Raising the bar on operational resilience

The UK Financial Conduct Authority’s (FCA’s) operational resilience guidelines set clear expectations for how financial firms should strengthen their resilience against operational disruptions. But how are firms faring in meeting these goals?

The FCA’s Building operational resilience rules required firms, including banks, building societies and insurers, to identify their important business services, and the potential impacts beyond their own interests, by March 2022.

At a session on resilience at OpRisk Europe 2023, Anna Mazzone, head of risk business for Europe, the Middle East and Africa at ServiceNow, sat down with the FCA’s head of secondary market oversight, Jamie Bell, to find out what progress has been made, where further work was needed and what tools were available to help firms achieve greater efficiency in the process.
 

Anna Mazzone: What priorities does the regulator want to see from organisations throughout 2023 and 2024?

Jamie Bell: We expect firms to have been implementing their self-assessment approach from March 2022, to have considered what their important business services are and to have impact tolerances for those in train.

We’ve seen some firms take existing tools and import those into their self-assessment frameworks. That can be a reasonable first approach, but we would stress that the operational resilience framework is designed to identify important business services. In that sense, it is narrower than your corporate framework. We are asking firms to prioritise what will have the greatest impact on the market and on the customer.

It will help with your business and, ultimately, confidence in the market. We need firms to show their whole working out. That’s incredibly important.

 

Vendors can provide invaluable insight from the thousands of relationships they have with firms, and bring a lot to the party. But you are responsible for your risks – you understand your business better than everybody else and it’s up to you to control that relationship.

Jamie Bell, UK Financial Conduct Authority

Anna Mazzone: Firms have been investing in improvements to their end-to-end resilience processes, which is driving down the cost of compliance. Is that something the regulator was expecting?

Jamie Bell: Yes, we were. We have an eye on compliance costs and it’s important that we’re consistent.

The operational resilience framework invites firms to prioritise the most important things and think carefully, and quite deeply, about those that have the greatest market impact. Of course, that will also help you with other things – such as consumer duty or demonstrating you have robust testing controls, for example, in times of market crisis.

Regulation will likely drive down costs across compliance because we expect a common thread across a number of regulatory interventions, which all require the same kinds of thinking and analysis.
 

Anna Mazzone: Can you outline the resilience concerns keeping you awake at night?

Jamie Bell: It’s mainly what gets firms into trouble. My day job is market abuse – where we find firms that have real problems, firms that are failing and sometimes end up in enforcement, and also have very outdated risk assessments. We have found examples of firms that haven’t updated their market abuse risk assessments since 2018 when the second Markets in Financial Instruments Directive came in.

Clearly, if you’re in that situation, you don’t have a handle on your risks and you don’t have a good handle on your business, because a process has happened in the middle of it. That’s a big red flag for the FCA. Weak or ineffective communication between the front office and second line is a key red flag.
 

Anna Mazzone: Further regulation is planned in this area, particularly around third-party risk management. How does the FCA view critical third-party requirements?

Jamie Bell: You can outsource a function but you can’t outsource the risks. We see problems with firms … that place undue reliance on their vendors to manage their risks for them. It’s your responsibility to tailor the products and your own business processes to be the key risks in your organisation.

The vendor can help you. We aren’t against outsourcing. Vendors can provide invaluable insight from the thousands of relationships they have with firms, and bring a lot to the party. But you are responsible for your risks, you understand your business better than everybody else and it’s up to you to control that relationship.

 

Firms have been investing in improvements to their end-to-end resilience processes, which is driving down their cost of compliance.

Anna Mazzone, ServiceNow

Anna Mazzone: How does the FCA think firms can start to deliver on regulatory compliance along with operational efficiency?

Jamie Bell: There’s a very strong business rationale for focusing appropriate resources on these things and it will help you achieve operational efficiency. It will challenge firms to think more medium to long term about where their capital should be invested. That has to be a good thing.

Financial institutions are enormously complex, with operations spread across the world and key business lines being fragmented across different jurisdictions. As risk managers, that’s an incredibly difficult thing to get your head around. But taking the lead in this area has enabled firms to think about a common structure in a way they didn’t need to before, and that has helped with the integration of their businesses.
 

Anna Mazzone: Firms are using artificial intelligence (AI) in new ways that can support operational resilience. How is the FCA approaching this topic?

Jamie Bell: We want firms to be able to use AI and don’t want to be an obstacle to its acceleration. Regulatory accountability is a really important thing, so firms can’t hide behind a black box. What that means for supervisors is a very interesting question. One of the purposes of being involved with the first sandboxes will be to engage with the industry about how we can effectively supervise AI in the future.

Again, outsourcing is a massive issue in the AI space for us – If you’ve outsourced to a firm using AI, the technology is proprietary and you may not get easy access to it. So we need to understand how that relationship is going to evolve over time.

You may see AI making simplistic and not necessarily correct decisions, which, alongside social media [manipulation], does worry me within the market space.

How you train your AI and put safeguards in place to prevent a co-ordinated irrational response to events is an [interesting challenge].

AI has enormous potential to drive down costs in the industry and the FCA, as a regulator, should welcome that.

Sponsored content