Why better governance of technology suppliers is critical for operational resilience

Mike Tumilty, Global Chief Operating Officer at Standard Life Aberdeen explores why technology is the most important service when it comes to operational resilience

Sara Benwell POSTED ON 7/6/2020 11:01:40 AM

Mike Tumilty, Global Chief Operating Officer at Standard Life Aberdeen

Sara Benwell: What qualifies as Important Business Services that require the most attention in operational resilience strategies?

Mike Tumilty: In the asset management space the key business service is technology given that all our critical processes are driven by systems, e.g. Charles River, risk systems, performance systems, client reporting, and so forth.

Coupled with that would be telephony and the overarching reliance on broadband to provide connectivity for colleagues.

We are also inherently reliant on third party service providers, for example, Citi, State Street, and BNP Paribas for custody and fund accounting.

Sara: Looking at assigning accountability, for multi-jurisdictional and worldwide groups, what key questions do we need answers on from parent companies and how best to hold them to account on deliverables?

Mike: What is vital here is to have very clear policies and frameworks, which cover the entire firm wherever it operates.

That does not mean to say one size fits all, but having overarching policies and frameworks that can be leveraged is really important so minimum standards can be set globally.

Sara: How should we determine “severe but plausible” scenarios now and how can we measure such risks?

Mike: We constantly scan the operating environment to understand changing risks and events that could impact component parts of our business or indeed our whole business e.g. cyber security, political, environmental, social, technology, economic, and so forth. Which could impact component parts of our business of indeed our whole business.

We do an annual scenario planning exercise, which simulates a plausible scenario and tests how we as an organisation would respond. We aim to quantify the risks of the scenario, identify the likelihood of it occurring and how things might manifest themselves.

We then look at what mitigants we could employ and what other things we may need to consider. These exercises are subject to external assessment from an independent third-party.

Sara: What are the new lessons for drafting Service Level Agreements and how has this changed the holding of suppliersto account?

Mike: All our big contracts have a very clear and consistent theme with respect to the adoption of contractual breach.  This removes ambiguity in the event of who is liable when things go wrong.

Contracts are all underpinned by very detailed Service Definition Documents which set out who has responsibility for what in the provision of services.

SLA’s operate with very clear Key Performance Indicators (KPIs), which are reviewed in some instances daily, weekly, and monthly. We also have in place very clear Service Credit Mechanisms (SCMs), which are designed to remedy underperformance from suppliers.

One key thing is that the SLA’s are SMART but realistic.

Sara: Given the global dynamic of the recent pandemic, has the case grown for removing centralisation of operational support functions or has it grown?

Mike: I’m not sure the case has changed but what has been reinforced is that need for functions to utilise common technologies and for those technologies to be deployed on a remote basis.

The other thing that the pandemic has reiterated is the need to try and automate more processes that involve manual tasks and activities where possible.

Sara: According to a FCA report into Cyber and Technological Resilience from November 2018, 91% of disruptive events came in periods of change management. How can we best minimise these threats?

Mike: How we manage change is imperative and how we ensure quality in each stage of the change management life cycle, but testing from both a functional and non-functional perspective is critical.

The reputational impact associated with a cyber-attack because of any perceived negligence is massive and to that end, demonstrating that testing has been full and comprehensive is a key mitigant.

 

Please Sign In or Register to leave a Comment.