Following the financial crisis of 10 years ago, regulators ratcheted up their instructions to financial services operators to build financial resilience. They defined exact capital adequacy requirements and introduced new metrics to measure financial risks. Now regulation is moving in a new direction – that of ensuring operational resilience.

In the past few years, some banks faced embarrassing IT failures when their online systems went down and millions of clients could not access their money for days. The most notorious case is that of TSB Bank, owned by the Spanish bank Sabadell.

The problem began last April when the British bank started to migrate the data of its five million customers from former owner Lloyds' system to a new one. Despite TSB's shareholders boasting about their international IT prowess a few days before the conversion started, the UK bank was down on its knees within a few hours of the project going live, attracting the anger of clients, regulators, the media and parliament.

A survey of financial services operators conducted by risk.net, an online risk management magazine, identified the top operational risks faced by financial institutions in 2018. IT disruption ranked as the most serious, followed by data compromise and regulatory risk. In July 2018 the Bank of England issued a Discussion Paper entitled 'Building the UK financial sector's operational resilience'.

The Bank of England paper defines operational resilience as 'the ability of firms, financial market infrastructure and the financial sector as a whole to prevent, respond to, recover and learn from operational disruptions'. The UK regulators are right in asserting that operational disruptions to the products and services that financial services operators offer have the potential to harm consumers and market participants, threaten the viability of firms and cause instability in the financial system.

Technical innovation is pushing traditional financial services operators to upgrade their IT infrastructure. Cybercrime is a challenging reality, but it is not the main worry of most medium or small operators. Obsolescence of IT systems, a skills gap and resistance to change are the elements that worry both the boards of financial services operators and regulators.

From experience, I can vouch that one of the most traumatic experiences for any financial services business is a major upgrade of its IT infrastructure. Convincing the board to spend the massive amount of money needed to upgrade fades into insignificance when compared with the more controversial task of getting board approval for the right project implementation methodology.

Many boards do not have the experience or expertise needed to give executive management the right direction on the best way to implement such projects. They prefer to dig into the deep pockets of their organisation to pay consultants not only to advise them but, more worryingly, to take over responsibility for implementing complex IT projects.

Regulators increasingly expect directors to challenge the recommendations of their executives, including the CEO. However, deference often gets in the way of this uncomfortable approach. Boards too often prioritise consensus in decision making and shun any member who proposes more robust ways of ensuring that the board's oversight of the implementation of business-critical projects is effective.

Regulators insist that operational resilience is ultimately the responsibility of the board and the CEO of an organisation, even when essential functions like project implementation are outsourced. The tone from the top should make clear that all employees own IT transformation, but that the board and the CEO are the ones leading the project from the front.

It is inevitable that very soon regulators will set measurable standards aimed at ensuring that operational resilience sits at the top of a board's priority list. Setting impact tolerances, which quantify the amount of disruption that could be tolerated in the event of an incident, may be an efficient way for boards and senior management to set their standards.

The symptoms of a board's failure to prioritise operational resilience can be dramatic, as in the case of TSB's failed data migration project, or slow-burning, like the mediocre service of organisations that struggle to upgrade their IT infrastructure efficiently and without excessive costs and delays.

Organisations must plan to avoid disruption. However, they also must assume that one day operational disruptions will occur. They must have contingency plans to guarantee the continuation of essential services. Only in this way can financial service organisations serve their customers fairly.

johncassarwhite@yahoo.com
