Predicting Fraud by Investment Managers
After completing this reading, one should be able to: Explain the use and... Read More
Limited Time Offer: Save 10% on all 2022 Premium Study Packages with promo code: BLOG10
After completing this reading, you should be able to:
In the past few years, there has been a lot of effort to promote operational resilience among financial institutions around the world. Most of the proposals have been designed to improve the operational resilience of firms and market infrastructures firms (FMIs), protect consumers, the wider financial sector, and the economy from the impact of operational disruptions. The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England (‘the Bank’), which are collectively termed ‘the supervisory authorities,” have all been at the forefront in these efforts.
In 2018, the supervisory authorities published a joint Discussion Paper on Operational Resilience that out an approach to operational resilience. The paper marked the start of large-scale consultations among stakeholders that ultimately led to a formal policy document. The goal of these policies is to ensure that firms and FMIs will improve their operational resilience to be able to respond effectively if a disruption does occur. This chapter summarizes the key policy proposals
One of the key policy proposals revolves around the need for firms and FMIs to identify important business services. According to the PRA, here’s the definition of an important business service:
A service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:
The FCA has a differently worded definition, which goes as follows:
A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
Impact tolerance refers to the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption. By setting impact tolerances, firms are able to determine the point at which intolerable harm occurs to consumers or a risk is posed to the orderly functioning of the financial markets. Thus, by anticipating scenarios in which harm may occur, firms can operate within their impact tolerances. This approach is premised on the idea that setting impact tolerances helps boards and senior management prepare for inevitable disruptions regardless of their likelihood, instead of merely trying to minimize the probability of disruptions. In addition to protecting consumers, it also ensures the market’s overall resilience.
For PRA-FCA Dual-Regulated Firms, the following are the best practices for impact tolerance:
To nurture a culture of operational resilience marked by strict adherence to impact tolerance levels and accountability, firms and FMIs must first identify their important business services. An important business service is one that is provided by the firm, or by a third party on its behalf, to its clients. Crucially, this excludes internal functions, such as human resources or payroll. The FCA and PRA argue that if internal services were to be defined as important business services on a standalone basis, this would effectively expand the coverage of this policy, and the importance of external services could be reduced.
Below are some general considerations that could help firms identify their important business services:
As part of the policy, firms and FMIs must set and implement operational resilience standards that are consistent with the public interest as represented by supervisory authorities’ objectives. Firms and FMIs should focus on their important business services and ensure they have the ability to remain within impact tolerances in severe but plausible (or extreme) scenarios. To stay within their impact tolerances, firms will be required to map the resources, people, processes, technology, and facilities required to deliver important services, regardless of whether they rely on third parties to provide these services.
In the context of operational resilience, mapping is the process by which a firm of FMI develops a holistic view of the systems and processes that support its business services, including those systems and processes that it does not control directly. It’s marked by identifying and documenting the necessary people, processes, technology, facilities, and information (referred to as resources) required to deliver each important business service. In their proposals, the supervisory authorities state that mapping will allow firms and FMIs to understand how their key business services are delivered and how a disruption might come about. According to the proposals, firms and FMIs are expected to map only their important business services rather than all business services.
Mapping should have the following outcomes:
For example, mapping can help reveal whether there’s resource concentration risk where the firm relies too much on a single resource. It could also highlight business areas with limited substitutability of resources or single points of failure. However, the supervisory authorities stop short of prescribing a mapping methodology for all firms. Instead, firms are encouraged to develop their own methodology based on their specific needs and document their mapping according to their size, scale, and complexity.
The purpose of scenario testing is to evaluate whether a firm or FMI can remain within its impact tolerance for each of its important business services in the event of a severe (or extreme in the case of an FMI) but plausible disruption. If a firm conducts scenario testing, it should identify a variety of adverse circumstances of varying nature, severity, and duration that are relevant to the firm’s business and risk profile and identify the risks that these circumstances pose to the delivery of the firm’s important business services. When preparing severe/extreme but plausible scenarios, firms and FMIs may consider past incidents or near misses within the organization, across the financial sector, as well as in other sectors and jurisdictions.
It should be noted that impact tolerances assume a disruption has occurred. In light of this, scenario testing should not be focused on preventing incidents from occurring or determining the likelihood of an incident occurring. Rather, the focus should be on what must be done to continue the delivery of an important business service, assuming a disruption has occurred.
Operational resilience must be integrated into a firm’s risk management and business continuity processes in order to ensure its effectiveness. A key role for the board and senior management is to direct, evaluate, and monitor this operational resilience framework. For the best results, governance arrangements and reporting lines need to be given adequate consideration by firms. For example, firms might wish to consider whether their operational resilience strategy should be an initiative led by the risk management team or by the IT department.
Each firm’s board is specifically responsible for approving the key business services identified and establishing impact tolerances for each of them. Firms’ boards have to approve and regularly review their important business services, impact tolerances, and self-assessments. While board members need not be technical experts on operational resilience, the PRA expects them to have access to adequate management information. Additionally, boards should possess sufficient knowledge, skills, and experience that will enable them to issue constructive challenges to senior management and help them make decisions that will positively impact operational resilience. Currently, many requirements exist for a firm’s governance of operational resilience. Boards of directors and senior managers also have personal and collective responsibilities and accountability requirements. The supervisory authorities expect firms and FMIs to continue to meet their obligations under these existing requirements.
All firms’ senior management should be aware of their responsibilities and accountability, according to good practices in general governance and the Senior Managers and Certification Regime (SM&CR). Clearly defining the roles and responsibilities for managing operational resilience is a key aspect of this process. Using existing committees or establishing new ones as necessary, firms should structure oversight of operational resilience in a way that is appropriate and effective for their businesses. There must be a clear delegation of responsibilities when people and systems are involved in supporting an important business service.
Impact tolerance differs from risk appetite in that it assumes that a particular risk has crystallized instead of considering its likelihood and impact. The ability to remain within a firm’s impact tolerance increases its ability to withstand severe but plausible disruptions, but firms are likely to exceed their risk appetites in these scenarios. Impact tolerances are set based solely on the implications for financial stability, safety and soundness, and, in the case of insurers, the level of protection of policyholders. Defining the board’s risk appetite and impact tolerance can create a better risk oversight and will help senior management know what the board expects of them in terms of business and strategic decisions. As a result, management would be encouraged to take more risks and allocate resources in a more effective, risk-proportional manner, ensuring the best return on investment possible.
The heat map presented below depicts impact and likelihood levels, where the Y-axis represents the impact scale and the X-axis, the likelihood scale.
Green, yellow, and red illustrate the firm’s appetite towards disruption at different levels of impact and likelihood.
The impact tolerance line assumes disruption has occurred, so it is indifferent to likelihood. The green, yellow, and red zones are not related to the impact tolerance.
According to the PRA, banks should have “adequate contingency and business continuity plans” to ensure that they can continue to operate in the event of a severe interruption. Similarly, an insurer must take reasonable measures to ensure continuity and regularity in the conduct of its activities, including developing contingency plans. By incorporating these requirements and the PRA’s operational resilience policy, firms can enhance their response and recovery capabilities.
According to the PRA, when firms outsource functions to third parties, they remain responsible for those functions. According to the PRA’s operational resilience policy, firms should be operationally resilient irrespective of how they utilize outsourcing and third-party services. Firms must ensure that their ability to deliver their important business services within their impact tolerances isn’t compromised by partnering with external providers or other entities within their group.
After completing this reading, one should be able to: Explain the use and... Read More
After completing this reading, you should be able to: Define cyber risk and... Read More
After completing this reading, you should be able to: Explain the distinctions between... Read More