DTCC: Operational resilience planning, in 2021 and beyond
By David LaFalce, Managing Director, Global Head of Business Continuity & Resilience at the Depository Trust & Clearing Corporation (DTCC)
Planning for operational resilience will unquestionably be a strategic priority for firms over the course of 2021 and beyond. In an increasingly interconnected and digitalised world, organisations can be vulnerable to disruptive events related to technology-based failures, system outages and cyber-attacks. This has been further highlighted by the Covid-19 pandemic, with organisations needing to adjust their operational resilience plans to take into account not only the health impact on employees, but also effects such as the shift to remote working. At the same time, because of climate change, firms also need to consider the increased likelihood of natural disasters threatening significant operational disruption.
Such a diverse risk landscape requires firms to continuously evaluate how they operate, communicate and safeguard against threats – some known, and some not yet known. While predicting a disruption can be challenging, there are measures organisations can adopt to further evolve and enhance their operational planning and response. This is even more pressing in light of the growing attention from global regulators and government agencies who have been gradually increasing their focus and oversight of firms’ operational resilience plans.
In the US, the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency (OCC) and the Federal Deposit Insurance Corporation (FDIC) recently released an interagency paper outlining sound practices drawn from existing regulations, guidance, statements, and common industry standards, designed to help large banks increase operational resilience.
In the UK, the Bank of England, the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have proposed a regulatory framework to promote operational resilience of firms and financial market infrastructures (FMIs). This has culminated in the three UK supervisory authorities publishing a shared policy summary and coordinated consultation papers aimed at prompting a dialogue with the financial services industry on new requirements to strengthen operational resilience across the sector.
In Europe, policymakers are also addressing this topic, with the European Commission adopting the Digital Finance Package (DFP) in September 2020. This includes the Digital Operational Resilience Act (DORA), which requires participants in the financial system to have the necessary safeguards in place to mitigate cyber-attacks and other risks around the use of information and communications technology (ICT).
Until recently, operational resilience was typically developed with a risk-avoidance mindset focused on the end goal: full recovery. However, given the increased regulatory focus in this area, and with organisations facing a greater variety of operational threats than ever before, businesses must widen their planning scope to ensure the continued delivery of critical services, even with some systems becoming unavailable. In response, firms must consider evolving their operational resilience practices while focusing on three key areas:
1. Tailored approach
Firms must assess and develop long-term business continuity plans and operational resilience strategies in accordance with their specific needs and those of the clients they serve.
Developing maturity matrices – a “checklist” intended to evaluate how well-developed a particular process or program is – can be beneficial to establishing resilience program goals, as well as to managing expectations and measuring a firm’s performance against those predefined goals. It is no longer sufficient to have an optimum system of risk identification, evaluation, and assessment; companies must now be able to predict potential disruptions and be agile, adaptable, and resilient to continue to thrive. This premise has driven firms’ shift from a pure risk focus to a risk and resilience approach.
2. Know your assets
Firms and FMIs can identify relevant risks by mapping important business services to their operational dependencies, including locations, systems, suppliers, and people. For example, organisations need to ensure they know where the critical workforce, such as subject matter experts, key decision-makers and employees with critical skills, is located and ensure that the risks associated with geographical locations are understood. A crucial part of an efficient operational resilience strategy is conducting a thorough “bench-strength” analysis, assessing critical processes and the depth of people who are able to provide support. This should include an estimate of the timeframe required for peers to take over the responsibilities of those who are not able to perform them.
3. Supply chain disruption
The use of third, fourth and even fifth-party suppliers to deliver a firm’s services, specifically those related to critical operations, has risen in recent years. As such, organisations are increasingly required to establish detailed processes to measure, monitor and control the potential risk exposures associated with outsourcing these services. This includes consideration for testing and availability of backup providers and failover procedures.
One of the crucial issues that requires thorough evaluation is how far back in the supply chain organisations are able to go to assess risk threats, particularly for third-party suppliers providing critical services. While opting for supply chain restrictions may be challenging in today’s interconnected operational environment, it is important for firms to realise that it might be more difficult to achieve operational resilience if they rely heavily on vendors with whom they don’t have direct contact.
As a result of the challenges revealed by the Covid-19 pandemic and increased regulatory focus, operational resilience will continue to be a high priority for financial services organisations in the coming months and years. Building a robust operational resilience model is critical to ensure the continued delivery of services. By moving away from a “one size fits all” resilience approach to each firm knowing their unique assets and understanding the implications of a potential supply chain disruption, organisations can tackle key issues head-on and better prepare themselves against future threats.