Regulation watch: what lies ahead for operational resilience
Amanda Flynn, EMEA Regulatory Change Manager, at J.P Morgan Corporate Investment Banking explores the regulatory focus on operational resilience and what needs to be top of mind for firms
clearpat POSTED ON 8/3/2020 2:54:41 PM
Sara Benwell: What qualifies as Important Business Services that require the most attention in operational resilience strategies?
Amanda Flynn: The current focus is to establish the right set of criteria for determining if a business service is critical.
As a starting position, business services will be assessed against the Bank of England’s criteria set out in the December 2019 Operational Resilience consultation papers e.g. 'the service has the potential to cause harm to customers, harm to participants and harm to self''.
"The global definition of a critical business service needs to make sense, balanced with regional regulatory needs"
Globally, several regulators are just starting on the operational resilience journey and we expect more guidance to be provided. Therefore, we expect the criteria to continue to evolve.
Industry groups likely will have a role in establishing common understanding of what makes a business service critical.
From an individual firm’s perspective, the global definition of a critical business service needs to make sense, balanced with regional regulatory needs.
Sara: Looking at assigning accountability, for multi- jurisdictional and worldwide groups, what key questions do we need answers on from parent companies and how best to hold
them to account on deliverables?
Amanda: The Bank of England consultation paper sets the ownership with the Board and senior managers – and includes several new requirements to demonstrate accountability; for example, in making investment decisions.
We need to understand the accountability requirements from other regional regulators.
There are several overlapping existing global regulations in this space (e.g. recovery and resolution, cyber) with further operational resilience regulation expected.
Sara: How should we determine “severe but plausible” scenarios now and how can we measure such risks?
Amanda: There are several existing mechanisms in place to both: measure risk to firms; and to design test scenarios.
The theme is to leverage and build upon these existing frameworks rather than re- inventing or duplicating.
"There are several existing mechanisms in place to both measure risk to firms and design test scenarios."
The recent consultation paper throws an interesting new lens on scenario design – in particular, what scenarios are we not planning for?
It is early in this analysis, and it is hoped this will help us understand the service resilience limits better.
Sara: What are the new lessons for drafting Service Level Agreements and how has this changed the holding of suppliers to account?
Amanda: There are two lenses on SLAs here: Where clients contract with the Firm for services; and where the firm contracts with third party vendors for services. Both categories are likely to require further thought for Service Level Agreements (SLAs).
There is the potential for this regulation to introduce a new standard of industry expectation – and we would be looking to leverage collective engagement across the industry where appropriate.
Sara: Given the global dynamic of the recent pandemic, has the case grown for removing centralisation of operational support functions or has it grown?
Amanda: There is a difference between centralising functions versus overly concentrating functions.
Centralising functions into regional ‘centres of excellence’ spread across the globe remains useful, particularly to support ‘follow the sun’ operating models.
"While Covid-19 may hold current focus, this same principle applies to other similar risks"
But care needs to be taken to ensure that concentration of specific activity is spread across the regional hubs. And that coverage in other regions is available.
While Covid-19 may hold current focus, this same principle applies to other similar risks - political instability, climate events, etc.
Sara: According to a FCA report into Cyber and Technological Resilience from November 2018, 91% of disruptive events came in periods of change management. How can we best minimise these threats?
Amanda: Robust change management practises are well known with industry standards in place. Oversight of the implementation of these practises is a key.
The identification of critical business services should help focus and prioritise this oversight.
Get the recent popular stories straight into your inbox