Long Read, Jun 21 2023

So you think you have operational resilience?


Who five years ago would have predicted that as we sit here in Q2 2023, we would have been subject to lockdowns over the best part of two years, war would be waged in Europe, various US banks would have evaporated and further banking contagion feared?

Had any notion of these been advanced in 2018, a likely response would have suggested such thoughts to be fanciful.

Different businesses are affected in different ways when such global calamities visit. Some of us were untouched by Silicon Valley Bank, while for others their entire liquidity depended on SVB being able to fulfil its obligations. 

A business that had no capacity or mechanism for home-working would have had to seek rapid solutions during the first lockdown, and as many of us would recognise, a rapid solution is generally not a good, long-term solution. 

FCA homing in

Regulators are focused on operational resilience: requiring firms to measure and monitor it produces appropriate outcomes and satisfies a number of the regulator’s statutory obligations, foremost among them the prevention of harm to consumers.

The operational resilience requirements of the Financial Conduct Authority's senior management arrangements, systems and controls (SYSC) 15A – part of the FCA handbook – do not apply to all firms.

However, from a best-practice perspective, understanding the effective steps that can be taken to improve operational resilience helps a firm anticipate business disruptions that may come down the line.


The identification of important business services and intolerable harm sit at the heart of operational resilience. Mapping identifies important business services, and a distinction needs to be made between the enablers of business services and the services themselves, which are provided by, or on behalf of, the firm.

Enablers include people, infrastructure, facilities and information, as those feed into the business process delivering the relevant service to the client. 

Intolerable harm does not have a definition, but the FCA sets out in PS21-3 various factors that should be taken into account, as well as guidance on setting impact tolerances, which are expressed by reference to time/duration.

Understanding your tolerance

While all firms should have a very well-developed understanding of their customer journey, operational resilience also needs a careful analysis of the reliance of customers on the firm, and time criticality of that reliance. 

Clearly a bank is heavily relied on day to day by customers for payment of bills, standing orders and the general business of living. 

A takedown of a bank’s systems has an enormous effect on consumers. A bank might therefore have a time/duration impact tolerance of a matter of hours, while an insurance claims handler, dealing with notification and processing of claims, where a customer is not immediately reliant on it for their day to day, might consider a two-day takedown to be an appropriate time/duration impact tolerance.

Taking a look at your customer base, what it is they are buying from you and what happens if you are unable to function has to be a good starting point. Putting yourself in your customer’s shoes and asking how you would feel if this happened to you or to a relative, and what you would need to know, is appropriate.

The mapping process of each important business service informs a firm as to the elements which form delivery of that service, and having identified those, the impact of losing one or more can be measured. 

That loss can come about in any number of ways, and the FCA requires that self-assessment is run against severe but plausible scenarios. 


Some of these scenarios are self-evident: what happens if our IT goes down? How quickly can we get it back? What happens if we cannot access our banking facilities and make payments?

All of these are plausible and not flights of fancy; firms are not required to benchmark against the book of Exodus, but an objective view should be taken. 

For example, there is a difference between a temporary loss of service from a telecommunications provider and that provider going out of business. Depending on the nature of the provider, the insolvency scenario may be appropriate.  

Adapt and overcome

The FCA’s operational resilience mantra is: prevent, adapt, respond to, recover and learn from operational disruptions. 

Prevention comes from proper mapping and identification of points of failure, and particularly single points of failure – adaptation springs from that mapping. 

If a firm determines that reliance on one bank poses a threat to customers or to the firm itself (and operational resilience goes to a firm’s own solvency), consideration should be given to having two banks. 

This is of course easier in theory than practice; many banks are not keen on a firm’s banking relationships being shared and lending packages may specifically prevent it. Adaptation very much depends on what is reasonable and achievable. 


The response and recovery from any operational disruption can be planned in advance, and while any anticipated scenario may not be exactly the same as an actual event, at least having a basket of responses to disruptions and associated planned recoveries will give some sort of head start.

So where to start? Step into your customers’ shoes and look at it from their perspective, both in terms of the service they are buying from you and how crucial that service is to their day to day. 

Having done that, undertake a mapping exercise in relation to each service and understand which elements of that service and its enablers could prevent its delivery. Your impact tolerances can then be determined. 

Once you have a good idea of where your challenges lie, those can be baked into your procedures, compliance monitoring programme and overall business planning. 
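The mapping, single-point-of-failure and impact-tolerance steps above can be made concrete in a small dependency model. The following is an added illustration, not code from the article, the FCA or any firm: the two business services, their enablers, the outage durations and the tolerances are all constructed values, and the simple rule that a service is down for as long as its slowest dependency group has no working alternative is an assumption of this example, not a regulatory method. It also shows the adaptation step from the text (adding a second bank) and re-runs the self-assessment afterwards.

```python
"""Constructed example: dependency mapping, single-point-of-failure detection
and impact-tolerance checks for two hypothetical business services.
Service names, enablers, tolerances and scenarios are illustrative only."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BusinessService:
    name: str
    # Impact tolerance: maximum tolerable outage in hours (time/duration).
    tolerance_hours: float
    # Each dependency group is a set of interchangeable enablers (people,
    # infrastructure, facilities, information). The service loses that
    # capability only when every enabler in the group is down.
    dependencies: tuple


def single_points_of_failure(service: BusinessService) -> list:
    """Enablers with no alternative: losing any one of them takes the
    service down for the full length of that enabler's outage."""
    return sorted(next(iter(g)) for g in service.dependencies if len(g) == 1)


def service_outage_hours(service: BusinessService, outages: dict) -> float:
    """Estimate service downtime for a scenario given as enabler -> hours
    unavailable (enablers not listed are up). Assumed rule: a group recovers
    when its fastest-returning alternative is back, and the service is down
    for as long as its slowest group."""
    worst = 0.0
    for group in service.dependencies:
        group_down = min(outages.get(enabler, 0.0) for enabler in group)
        worst = max(worst, group_down)
    return worst


def assess(services, scenario: dict) -> dict:
    """Self-assessment of every service against one scenario: estimated
    outage length and whether it breaches the service's impact tolerance."""
    result = {}
    for service in services:
        hours = service_outage_hours(service, scenario)
        result[service.name] = {
            "outage_hours": hours,
            "breach": hours > service.tolerance_hours,
        }
    return result


def add_alternative(service: BusinessService, enabler: str, alternative: str) -> BusinessService:
    """Adaptation step: give an existing enabler a fallback (e.g. a second bank)
    so it is no longer a single point of failure."""
    new_groups = tuple(
        frozenset(group | {alternative}) if enabler in group else group
        for group in service.dependencies
    )
    return replace(service, dependencies=new_groups)


# Constructed services. Payments are time-critical for customers; claims
# handling is not, so it carries a much longer tolerance.
CLIENT_PAYMENTS = BusinessService(
    "client payments", tolerance_hours=4,
    dependencies=(frozenset({"primary-bank"}), frozenset({"payments-platform"}),
                  frozenset({"telecoms"}),
                  frozenset({"ops-team-london", "ops-team-leeds"})),
)
CLAIMS_HANDLING = BusinessService(
    "claims handling", tolerance_hours=48,
    dependencies=(frozenset({"claims-system"}), frozenset({"telecoms"}),
                  frozenset({"primary-bank", "secondary-bank"}),
                  frozenset({"office", "home-working"})),
)
SERVICES = [CLIENT_PAYMENTS, CLAIMS_HANDLING]

# Constructed "severe but plausible" scenarios: enabler -> hours unavailable.
SCENARIOS = {
    "telecoms outage": {"telecoms": 6},
    "primary bank insolvency": {"primary-bank": 240},
}

if __name__ == "__main__":
    for service in SERVICES:
        print(service.name, "single points of failure:", single_points_of_failure(service))
    for label, scenario in SCENARIOS.items():
        print(label, assess(SERVICES, scenario))
    adapted = add_alternative(CLIENT_PAYMENTS, "primary-bank", "secondary-bank")
    print("after adding a second bank:",
          assess([adapted], SCENARIOS["primary bank insolvency"]))
```

Run as a script, the model reports that a six-hour telecoms outage breaches the payments tolerance but not the claims tolerance, that a primary-bank insolvency breaches payments alone because claims handling already has a second bank, and that adding the second bank to the payments service removes that breach. Replacing the constructed values with a firm's own mapping is the point of the exercise; the model does not replace the judgement about what harm is intolerable.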

Like everything, operational resilience should be reviewed periodically, and in this case at least every 12 months.

Richard Tall is a partner at Faegre Drinker Biddle & Reath