"The pandemic shows my operational resilience framework is fine"
This blog is one of a series designed to identify common mistakes made by firms and individuals and explains why the mistake is damaging and could lead to regulatory sanction, a capital add-on and even a skilled persons review (S166). If you are making this mistake then you need to change your practice.
With financial services firms dealing with the global impact of Covid-19, it is not surprising that some have interpreted their survival as a sign of an effective operational resilience framework. Certainly, survival indicates a robust and effective response to Covid-19, but there are some aspects of the pandemic that differ from our previous experiences of operational resilience events, making the conclusion that operational resilience frameworks are fit for purpose concerning.
To understand my concerns, we should explore the origins of UK regulatory pressure for firms to improve their operational resilience. For example:
- In June 2012, millions of RBS, NatWest, and Ulster Bank customers were affected when problems with a software upgrade left them unable to access accounts, and the group were fined over £50m by regulators as a result;
- In April 2018, TSB transferred its five million customers to a new platform. In the days that followed, TSB’s Internet Banking and Mobile App channels were described as unstable and almost unusable. TSB also faced widespread issues in its branches with many services unavailable.
Between 2015 and 2019 the UK regulators undertook a number of initiatives aimed at focussing attention on operational resilience. In October 2019, the Treasury Committee published its second report on IT failures in the Financial Services Sector. The report notes that there is a role for financial services regulators in specifically reducing both the number and impact of IT failures in the financial services sector, and further regulatory intervention is needed to improve the sector’s operational resilience. In December 2019, the Bank of England, the PRA and the FCA published consultation papers on operational resilience and the final paper was published on 29 March 2021.
As the world entered 2020, reports began to appear of the outbreak of a pandemic in the City of Wuhan and on 23 March 2020 the UK population was told to stay at home and certain businesses were closed, mirroring similar actions elsewhere in the world. While it is a tribute to the UK’s financial services firms that they have survived the immediate impact of the pandemic, it would be erroneous to assume that the survivors have robust and effective operational resilience frameworks.
Unlike pre-2020 operational resilience events, which tended to impact a single firm and trigger without any prior warning, the pandemic was:
- A slow burn event, spreading to the UK over a period of about three months;
- An event that impacted all firms, substantially reducing the potential for reputational damage of the type seen in previous operational resilience disruptions.
This effectively lowered the bar for operational resilience responses and enabled firms to learn from remedial actions taken by others. Therefore, firms should not conclude that their experience of the pandemic demonstrates that they have a robust and effective operational resilience framework – one that could manage the impact from the more familiar threats to operational resilience, such as IT failures and cyberattacks.
The pandemic has certainly increased the focus on operational resilience, transforming it from potentially a regulatory exercise, emphasising the importance of all resources and live testing pandemic and resilience arrangements. Learning and implementing the lessons of Covid-19 should strengthen a firm’s operational resilience frameworks but does not give them a seal of approval.
We hope you find this blog helpful. Chapelle can help firms meet supervisory operational resilience expectations and build their operational resilience frameworks. For a full overview of our approach to framework improvements, please contact us directly.