Building the UK Financial Sector’s Operational Resilience

After completing this reading, you should be able to:

• Describe operational resilience and describe threats and challenges to the operational resilience of a financial institution.
• Explain recommended principles, including tools and metrics, for maintaining strong operational resilience at financial institutions.
• Describe the potential consequences of business disruptions, including potential systemic risk impacts.
• Define impact tolerance; explain best practices and potential benefits for establishing the impact tolerance for a firm or a business process.

Operational Resilience, Threats and Challenges to the Operational Resilience of Financial Institutions

Operational Resilience

Operational resilience is defined as the ability of an organization to continue providing business services even in the event of adverse operational events by anticipating, preventing, recovering from, and adapting to such events.

Threats and Challenges to Building Operational Resilience

1. 1. Technical innovation: There is a rise in technology within the financial industry to automate the delivery and the use of financial services, e.g., Fintech. Fintech is utilized by firms to manage financial operations and processes by use of special software and smartphone applications. It also includes the use of crypto assets or even cryptocurrencies, e.g., the bitcoin. Crypto-assets, however, have negative implications on financial stability and cause interference in the proper functioning of payments as well as market infrastructures and affect monetary policies. These innovations create a more challenging environment, and it is difficult to identify the weakness among the interconnected digital systems.
   2. Changing behaviors: Most current institutions still use the older technology infrastructure that is more rigid. It requires specialized knowledge to maintain. Moreover, it is difficult to integrate with new technologies and processes; this poses a challenge in implementing risk and resilience requirements in technology; this increases the exposure to disruptive scenarios.
   3. Keeping pace: Increase in competition as well as customer demand are causing a need for more disruptive innovations and even faster innovation cycles. Also, the complexity of processes and infrastructure for product and services delivery is increasing, increasing the risk of imbalance between the time to market and resilience.
   4. Challenging environment: The growth in technology comes with new tricks by cyber attackers to attack and exploit firms’ vulnerabilities. It is challenging to prevent, detect, respond, and recover from these new cyber attacks.

1. System complexity: Institutions are finding it easy to outsource services, thus expanding their reliance on third parties or even fourth-parties (third parties’ third parties). There is a challenge gaining a comprehensive view of the firm’s third-party dependencies and exposure and assess the risk and resilience posture of all the parties.
2. Interconnectedness and sharing: Financial institutions are sharing more information and services broadly in most cases as part of government policy. This area is now prone to vulnerabilities and disruptions in another part of the ecosystem.

Recommended Principles, Tools and Metrics for Maintaining a Strong Operational Resilience at Financial Institutions

Regulatory Requirements, and Principles Relating to the Viability of Firms and FMIs

Management and governance: The Board plays a vital role in the management of a firm. Therefore, having an effective board is an essential requirement for any firm. Expectations are set to the Board and senior managers of firms and Financial Market Infrastructures (FMIs) by the supervisory bodies to ensure that business is done in support of the objectives, but more importantly, ensure continuous stability of the financial system. The Board should maintain access to the appropriate people with appropriate technical skills for executive jobs. For FMIs, the Principles for Financial Market Infrastructures (PFMIs) recommend that FMI boards should explicitly define the roles and responsibilities for dealing with operational risk and the operational risk-management framework.

Risk management: This should be responsible for all types of risk, including operational risk. Firms and FMIs should identify, monitor, and manage the risks they are likely to be exposed to; this includes threats like natural disasters, pandemics, cyber attacks as well as terrorism. FMIs should continuously assess the operational risks as they often change to make an analysis of potential vulnerabilities and find better defense techniques.

Internal controls: Boards and senior management should oversee and lead firms and financial institutions towards achieving the board-led strategy and direction. They must exercise appropriate oversight and ensure that their direction is being carried out. An effective internal control framework is, therefore, a requirement for prioritization, internal reporting, etc. The supervisory authorities require firms and FMIs to manage their affairs responsibly; this implies having adequate control systems in place. Effectiveness of internal controls ensures appropriate management of firms’ and FMIs’ core businesses and risk.

Business continuity and contingency planning: Supervisory authorities require firms and FMIs to have an appropriate contingency plan; this ensures that in case of disruptions, there are high chances of reducing their impact. Firms and FMIs are also expected to have a business continuity plan that explains how they are prepared to deal with disruptions and how to recover from them.

Outsourcing and critical service providers: In their oversight of key business operations, Boards and senior management put more focus on those outsourced activities to third-party providers. Outsourcing can help firms FMIs to manage risks more effectively and cheaply; however, it is also a source of risk. The Board and senior management should identify and understand the firms’ or FMI’s reliance on critical service providers. Existing rules expect dual-regulated firms to avoid introducing additional risk through outsourcing key business services. FMIs are required to ensure that outsourced and critical service providers meet the same requirements as internally provided services.

Communications plans: Having a communication plan during an operational disruption is essential to the supervisory authorities. They expect BC policies to include prompt and meaningful communication plans for both the internal and external parties and all stakeholders. A communication plan should address issues including how to get hold of key people, contact staff in charge of operations, customers, supervisory authorities, etc.

Tools and Metrics for Maintaining a Strong Operational Resilience in Financial Institutions

One way of ensuring operational resilience is by finding the impact tolerance of key business activities. Impact tolerance can be expressed by reference to specific outcomes and metrics; these metrics could include:

• The maximum tolerable duration;
• The volume of disruption, and
• The number of customers affected by the business disruption.

Supervisory authorities use several tools to review firms’or FMIs’risk management. These reviews target specific risks and are undertaken in several ways, including the use of questionnaires, simulations, experts’reports, etc.

Supervisory authorities employ several frameworks that assess the firms’and FMIs’capabilities. They include:

• Committee on payments and market infrastructures-international organization of securities commissions (CPMI-IOSCO) guidelines;
• National institute of standards and technology (NIST) cybersecurity framework;
• The national cyber-security centre (NCSC) cyber assessment framework; and
• G7 fundamental elements of cybersecurity.

Improving Operational Resilience

The following issues should be considered by Firms and FMIs repeatedly for effective and consistent operational resilience.

1. Identify: Firms and FMIs should identify their key business services and the amount of disruption that can be possible to be tolerated and under what circumstances.
2. Map: Firms and FMIs should map processes and systems that provide support for these key business services.
3. Assess: Firms and FMIs should assess how the failure of a single system or process may impact the business service.
4. Test: Firms and FMIs should test using disruptive scenarios, and by learning from experience that resilience meets the firm’s tolerance.
5. Invest: Firms and FMIs should invest in appropriate systems, oversight, and training to achieve the ability to respond to and recover from disruptions.
6. Communicate: Firms and FMIs should pass timely information to internal stakeholders, supervisory authorities, customers, market participants, and other counterparts.

Potential Consequences of Business Disruptions and Potential Systemic Risk Impacts

Business Disruptions

Business disruptions are disturbance that interrupts the occurrence of business activity or process due to a disruptive innovation or change.

Business Disruptions and their Potential Consequences

New business services: New business services could pose several challenges, including incompleteness or ambiguity; this may cause delays on the consumer end before the firm finally sorts the challenges. For instance, a bank’s loan application system failing to ask the relevant questions to clients leading to rejection of applications. Clients experience delays as the errors are being sorted.

Availability and integrity of existing business services: Existing business services may also pose challenges of their own. For example, a system error rendering some customers unable to make withdrawals due to incorrect balances. Sometimes the system may not allow customers to make any transactions at all.

Unauthorized access to market-sensitive data: Consider, for example, a systems failure revealing market-sensitive data disclosed by listed companies to all employees of a specific firm corporate liability insurer.

Availability of a vital link in a value chain: If a certain business service key process is disrupted, then there is a potential delay in the provision of the service by the firm. For instance, if a custody bank fails to confirm ownership of some assets at the right time, then there is a potential delay in asset valuation and thus delay in sales completion in the intended value date.

Systemic Risk

Systemic risk is the probability that a disruptive event at an individual firm level could cause severe instability or collapse of the industry or even the economy. It was a key contributor to the financial crisis of 2008-2009.

Systemic risk’s source can be in or outside the financial system or result from the interconnectedness of particular financial institutions and financial markets and their exposure to the real economy (Szpunar, 2012).

Allen and Carletti (2011) listed the following types of systemic risk:

• Common exposure to asset price bubbles, particularly real estate bubbles;
• Liquidity provision and mispricing of assets;
• Multiple equilibria and panics;
• Contagion;
• Sovereign default; and
• Currency mismatches in the banking system.

Potential Systemic Risk Impacts

Systemic risk has the following likely consequences:

1. The tendency for the concurrent increase in credit and liquidity risk exposure during the booms may be as a result of lower credit standards caused by increased competition in a boom.
2. A sharp decline in prices of assets across the market resulting from mass sales during a downturn may be due to overleveraged financial institutions being forced to liquidate an asset at a time when potential buyers are also troubled.
3. The interconnectedness between institutions serves as shock transmitting channels, for example, shock between the Systemic Important Financial Institutions (SIFIs). In case of risk at the level of a particular institution, e.g., credit, operational, liquidity, etc., it is created simultaneously at this level, and the individual institutions bear the costs.
4. When most constrained agents to borrow in a foreign currency, then the constraints are lifted. This leverage leads to high investments and consumption, which implies faster economic growth in times of no crisis if the agents make a profit from their investments. There is a systemic risk caused by currency mismatch since the exchange rate might experience large amounts of depreciation, which in turn can lead to generalized bankruptcies of domestically oriented borrowers with foreign currency-debts. Hence, currency mismatch can either lead to faster growth or a potential financial crisis (Ranciere et al. 2010).

Best Practices and Benefits for Establishing Impact Tolerance for a Firm or a Business Process

Impact Tolerance

Impact tolerance of a key business service is the maximum level of disruption that the business service can tolerate, including the maximum tolerable duration of the disruption. Impact tolerance is a planning tool that should assure firms that they will remain in operation even after a severe but plausible disruption.

Best Practices

Supervisory bodies advise firms to identify limitations that may cause prevent them from remaining within their defined impact tolerances. Supervisory authorities would require firms to be able to explain how they obtained impact tolerance for their business services, and its relationship with the objectives set out by the supervisory bodies.

Impact tolerance should be expressed clearly and be separated from risk appetite and recovery time objectives. Risk appetite defines a level of risk that the firm might be willing to go in order to achieve its objectives before it is necessary to reduce the risk. On the other hand, supervisory bodies require firms to show complementary approaches to obtaining impact tolerance, risk appetite, and risk recovery objectives and explain their relationships.

Benefits for Establishing Impact Tolerance

1. It helps firms to prioritize their investments and resource allocation. With impact tolerances in place for key business services, firms are able to understand the level of tolerance of each process and, depending on how important it is, making investments to the most critical processes to ensure their resilience.
2. It provides scope for when the firms are testing their resilience. Given that they know the impact tolerance of their key business services, it is therefore not wise to go beyond that as that would imply that level of disruption as it will shut the services down.
3. It provides a focal point for supervisory engagement. With a clear impact tolerance set at the business services level, it is possible to find alternative processing to remain within the impact tolerance level.
4. It helps firms implement policies that set priorities to some levels of services in the event of a disruption. The policies are set depending on the severity and the impact of the disruption.
5. Firms can analyze business service delivery for a longer time to provide information to their risk management. For instance, firms can record the number of disruptions in a particular year, the time the service was impaired, and the transactions disrupted.

Practice Question

Systemic risks negatively impact the financial industry in one of the following ways, which one?

A. A sharp decline in prices of assets across the market

B. A firm faces difficulty in integrating with new technologies and processes

C. Unauthorized access to market-sensitive data

D. None of the above

The correct answer is: A).

A sharp decline in prices of assets across the market results from mass sales during a downturn; this may be due to overleveraged financial institutions being forced to liquidate an asset at a time when potential buyers are also troubled.

B is incorrect: A firm faces difficulty in integrating with new technologies and processes in case of new technologies adopted by a firm; thus, it is not affected by systemic risks.

C is incorrect: Unauthorized access to market-sensitive data is a disruption caused by the failure of the firm’s software to manage privacy, but not affected by systemic risk.

D is incorrect.