09 December 2019
- Julian Cunningham-Day
- Simon Treacy - Victoria Hickman
Cyber security - Data privacy
Operational resilience: a new approach to managing cyber, tech and sourcing risk
The financial services sector has often led the way in shaping thinking about how to manage risk. Its latest focus, thanks to the Financial Conduct Authority, Prudential Regulation Authority and Bank of England, is something called “operational resilience”. This concept is one that anyone in, or interacting with anyone in, the financial services sector needs to know about. However, even those not directly impacted are already watching and waiting to see how the principles of operational resilience might influence the way they operationalise resilience in their own organisations.
What is Operational Resilience?
In days that are long gone, the focus was mainly on trying to prevent cyber attacks, data breaches, and system, process and third party service failures. Nowadays, most people accept that these types of events are bound to happen. Crisis plans and teams are now in place across many organisations, primed and ready to respond to all kinds of risk scenarios. However, in many cases, approaches still focus on the risk relating to individual systems, processes or events. Stakeholders are incentivised to look after only what is within “their” areas, and the potential impact of events on customers, suppliers, the wider market and other third parties is too often left to be determined at the point of crisis, rather than beforehand.
Operational resilience shakes things up. It requires financial services firms to take a more holistic, clearly-evidenced, outcomes-focused approach to making themselves ready to “resist and respond” to disruption to their operations. The way in which they judge disruption needs to be set by reference to clear impact tolerances i.e. the point at which the disruption to each of the firms’ services to their customers and the wider market becomes intolerable. Using metrics, firms would then be expected to ensure they stay within the tolerance levels they have set. This means, that they will need to understand holistically all potential sources of disruption beyond their tolerance levels – whether those arise from potential threat actors, poor governance or organisational issues, individual systems or processes, poor performance or management of outsourced and third-party services, poor change management, poor disaster recovery or business continuity planning, unknown interdependencies or otherwise. They must then manage them.
The focus is on protecting the continuity of the services that firms deliver to customers and others (known as “business services”), i.e. thinking about “business service outage”, not just “system outage”; thinking about the “end-to-end business service”, not just the “end-to-end system or process or outsourced service”. For many organisations, this will require significant cultural change and the bringing together of previously siloed parts of the business into a common operational resilience team, with a common new language.
For those who are familiar with the compliance programmes put in place to address General Data Protection Regulation requirements, many of the activities that need to be carried out to embed operational resilience will be familiar. Setting up the right programme governance and key milestones, as well as making sure there is a clear plan not just to map, remediate, implement and train, but also to keep embedding operational resilience into the business-as-usual that continues after the initial implementation will be key. In fact, GDPR compliance is itself explicitly recognised as a facet of proper operational resilience.
There is no mistaking that embedding operational resilience, and doing the work to demonstrate that it has been embedded so that a firm can operate within its impact tolerances, will be a mammoth project for many. At this stage, full compliance with operational resilience rules is not expected to be tested until 2024.
Proposed Rules for Operational Resilience
- Governance. Clearly articulate governance and responsibility for operational resilience (for firms, this must be done as part of their Senior Managers and Certification Regime framework), with clear allocation of responsibility and clarity around delegations of responsibility.
- Business services. Identify your important business services at a sufficiently granular level. Organisations must determine what their business services are, including important group business services.
- Mapping. Identify and document the people, processes, technology, facilities and information necessary to deliver each important business service. The purpose of mapping is to identify and remedy vulnerabilities and enable effective scenario testing. This is much easier said than done.
- Impact tolerances. Assume disruption will happen and set a disruption tolerance level for each important business service. Impact tolerances should generally be set at the first point at which a disruption would cause an intolerable level of harm, for example, to customers or market integrity. Metrics should cover at least the tolerable duration of impact and may factor in how many customers are affected and/or a measure of data integrity. Impact tolerances should be appropriate for peak time usage as well as in normal circumstances. It will be crucial to be SMART about how impact tolerances are set and monitored.
- Scenario testing. Carry out regular tests of your ability to remain within impact tolerances. Scenarios should be severe but plausible, and lessons should be learned. Any existing crisis plans will need to be reviewed and tested regularly to ensure that they remain adequate.
- Communications. Implement “fast and effective” communications strategies for internal and external communications.
- Document, document, document. Amongst other things, prepare and regularly update self-assessments to evidence compliance with operational resilience rules. These self-assessments must include important business services, their impact tolerances, the approach taken to mapping, an identification of vulnerabilities and outcomes of lessons learned exercises. These self-assessments could be requested by the regulators at any time.
This must be reviewed and approved at board level regularly. They must be ready to be sent to regulators on request.
What Happens Next?
Regulated firms can respond to the consultations before 3 April 2020. In order to properly understand the impact of the proposed rules, firms will need to have a proper handle on what operational resilience means for them.
As well as requiring input from internal stakeholders across a very broad spectrum, they may also need to seek feedback from third parties, including those within their supply chain or on whom they will rely to assist with the implementation of operational resilience programmes or in the event of a crisis.
Even in the short term, regulators’ keen focus on the proper management of third-party services is likely to increase. This makes it crucial for teams to be seen to be undertaking proper vendor assessment, selection and management, as well as ensuring that anyin-house functions responsible for procurement, assessment, strategic integration and management of third-party services are adequately resourced, experienced and performing. As always, it will be important to ensure that appropriate diligence has been carried out – and continues to be carried out throughout the procurement lifecycle – on vendors, and that appropriate contractual protections are not just in place, but also tested and used in practice. This will be particularly challenging against a background of increased cloud-usage and the drive for innovation and automation.
All legal stakeholders involved in cyber, tech and sourcing should understand key concepts around operational resilience, and what their role in relation to their organisation’s approach to it is.
By Georgie Kon, Julian Cunningham-Day, Simon Treacy and Victoria Hickman