The PRA’s Nick Strange delivered an update on operational resilience in a speech on 6 October, setting out feedback to the PRA’s consultation paper, an update on how the industry has coped during the pandemic, international harmonisation, and thoughts on the overlap, and differences, with operational continuity.
The industry remains supportive of the UK authorities’ approach and the paradigm shift towards assuming that disruption will occur, but raises a number of points to the regulators:
- The importance of maintaining a focus on prevention and detection
- Sharing good practice across the industry
- Encouraging a proportionate application of the rules
- Ensuring a consistent application of the rules across firms
- Consistency with other regulations
- Alignment on approach with other regulators
Lessons from the pandemic
The key observation was how successfully firms, and the industry as a whole, have adapted to the crisis – more than might have been expected. However, he added a note of caution – this has been made possible by developments in technology over recent years, and in some cases it has placed significant pressure on IT systems.
He also notes that there was significant warning about the risk, which gave firms plenty of lead time to prepare and subsequently adapt to the changing circumstances. The fact that it affected the entire industry rather than specific firms has also helped – no single firm was an outlier and all were adapting together.
It had led to new ways of thinking – remote working was always seen as a short-term solution, but the industry will now need to maintain these solutions with staff working remotely for longer, which is more challenging for some roles than others (e.g. trading and retail operations).
Firms have also needed to relax risk appetite and controls to facilitate staff working from home, which naturally increases the risk of fraud and data leaks. At the same time, firms are now re-thinking the benefit of maintaining disaster recovery sites given the success of working from home.
The new way of working has increased cyber risk, and the PRA is concerned that some IT change initiatives have been put on hold during the crisis, delaying improvements to firms’ resilience. There have so far been few material cyber incidents in regulated firms, but there have been a number of events impacting third-party providers, so it is vital to fully assess the risks that providers face.
International regulatory harmonisation
The Basel Committee of Banking Supervisors (BCBS) recently released its own consultation on operational resilience, a document the PRA contributed to. The principles are broadly aligned, even if the terminology differs in places, and he stresses that regulators will seek to cooperate to align the overall approach. There will naturally be differences as a result of local priorities, but not so great that they cannot be worked around. Cooperation between regulators should eliminate any conflicting approaches.
Policy harmonisation: Operational resilience and OCIR
This is an area that has caused some uncertainty among firms, and the PRA seeks to clarify that while there are differences in overall purpose (one seeks to maintain a wide range of services through an extended period of stress and resolution, whereas the other is particularly focused on maintaining time-critical, high-impact services in response to an operational shock), there is significant overlap in what firms need to do – much of what is necessary for operational continuity is also required for operational resilience. It is important to remember, however, that they are separate initiatives and facilitate different outcomes.
Firms should have a clear understanding of what is ‘critical’ for OCIR and ‘important’ with regard to operational resilience. The approach should be coherent, and the thinking should not be done as separate exercises in isolation.
Service mapping is also an expectation of both OCIR and operational resilience, and the PRA expects them to be managed through a common approach – again, there should not be a siloed approach but one that can be leveraged to support the outcomes of both.
The PRA is expected to release a new consultation on OCIR in the next month.
In his closing remarks, Nick Strange noted that as firms develop services in the future, they should be resilient by design and not as an afterthought, and that the current crisis should be used as an opportunity to embrace this new way of thinking.
Deloitte provides more thoughts around the topic of resilience through our Resilience Reimagined site, exploring how organisations can thrive before, during and after adversity.
As firms adapt to a new normal, that is the time to ensure that important business services are resilient by design rather than designed first with resilience as an afterthought. This is an opportunity to move to a new and higher level of resilience as you respond to COVID-19.