The term “resilience” has been a much-used buzzword on the strategic radar of firms for some time now. Since March 2020, however, resiliency has moved from just the boardroom to the war room and sitting room, as Covid-19 has tested the resilience capabilities of businesses, governments and people alike.
Resilience is the adoption of a “bend, not break” mantra. Its dictionary definition is “the capacity to recover quickly from difficulties; toughness”.
Be it mental, physical or operational, the lessons learnt from the global devastation of Coronavirus have taught us that resilience is a “must”, and not a “nice to have”.
We have seen the resilience of the financial services industry pushed past breaking point as a result of the 2008 financial crisis, only to see it bounce back through governmental intervention and tough management decisions.
In the wake of the financial crisis, sensibility has prevailed, as companies and regulators put aside more provisions and prepared for worst-case scenarios. Emphasis on effective risk management and enhanced assurance activities also emerged, all in an attempt to increase capacity to recover quickly. 2020 has provided the acid test for this progress, determining whether firms’ preparedness and planning will navigate the difficulties and uncertainty of a global pandemic.
Operational resilience, as a concept, is about joining the dots and strengthening end-to-end services across silos, departments and disciplines. It connects several elements of risk management (including business continuity, cybersecurity, data protection and outsourcing) to address the end-to-end ability of an institution to provide a level of service that is acceptable (or tolerable) to its customers.
Emerging trends in regulation are focusing on accountability and responsibility, enabling the most appropriate stakeholders to drive and govern the risk management and resilience of their institutions, the services they provide and the markets they support. This is being underpinned by a shift in mindset to put the customer first and understand their tolerances and needs.
Within Europe, regulatory guidelines have been implemented in relation to outsourcing, ICT and security risk, and recovery and resolution planning, all with the aim of strengthening resilience across the financial market as a whole and drawing attention to its weakest links.
In the UK, consultation papers on operational resilience have been circulated, and final published guidelines are expected early this year on the requirements for end-to-end resilience of business services.
The European Commission published a legislative proposal in September 2020 – the Digital Operational Resilience Act. Outside of Europe, the US Fed published Sound Practices to strengthen Operational Resilience in October 2020, and the Basel Committee published a paper of 7 principles for Operational Resilience in August 2020.
The focus in Europe on the topic of resilience has leaned towards the digital agenda, set against a backdrop of:
The Digital Operational Resilience Act formed part of the European Commission’s Digital Finance Package designed to ensure financial stability and consumer protection while supporting innovation and a digitally competitive financial sector in the EU.
The European Commission’s Digital Operational Resilience Act (DORA) proposal outlines a comprehensive risk management framework to oversee financial institutions and address the fragmented supervisory approach across the single market.
Whilst some elements of the operational resilience requirements are an evolution of regulation already in place (such as governance structures and outsourcing requirements), other elements will be a full revolution for firms. The proposal expands the regulatory perimeter to establish an oversight framework applicable to critical third-party providers of ICT services (including cloud computing and data analytics).
The proposal is principle-based. However, certain aspects of it are rather prescriptive, leaving little room for flexibility in how a firm meets the desired level of resilience and little allowance for proportionality to the size and nature of the company.
Some key sections of the act are summarised below:
There is a way to go before the act comes into effect, with an expectation of around 18 months. Additionally, there are underlying technical standards to be developed by the European Supervisory Authorities (ESAs), which will give more granular guidance as to the requirements.
The Commission considered establishing a new, separate authority to supervise critical ICT service providers and instead decided to absorb them into the existing regulated financial entities framework. This approach suggests that the technical standards, as well as the supervisory model, are likely to be very closely aligned with the existing ESA guidelines and supervisory approach.
ICT firms (including cloud providers) will need to assess whether they may be classified as a critical ICT service provider under DORA’s definition of the term. For all critical firms, the recommendation is to evaluate their current risk framework against DORA and build any step-up requirements they may have into their strategy, growth plans and budgets.
Financial institutions currently within the European Commission’s supervisory model and scope should assess whether their current state meets the expanded regulation and plan accordingly to respond across the themes.
Don’t hesitate to reach out if you have a question.
This article was first published in the April 16th issue of Finance Dublin.