RESEARCH REPORT

In brief

In brief

  • In response to FCA CP19/32, we agree with the UK regulator: Financial firms should view operational resilience as on par with financial resilience.
  • To meet expectations, firms may need to bring all hands on deck and incorporate benchmarking plus pandemic learnings to put a front foot forward.
  • Our response highlights where pursuing compliance can also enhance business outcomes for financial firms.


Financial firms should view operational resilience on a par with financial resilience—this was a clear expectation from UK regulators when they launched industry consultation,1 including the Financial Conduct Authority’s consultation paper 19/32 (FCA CP19/32), on this topic in late 2019.

The COVID-19 pandemic reinforces this prioritization. As financial firms experience spikes in phishing attacks2 and as remote working emerges as the new norm, the business imperative of operational resilience is rising—and so should the regulatory momentum.

A well-designed approach to embedding operational resilience can not only meet new requirements, but also enhance business outcomes.

The scope of operational resilience is broad. In the United Kingdom, mandatory rules expected following the consultation would apply to the entire financial sector: banks, insurers, financial market infrastructures (FMIs) and asset managers. The rules proposed range from enhancing board oversight and identifying important business services, to setting impact tolerances for disruption and testing them against disruptive scenarios.

Meeting regulatory expectations on operational resilience should require a concerted effort from across the organization—from the board and c-suite to technology, risk and operations teams. Firms should put themselves on the front foot and start planning based on the lessons from the pandemic, benchmarking across peers, as well as with clarity over the business implications of regulatory demands.

Our response to the industry consultation explores key areas of regulatory expectations, weighing their impact on a variety of business functions and organizational structures in financial services. Here are areas where firms can marry their compliance agenda with business outcomes:

Board oversight

Regulatory expectations focus on embedding resilience as part of the board culture, and better equipping board and management teams to strive toward continuity of critical business services. This presents firms an opportunity to improve governance by coordinating responsibilities across the enterprise.

Important business services

As COVID-19 triggers seismic shifts to business and operating models, firms can evaluate important business services to be sure they balance granularity, relevance and flexibility. They can review the full chain of activities, plus dependencies on third parties, and re-assess elements critical to service delivery.

Impact tolerance

Meeting a stated tolerance at a service level, and on an end-to-end process basis, would require a step-change in approach far beyond ticking a compliance checklist. To get there, firms can consider a combination of metrics such as the duration of downtime, volume and value affected, to help reduce customer impact from service disruptions.

Scenario development and testing

The pandemic highlights a need to place equal weight on technology risks and people risks. Firms should incorporate learnings from scenario development and recalibrate scenarios to place more emphasis on human factors. They can also focus on testing and exercising to mitigate threats from people, processes, resources and third-party suppliers.

Third-party risks

The pandemic shines a light on third parties, many of whom helped firms—particularly smaller ones—adapt quickly. COVID-19 also shows how material risks can arise from more “analogue” channels such as people risks, locational footprint and offshoring operations. These reinforce the need for a robust contractual framework.

View All

Make operational resilience your business outcome

A well-designed approach to cultivating operational resilience should not only meet new requirements, but also enhance business outcomes. Doing so requires an end-to-end upgrade of resilience capabilities from framework, architecture and analytics, to communication plans, training and culture.

To help planning and prioritization, firms should review their response during the pandemic crisis and benchmark readiness across peers. We suggest the following steps to get started:

  • Harness the real-life stress test: The pandemic has stress tested even the most prepared organizations. Response and recovery can be challenging, but that journey provides a chance to reinvent and reinforce operational resiliency capabilities.
  • Embrace operational resiliency: A holistic approach that is cross-functional and scenario-driven helps organizations shift from a reactive to proactive resiliency posture, one that reduces disruption and leads to improved sustainability, increased customer loyalty and regulatory compliance.
  • Define the path forward: Given the broad scope of operational resilience, it is important that firms start planning now to define their operational resiliency target state and build an implementable road map to the future.

Accenture’s Operational Resilience diagnostic tool considers regulatory criteria alongside industry lessons from the pandemic crisis to provide an up-to-date maturity assessment. Contact our team to learn more about how we can help your business enhance its operational resilience.

References:

1“Building operational resilience: Impact tolerances for important business services”, Bank of England and the Financial Conduct Authority.

2“UK financial scams surge during coronavirus lockdown”, Financial Times, August 19, 2020.

About the Authors

Heather Adams

Managing Director – Strategy & Consulting


Rafael Gomes

Managing Director – Strategy & Consulting


Claire Aldworth

Senior Manager – Finance & Risk


Jason Reading

Director – Technology Risk & Assurance


Kuangyi Wei

Director – Strategy & Consulting

MORE ON THIS TOPIC

Defining the risk function’s sphere of control
Financial services cyber resilience: Room to grow

Subscription Center
Stay in the know with our newsletter Stay in the know with our newsletter