Operational risk must be managed, warns BoE

The UK financial services industry has been told operational resilience is key as the world faces a new normal driven by the Covid-19 pandemic.

Nick Strange, senior technical advisor, Supervisory Risk Specialists, at the Bank of England (BoE), has said it continues to look to strengthen the sector’s operational resilience and will expect firms to have in place adequate systems to ensure that their critical operations can continue in times of major shock.

He told the OpRisk Europe event that much has changed in the world in the past 12 months but that the BoE was still clear on its requirements.

“Our aim, then as now, was to build the resilience of the financial sector so that it is better able to absorb operational shocks while continuing to provide what we have defined as important business services,” he said. “We asked you all to assume these shocks would happen and to focus on your response and recovery capabilities – a case of ‘when, not if’ disruption occurred.”

Strange added: “Firms should set their tolerances at the point at which operational disruption to important business services might pose a risk to financial stability, the firm’s safety and soundness and (in the case of insurers) the appropriate degree of policyholder protection.”

“We would also expect boards to satisfy themselves that their firm was meeting the requirements for having suitable strategies, processes and systems for identifying the important business services and setting the tolerances, and to perform mapping and testing. We originally set a deadline for responses to our operational resilience proposals of 3rd April 2020, but in recognition of the challenges posed by Covid-19 we extended this deadline to 1 October. We currently expect to publish our final policy in Q1 2021.”

He said the BoE believes that the fundamentals of its proposed approach (important business services, impact tolerance, and ensuring that firms stay within tolerance) have stood the test of Covid-19.

“As we all know, Covid-19 continues to test the operational resilience and response capabilities of us as regulators and of the firms that we supervise,” added Mr Strange. “The nature and magnitude of operational risks have evolved as a result of the growing reliance on remote working arrangements.

“We all, regulators and firms alike, focused first on maintaining the continuous delivery of important business services with reduced staff and very large increases in remote working. For many firms this has been more successful than they, or we, might have expected, largely due to the technical capabilities that are now available to us. But the huge increase in remote working has placed significant pressure on firms’ IT systems which have needed to significantly scale up their capacity, and there have been practical problems too such as sourcing and configuring new IT equipment quickly and in large numbers.”

He acknowledged there was no doubt productivity will have suffered, as staff juggle personal responsibilities such as child care with their work commitments, but overall the finance sector’s response to Covid-19 is a relatively good news story.

“However, there is a real danger now that the pandemic is seen as an extreme test of operational resilience that proves that the financial sector is already operationally resilient,” Mr Strange warned. “Does this mean ‘job done’? We don’t think so.

“There are characteristics of this event, extreme as it is, which made it easier for us all. It evolved slowly – relatively speaking. We could see it coming; response time was measured in days, if not weeks. We had time to think. We had time to prepare and implement. And we had time to react in a controlled way, making it up as we go along – if you like.

“Like many of you, I’ve been ‘practicing’ for this for over 20 years by working from home from time to time.

“Secondly, it was prolonged; it has been with us for months now and will likely be with us for many more months to come. This has given us time to understand and adapt to changing circumstances. Finally and most importantly, it was symmetric in nature. That is to say that the threat has been broadly equal to everyone, everywhere, at the same time. Impacts may vary, based on local responses but essentially everyone was in the same boat.

“This gets you many things. Some level of goodwill or tolerance from your customers being one. But it also somewhat levels the playing field in terms of the response, i.e. if everyone is affected just as badly as me, then I’m not at an implicit disadvantage from a commercial risk perspective. And if I’ve got time to prepare, and react in a controlled and innovative way, then all the better.

“But there are threats out there that will not be slow, prolonged and symmetric but precisely the opposite: fast, short-lived and asymmetric. Cyber is one such example but idiosyncratic operational failures or key third-party failures will be fast, short-lived and asymmetric. Incidents with these characteristics, fast, short-lived and asymmetric, may rely on some of the same response and recovery capabilities but they will test an organisation’s preparedness to the limit and in potentially different ways from that which Covid-19 has.”

Looking to the future, Mr Strange said that in the event of an operational shock, a firm must deliver its most time-critical, high-impact services that have an external end user (important business services). Firms should identify services that could rapidly impact on financial stability, safety and soundness or policyholder protection and have contingency arrangements.

“We therefore will expect firms to have a coherent narrative between what is ‘Critical’, or would support a firm’s viability for OCIR, and what is ‘Important’ for important business services. Irrespective of the terminology employed, boards and senior management should be aligned with us as regulators in wanting to know what aspects of their firms’ businesses have the most impact on financial stability, their own business success and their customers’ needs.

“So we don’t expect to see completely different mapping regimes employed in a silo-based fashion. Work done to ‘map’ and understand the interconnectivity of functions, business lines and services should be leveraged to meet the requirements of both OCIR and operational resilience policies.”

He concluded: “The relative success of working remotely means that for some staff the return to office can be slow, taking account of their own personal circumstances as well as business needs. As well as heeding government advice, triggers might also include reliance on public transport, school arrangements and the ability to ensure employees’ health and safety in the office. Rotational working, staggered start/end of day times and split site working are all being considered.

“For the foreseeable future office occupancy rates will be much lower than normal. I recently came across the 21/90 rule, often quoted by lifestyle gurus; ‘it takes 21 days to build a habit and 90 days to build a lifestyle’. Well, most people in the financial sector will have been working from home for double the 90 days and they’re discovering that they quite like this new lifestyle! Firms are also starting to question what the new normal will look like. This has longer term implications for the ‘new normal’ and for the control environment needed to mitigate the new risks we’ve discussed.

“We will be looking to understand whether the firms who had made the most progress implementing our operational resilience policy proposals were able to respond best to this incident. There are some early indications that this is the case, as some firms were able to readily identify their key workers because they already had a good understanding of their most important business services.

“As firms adapt to a new normal, that is the time to ensure that important business services are resilient by design rather than designed first with resilience as an afterthought. This is an opportunity to move to a new and higher level of resilience as you respond to Covid-19.”