The demand for greater operational resilience from UK regulators will require a renewed focus from financial services firms above and beyond the challenges they have faced from the COVID pandemic.
While the insurance sector has not been subject to the high-profile incidents which have beset some banking firms in recent years, the FCA and PRA and are determined to ensure that all firms understand the risks that will have a material impact on the market or their customers.
Speaking to Emerging Risks, Steve Dellow, Director, Technology Risk Assurance at BDO said the current timetable would see the UK’s operational resilience requirements put into place by the end of the year. Therefore, firms needed to be working on their response, not only to the regulators, but also the issues they have discovered in their efforts to address their operational resilience.
Mr Dellow highlighted that while may have robust business continuity and disaster recovery plans in place the requirements within the proposed regulations went further.
“The key elements at present are for firms to map out the threats to their business which have the potential to materially affect the market or the customers,” he explained. “We have seen in recent years incidents in the banking sector where technology or system issues have impacted their ability to operate services.”
Mr Dellow said for example should a bank’s mortgage payments systems go down to a point were agreed mortgage funds were unable to be transferred to clients who were completing a house purchase the impact would be catastrophic.
“For an insurer the inability to pay claims for a day may have a limited impact but a bank’s inability to transfer mortgage funds could have a serious impact for their customers,” he said. “Firms need to map the risks that could have a material impact, but they also need to assess the tolerance they have within the system before any failure has a material effect.
“It might be that a failure in a particular system or service would not have an impact for a day, however it might have an impact should the system fail for an hour. Firms need to understand the tolerance they have within the operation before the problem becomes material.”
While mapping the risks is part of the requirements, firms also need to analyse their client base and identify those clients which could be deemed to be most vulnerable in order to ensure that should an event occur those clients are prioritised.
Mr Dellow added that the regulators are aware that firms will find gaps in their resilience as their work continues and have placed a degree of tolerance into the planned timetable to ensure firms have the ability to address issues.
“There needs to be recognition that operational resilience is not simply a traditional business continuity issue,” he added. “The increased use of third parties by firms mean they need to ensure that those firms which play a part in the operation or provide services have the necessary resilience in place.
“Firms need to demonstrate they have taken steps to ensure that third parties can meet their requirements. It will not be enough to simply say they have told you that they have resilience in place.”
The COVID-19 pandemic has tested firms but Mr Dellow said the demands from regulators were above the impact that had been seen from the pandemic.
“Firms had two weeks as COVID spread where the move to remote working looked increasingly likely,” he explained. “The move to remote working was carried out with limited impact to firms’ ability to operate. However, for senior management it was not similar to waking up at 8am one working to be told that the company’s computer systems have been compromised and the firm is unable to transact business.
“In terms of COVID it has not tested the operational resilience for firms to the level that the regulators will require. Companies will need to have their operational resilience, business continuity and disaster recovery strategies and systems under a single umbrella in order to have a holistic view of the risks they face.
“Firms recognise their need to prepare for this and many firms have begun the journey. I do not think there are any firms which will say they have completed the steps they need to take, but they are working towards that point. COVID may have delayed some of that progress but regulators are keen to see the sector doing what it needs to do to meet their timetable.”