Banking Insight's: Operational Resilience
The Chartered Banker Institute, in conjunction with PwC, hosted a Banking Insight Session on Operational Resilience. Stuart Birnie (PwC Director) reflects on the session and the key points discussed.
6th December: Event - Banking Insight's: Operational Resilience
Following the joint PRA, FCA and Bank of England discussion paper on operational resilience in July 2018 the Prudential Regulation Authority has said it is second only Brexit in its list of priorities. That means it is time for all businesses to focus on operational resilience and the growing threat of incidents.
In addition to the discussion paper there have been a number of notable publications and developments: a) a Treasury Select Committee investigation has been announced, b) the FCA issued the results of their survey into cyber and technology resilience which showed that the number of incidents reported to them has increased 138%, and c) the announcement that operational resilience stress testing on payments will be conducted as a pilot in 2019 with this becoming a requirement for all regulated firms in 2020.
Given the increase in operational incidents, I agree with the regulator view that operational resilience should be on an equal footing with the efforts afforded to financial resilience. The session on the 06th December prompted a lot of debate with the key points of discussion including:
- Firms need to be braced for more IT and cyber incidents as they are increasing in frequency. The regulator expects more events and its focus is as much on how firms respond and learn as it is on how they prepare;
- The need for continued focus on operational resilience, as it is highly likely the consultation paper will become policy in 2019;
- Having senior management support and the right communication, collaboration and culture is critical. Operational resilience is not solely a technology issue;
- Operational resilience is an outcome - it is not a function, process or department: Operational resilience involves all three lines of defence, but must be driven by business leadership. The challenge is alignment and consistent linkage to business services;
- To obtain the end-to-end view of critical business services (as described in the joint paper) Firms will need to understand the activities of third parties (and even fourth, fifth parties etc). Regulators and Firms will need to continue to collaborate on answering key questions such as what are the requirements and boundaries when using Cloud outsourcing?;
- There is a lot of effort involved in meeting the requirements of the joint paper. For example, understanding critical end to end business services, impact tolerances etc. Given this Firms should be focused on implementing operational resilience now and not waiting for the policy;
- Performing stress testing does not necessarily mean a live test but it does mean having severe but plausible scenarios to test against using real data; and
- Given the expected timetable of regulation through 2019, now is the right time for organisations to plan and act so as to be well placed for the coming changes and requirements.
Stuart Birnie is a director in PwC’s Scottish IT Risk Assurance practice, based in Glasgow, with more than 17 years’ experience working on project delivery and assurance, technology risk management and internal control, and operational resilience projects. Stuart can be contacted at [email protected] with more information on PwC view of operational resilience.