How to build resilience against the backdrop of constant change

Nick Simms, a Director at Cornwood Risk Management (and former Operational Resilience Director, M&G Plc), explores how firms can build operational resilience, including new lessons for drafting SLAs, the trick to managing parent companies and how to define a "severe but plausible" event.

Sara Benwell POSTED ON 9/3/2020 3:15:59 PM

Sara Benwell: What qualifies as Important Business Services that require the most attention in operational resilience strategies?

Nick Simms: An Important Business Service is something that delivers a specific outcome to an external end user or market participant where disruption could cause intolerable harm – not just inconvenience – to consumers, the market, or the firm itself.

The Investment Association working group identified six high-level generic Important Business Services for asset managers: payments in; payments out; investment; custody; valuation; client and regulatory communications. Each of these was then broken down further.

From experience, it may be appropriate to focus on just one aspect of a business service delivered through one channel, say access to online valuations, and to think of other means of delivering the same service, e.g. snail mail, as one of the alternative delivery options in a disruption.

Sara: Looking at assigning accountability, for multi-jurisdictional and worldwide groups, how can we best hold parent companies to account?

Nick: This is difficult, particularly if the parent company or other parts of the group are subject to different regulatory regimes.

The US and Basel Committee on Banking Supervision (BCBS), for example, have taken a slightly different approach from the UK regulators.

The only way to get round this is for multi-jurisdictional groups to adopt a single, globally consistent approach and to have watertight, enforceable, intra-group contracts spelling out accountabilities and deliverables.

Sara: How should we determine “severe but plausible” scenarios and how can we measure such risks?

Nick: The Financial Conduct Authority (FCA) seems quite clear that firms are not required to measure the risks of any particular scenario occurring but should focus on what to do when – not if – the Important Business Service is disrupted.

We are being asked whether we could stay within our impact tolerances in the case of a “severe but plausible” event but it is not clear what “severe but plausible” means in this context.

Before, say, March 2020, would anyone have considered a global pandemic that has infected millions and led to the deaths of hundreds of thousands of people “severe but plausible” or was it “very extreme and barely plausible” and, therefore, outside what we should have been planning for?

Sara: What are the new lessons for drafting Service Level Agreements and how has this changed the holding of suppliers to account?

Nick: One of the challenges for many buy-side firms is that they are too small to properly challenge their suppliers. This is true even of the biggest fund managers who are dependent on the big cloud, payments, order management system and custody providers.

The only way firms can tackle their suppliers is collectively. This is difficult because of competition rules.

We are seeing industry bodies lead in this area. For example, there are initiatives to work with supplier utilities on having a standard set of questions that are posed to providers and can be used as the basis for any follow-ups.

Firms need to fundamentally rethink their procurement practices and their contract terms so that only those suppliers who can meet at least minimum resilience and recovery requirements are even shortlisted for contracts.

Too many contracts and associated SLAs talk vaguely about recovery but have no specific requirements and rarely, if ever, mention resilience.

Sara: Given the global dynamic of the recent pandemic, has the case grown for removing centralisation of operational support functions or has it grown?

Nick: The pandemic should certainly make asset managers think about how and where they run both their investment and support functions.

There are many organisations where the back office is geographically decentralised but the trading and investment decisioning is all in one place. Does that really make sense?

We need to think wider than geography, though. Many firms have concentration risks throughout their investment process, from suppliers, systems and staff, and these need to be systematically addressed.

Sara: According to an FCA report into Cyber and Technological Resilience from November 2018, 91% of disruptive events came in periods of change management. How can we best minimise these threats?

Nick: Change is the only constant these days, so all disruptive events come against a background of change management. The challenge is getting the right balance between “good discipline” and go-to-market.

The two biggest financial disruptions in the past decade, RBS/NatWest and TSB, both came from rushed migrations against the clock that weren’t thoroughly tested on the exact target platforms, and neither had clear and demonstrated back-out plans.

Firms need to take a very good look at their change management processes and ensure that resilience is appropriately embedded from the start, not seen as something that can be added later.

We are all aware of new products or processes that were being trialled for one or two customers and suddenly the whole firm or a whole product suite is dependent on them.