the objectives set out by the supervisory bodies.
Impact tolerance should be expressed clearly and be separated from risk appetite and recovery time objectives. Risk appetite defines a level of risk that the firm might be willing to go in order to achieve its objectives before it is necessary to reduce the risk. On the other hand, supervisory bodies require firms to show complementary approaches to obtaining impact tolerance, risk appetite, and risk recovery objectives and explain their relationships.
Practice Question
Systemic risks negatively impact the financial industry in one of the following ways, which one?
A. A sharp decline in prices of assets across the market
B. A firm faces difficulty in integrating with new technologies and processes
C. Unauthorized access to market-sensitive data
D. None of the above
The correct answer is: A).
A sharp decline in prices of assets across the market results from mass sales during a downturn; this may be due to overleveraged financial institutions being forced to liquidate an asset at a time when potential buyers are also troubled.
B is incorrect: A firm faces difficulty in integrating with new technologies and processes in case of new technologies adopted by a firm; thus, it is not affected by systemic risks.
C is incorrect: Unauthorized access to market-sensitive data is a disruption caused by the failure of the firm’s software to manage privacy, but not affected by systemic risk.
D is incorrect.