Post 2008, the tide of regulation has been relentless, albeit necessary. For a long time, the banks made money despite themselves – the subsequent catalogue of failures and issues to be addressed is well documented. The ‘regulatory burden’ is in many quarters viewed as a continued brake on economic growth as banks’ ability to oil the wheels of the real economy is stifled by the need to hold ever-more risk capital, constraining the ability to leverage balance sheet and confining RoE to the mid-teens. This is an international matter, with the argument giving weight to a growing tide of opinion State-side calling for the repeal of the Dodd Frank Act. I have some sympathy with this, but at the same time, I continue to be surprised by the lack of fundamental good practice that is embedded within the banks and other financial institutions. Recently we’ve seen both ING and Danske in the news for systemic KYC / AML failures. Out of sector, but sounding an alarm bell, is the recently-reported data breach impacting the British Airways website where over 300,000 credit card records have purportedly been compromised.
Taking this backdrop into account, the Bank of England (‘the Bank’) and the Financial Policy Committee has for some time been focused on end-to-end Operational Resilience – this is not about being able to evidence the recovery of a system out-of-hours in a controlled Disaster Recovery / Business Continuity test scenario. This is about understanding the end-to-end value chain both within the regulated perimeter (banks, insurance companies, fund managers, exchanges, clearing houses etc.) and third-parties that sit outside this perimeter but provide and/or support critical services to these regulated entities. It’s about understanding the complex inter-connected dependencies and potential impact on the real economy. In this respect, Payments, Clearing, Settlement and Custody and Safekeeping functions are a significant area of interest given the systemic risk and potential impact.
The Bank is currently formulating a view on the regulated and unregulated landscape and at the same time reaching out to a number of firms to determine how Operational Resilience is managed not only to understand where potential ‘hot spots’ exist but also the level of maturity and what good looks like. On this latter point, frameworks such as CBEST are being referenced from a Cyber Security perspective. Similarly, adopting stress testing from other sectors is also front-of-mind: using software such as Chaos Monkey to arbitrarily disrupt critical processes intra-day in a live, Production environment for example.
Ultimately, the Bank views Operational Resilience as the next regulatory pillar and work is being formulated to define a number of stress test scenarios which a sample number of firms will be invited to participate in during 2019. During 2020, the regulatory framework for Operational Resilience will be framed in the Prudential Rule Book.
This future regulatory pillar is fast approaching and will align to other regulatory regimes including the Senior Manager Regime whereby Operational Resilience will become a Board-level accountability, Recovery and Resolution Planning and Regulatory Data Aggregation: data lineage is a critical component in fully understanding holistic risks and being able to mitigate exposures as part of an end-to-end value chain assessment.
Other key components to consider as part of any Operational Resilience assessment include:
- The service delivery model and associated service commitments
- The operating model, of particular significance given the move to cross-functional horizontal models as opposed to vertical siloed models
- Data lifecycle governance model – sourcing, ownership, cleansing, enrichment, publication, entitlement, consumption and retention of data for example
- Management of third-party vendors and service providers, including SYSC8 regulatory considerations
- Technology – Virtualisation, ‘on-prem’ versus Cloud, along with Cyber Security
- ‘Off-system’ activities i.e. where processes are reliant on spreadsheets, Access databases, manual interventions.
Per my opening remarks, many view Regulation as a burden but in many instances this mindset is coloured by old-school thinking whereby regulatory compliance is seen as a necessary evil best addressed through retrospective checks and balances. The regulatory framework and landscape in which banks and other financial and non-financial entities now operate is far more seamless and joined-up. Operational Resilience is arguably the culmination of all what’s gone before – SMR, GDPR, FATCA, RDA. In adopting a holistic, proactive approach to Regulatory requirements and embedding risk, control and compliance within the front-to-back operating model (including cultural aspects such as ways of working), supported by requisite MI and data analytics, there is a significant prize to be won in terms of cost, efficiency, advocacy, and engagement. This ultimately is about Operational Excellence: doing things at the right time in the right way.