At a glance:
- Regulators have been monitoring the operational resilience of financial services firms during the COVID-19 pandemic and the government restrictions consequently imposed. This will continue to be an important focus for them as restrictions are gradually eased.
- In the near term, we see regulators looking particularly closely at how firms refine their resilience plans in the coming months, how they approach the governance of their operational resilience and the quality of their crisis communications.
- Longer-term, it is clear that the current circumstances will influence the direction of operational resilience regulation. We believe the COVID-19 experience will validate the proposed UK regulatory approach that focuses on strengthening the resilience of important business services in the face of a wide range of severe but plausible scenarios.
Financial services firms have had to overcome significant challenges in responding to the first phase of the COVID-19 pandemic. Maintaining resilient operations while many countries have imposed strict lockdowns has required firms to rely on their existing business continuity plans, but has also demanded the fast adaptation of those plans as the severity and duration of the lockdowns have become clearer. The evidence to date suggests firms have been more successful in moving to digital-based services and home working than might have previously been anticipated – this is good news.
Financial regulators and other public authorities have been increasing their focus on the operational resilience of the financial sector in recent years. As part of this, regulators in the UK and EU had already begun developing new frameworks to address various non-financial threats to the sector’s functioning such as ICT resilience and cyber risk.
This can now, with hindsight, be said to have been a wise shift in strategy given the events of the last few months. But the circumstances around COVID-19 represented an unexpectedly early test of the work already done. It will also be an instructive experience in informing how the regulatory framework around operational resilience evolves and embeds in a post-COVID world.
Planning for operational resilience will undoubtedly be a strategic priority for boards and senior management. In doing so, it is important for them to consider a number of nearer and longer-term considerations arising from the pandemic on the direction of regulatory expectations. It will also be important to understand whether the resilience achieved to date was by design, and if not, what lessons should be drawn for the future.
Nearer-term considerations for financial services firms
The circumstances firms will face in the next phase of the pandemic remain uncertain. Governments will review their response strategies and adjust them based on case numbers, transmission rates and the impact on their health systems. This will lead to a gradual easing of lockdown restrictions, but could also see a re-introduction of measures if cases begin to rise again.
Our view is that firms should be prepared to cycle between varying degrees of restrictions for the coming 3-12 months and anticipate a gradual exit from lockdown measures. During this time, there will be an opportunity for firms to modify their operating model from being based on event-driven contingencies, often adopted in haste and expected to be deployed for a short time, to one that takes a planning-driven approach based on the scenarios they are likely to face over a prolonged period. This is an approach that we have called ‘modified resilient operations’ and discussed further in a recently published paper.
Financial supervisors have been giving firms flexibility in some areas of regulatory compliance at this time, but firms should nevertheless expect a higher degree of scrutiny around their operational resilience and business continuity planning. Although the regulatory framework for operational resilience in the UK and EU is still incomplete, and in some cases still under consultation, a number of regulatory powers and requirements are already in place that give supervisors the tools to hold the financial sector to a high standard in the coming months.
It is right to recognise that most parts of the financial sector have handled the first stage of the pandemic response remarkably well, with limited disruptions to their core services. Firms, however, should remain alert to evolving operational resilience risks as varying degrees of restriction continue, sometimes for longer than expected, and equally, risks that arise from the gradual and partial lifting of restrictions across countries. From this point of view, supervisors see events so far as only the beginning of the resilience challenges the financial sector could face.
Based on recent regulatory statements on the management of operational resilience in the financial sector, there are at least three areas where firms can expect regulatory scrutiny to be most acute in the coming months:
- Refining resilience plans: Regulators have stressed that firms need to update their business continuity plans and operational resilience arrangements to account for the longer-term challenges and risks that will come with the later stages of the pandemic response. One often-cited risk is the threat of opportunistic cyber-attacks on firms whose IT vulnerabilities may now be greater due to widespread remote working and hastily deployed alternative systems. Another consideration could be related to the ability of firms to monitor the resilience of third-party providers that they rely on to deliver important business services (a topic we address in more detail in a recent blog on Cloud outsourcing and COVID-19). There are many potential strands here, but firms will need to show their supervisors that they have built this thinking into how they plan to maintain their operational resilience as countries cycle through stages of the pandemic recovery over the next several months. This planning should consider not only the ability to protect operations from further disruption, but also how operations can be made more agile and how firms can take advantage of digital transformation opportunities in order to meet changes in consumer and market demand as government restrictions evolve.
- Governance of operational resilience: Regulators have made clear that firms need to have an adequate internal governance and control framework in place for managing operational resilience in response to COVID-19. In a recent statement on the expected supervisory approach to the pandemic, the European Banking Authority underlined that a firm’s board and senior management should also be closely involved in setting the firm’s priorities and making key operational decisions in its COVID-19 response. In the UK, the Senior Managers and Certification Regime requires firms to designate a Chief Operations function (SMF24) that regulators have stated is responsible for safeguarding the firm’s operational resilience during the pandemic. Executives holding these roles will be under particular pressure to show that they have taken steps to strengthen and protect the firm’s resilience, including giving special consideration to the role of essential employees and how the approach to managing them may need to change. Boards and senior management must keep the likely scrutiny of regulators in mind as they make difficult choices on using limited resources in the months ahead to support supply chains, serve customers, protect their employees and invest for the future recovery.
- Crisis communications: Firms should expect to be challenged by supervisors on the effectiveness of their crisis communications with all parties, including internal communications, contact with customers and contact with other relevant external stakeholders, including regulators themselves. The content and delivery of these communications will need to be adapted appropriately for different stages of the response and subsequent recovery, to convey accurately the steps the firm is taking to ensure its resilience and their expected impact on its services. Industry-wide information sharing will also be important to support the resilience of the broader financial sector, and firms should engage fully with sectoral operational resilience groups such as the Cross-Market Operational Resilience Group in the UK and its equivalents.
Setting operational resilience standards after COVID-19
The experience of COVID-19 will undoubtedly influence the direction of regulatory policy on operational resilience. In the UK, financial authorities had been developing a supervisory approach to this based on identifying firms’ important business services and setting an ‘impact tolerance’ for disruptions to them. This work has already seen one delay; the consultation deadline for the proposed framework (which we analysed in more detail in an earlier blog) has been extended to 1 October 2019 and the timeline of supervisors to finalise their approach may also need to shift back. Nevertheless, the UK’s proposed regulatory approach is very likely to be emboldened by the COVID-19 experience for several reasons.
First, the last few months have shown that serious challenges to operational resilience can be brought about by scenarios not directly related to technology failures. Even though ICT risks will likely remain the most frequent threat to operational resilience, this experience has shown that firms should be conducting resilience planning based on a wide range of public health, environmental and other scenarios. For these exercises, firms should look closely at risk analyses done by national governments, such as the UK’s National Risk Register (where pandemics featured as a top risk long before COVID-19). Authorities in jurisdictions that have focused mainly on cyber threats to the financial sector as the most likely source of an operational systemic disruption may need to consider broadening their scope of analysis.
Second, we can now see that a focus on identifying, understanding and maintaining important business services, as opposed to protecting key assets, can be a more effective approach to dealing with an unexpected and unconventional resilience shock. Worldwide lockdowns did not directly threaten the integrity or connectivity of a particular IT system, but instead challenged firms to continue their core operations, through modified procedures and the use of substitute systems, just when daily life had to change dramatically. Focusing on the adaptability and alternative delivery of important business services has been a critical part of this.
And finally, the COVID-19 experience is showing that some of the most important threats that boards and senior management need to plan for are not always idiosyncratic. Large, systemic events that threaten the functioning of financial markets, or the economy as a whole, happen with sufficient frequency that they need to be taken seriously, even when crises become a distant memory. Boards and senior management should attach greater importance to work done by financial sector authorities, such as the European Systemic Risk Board, into how a cyber attack could precipitate a sector-wide liquidity crisis. Firms need to assume that events like these will lead to service failures and that they fall into the category of ‘severe but plausible’ scenarios; regulators will expect firms to plan for and build resilience to them.
Regulators will take a lot of lessons from how the financial sector performs during the COVID-19 lockdowns, both in finding out which existing processes and tools worked best and in identifying vulnerabilities that need to be addressed by future standard-setting. Although the finalisation or implementation of some regulatory initiatives might be delayed due to the pandemic, the regulatory focus on operational resilience in financial firms can only increase, from what is already a high base.