Operational resilience has become an increasingly important theme across financial services over the past few years. Highly publicised failures have caused widespread customer disruption and The FCA are quite rightly working to protect consumers in this space. As the number of threats to business seemingly increase – from geo-political tensions to ageing technology stacks – firms need to have processes in place to help overcome potential issues.
Whilst some of these threats could range from severe – for example, a state-sponsored hack, they can also vary to the more benign – such as an unfortunate power cut leading to complications in the tech stack. Firms such as banks and building societies need to manage and mitigate these risks to continue to service their customers.
The pandemic demonstrated why the industry needs to change its ways. The sudden shift to online away from the traditional in-person interaction meant, at times, the financial services industry was flailing, as legacy processes would not facilitate a change in operations. In essence, computer said no.
Before the pandemic struck, the FCA had started a consultation on how best to improve the UK's financial operational resilience. This followed several highly publicised failures, which the FCA wanted to stamp out and thereby increase consumer protection. From this, proposals in partnership with the Bank of England were created, and the PS21/3 directive was born to help measure operational resilience across UK financial services.
However, despite it being a laudable initiative, in my view, the directive could go further.
Out of scope, out of mind
An issue the legislation comes up against is that it only covers consumer-facing functions, i.e. it only measures the resilience of business areas that can potentially cause wide-reaching harm to consumers and pose a risk to market integrity. Everyone wants to treat customers fairly, but by only looking at customer interactions, other business areas that could also risk market integrity are overlooked as they're out of scope. Payroll, for example, wouldn't be included. However, if employees are not paid, that will undoubtedly put the operational resilience of firms into question.
Another potential problem is around clarity of the wording – meaning what firms do or don't have to report on is up for debate. Benchmarking requires a set of standards to measure against, and from my experience, it's always helpful to have a template to work to, as this ensures everyone measures the same thing. The FCA is set to receive thousands of responses, all in unique formats, measuring different metrics which firms deemed to be within scope. This will result in additional time and cost for the FCA and firms as specialists will likely be hired to help with submissions and evaluation.
From this, one surmises that the FCA will look for firms to introduce best practice principles, although there is a worry that financial firms will be terrified of being seen to cause harm to consumers without firm guidelines in place. To avoid this, we'll likely start seeing companies overcompensate or pay off missed payments from customers, i.e. incurring the cost themselves in order not to be seen as causing undue harm to their customers. The lack of measurement has the potential to cause a few headaches unless we move to a more solid system.
Why are we reinventing the wheel?
The FCA is doing the right thing in trying to improve operational resilience – it's vital to the industry and fair to consumers. We could benefit from looking outside the UK and financial services. Approaching this with a more international view might help drive standardisation. Let's not forget that this directive only covers UK operations, meaning parts of businesses operating abroad do not fall within the FCA's scope.
One idea would be to adopt ISO 2301 accreditation. It's internationally recognised (meaning all business areas, no matter their location, can benchmark) and also sets out measurements within firm parameters. So everyone will be measured on the same thing and in the same format.
This would also help the concept of operational resilience become less woolly. All business units could be incorporated, allowing the directive to be more comprehensive and have a lasting effect. Businesses will have to address issues holistically instead of partitioning off problems they deem in or out of scope.
But what can be done in the meantime?
At Target, we have embraced the directive and taken a bespoke approach, benchmarking operations against these four criteria to demonstrate operational resilience.
Does the service we offer to customers? :
- Lend money
- Collect money
- Would it cause 'intolerable harm' to the customer should that service stop? (This lends itself heavily to the 'treating customers fairly' guidelines, another core area for the FCA
- Does the service help maintain the company's market share? This is perhaps the most open to interpretation as it changes dramatically for individual companies based on size and what market they operate in, banking, mortgages, investments etc
In our view, operational resilience identifies important business services and then measures each against Business Continuity's criteria. This encompasses people, process, technology, site, information and third parties. We looked at the resilience for those areas and then assigned an impact tolerance, at which point the service no longer functioned. An impact tolerance can be anything dependent on the service, so it could be a financial tolerance score, a risk-based tolerance linked to risk appetite, or a time based on more traditional SLAs.
We then put this through its paces via testing. We pitted the important business services against 'plausible' scenarios. The purpose being to measure whether the tolerance had been breached. After this, we could implement lessons learned and fill in any gaps or vulnerabilities. We'll be doing this annually until 2025 when we'll be able to measure improvements since testing began.
Operational resilience also puts emphasis on stakeholder management, whether a vendor, third party or outsourcer. Anyone involved in enabling the service to function needs to be accountable, so time needs to be taken to get to the root of all processes, leaving no stone unturned. At Target, we're building a governance framework to help these actions progress and be appropriately monitored. This will then be reported to our Board.
I can't help but feel how this directive has been approached; full of good intentions, in practice will need refinement. It will likely lead to duplications of effort with business continuity, and the lack of consistent frame working means it may not deliver on its full potential. Whilst pivoting to ISO 2301 might cause short-term pain, it will bring about gains as it can deliver data points which will help the industry, as opposed to what is or is not deemed within scope.