Regulation | Apr 9 2019

Senior Managers and Certification Regime: are you resilient?

  • Describe how to ensure there is accountability in advice companies for the resilience of operational services ready for SMCR.
  • List what to do to mitigate risks from outside the company.
  • Identify the cyber risk to the business and prepare for it.
CPD: approx. 30 min

However, without accountability at a senior level, where one person looks across all the component parts, several minor problems may each go unnoticed and together end up being catastrophic for the resilience of the service.

Advice companies also need to think carefully about who they make accountable.

It is rarely appropriate for accountability for resilience to sit entirely with IT because very few processes are fully automated.

There are also people, suppliers and broader change management to consider. This means the chief operations function will need to be able to look all accountable people in the eye on a regular basis and ask: ‘Is this service resilient? Is there anything we need to worry about?’

In addition, resilience needs to be considered in the context of the customer and wider markets.

Regulators will naturally place their emphasis on protecting the rights of consumers and maintaining stability of markets.

Equally, the reputational damage and loss of trust from a customer-facing incident is likely to be remembered for many months, if not years - as we have seen in recent high-profile financial services disruptions.

Use of third parties

Think about the risks from outside your firm.

The use of third-party providers makes the financial services supply-chain complex.

It is unsurprising, then, that the FCA says third-party issues are the second most common cause of IT failures and breaches.

Alarmingly, when the FCA surveyed 296 firms, only a fifth said they include third parties in their resilience testing and planning.

If your business outsources core processes, you must be prepared to enforce the same controls on those third parties as you would your own company.

Many firms only consider third-party risk during onboarding or when re-negotiating vendor contracts.

Even then, the assessment of risk is often skewed towards the financial standing of the third party.

However, regulators expect a broader set of risk categories to be assessed at critical points, such as when a third party starts work, during the lifetime of the contract and when the agreement is terminated.

The key questions that need to be asked are: Will the third party handle sensitive data on behalf of the firm? How will they control that data, and what happens to it when you terminate the contract?

There is also a need to check whether the third party has a business continuity plan that covers the specific services you are buying from them, whether that plan has been tested and, if so, whether you can observe the tests.

PAGE 2 OF 4