Operational resilience is a key area of focus for financial services firms. It is the ability for a firm to rapidly and efficiently adapt to changing environments. Over the last 12 months, the coronavirus pandemic has challenged operational resilience in financial firms in unprecedented ways, putting it at the top of the agenda for the regulators. Following on from the FCA’s latest consultation paper (CP/19/32) which was issued in December 2019, we are months if not weeks away from the new rules being published which will further increase the pressure on firms to demonstrate resilience for any crisis that may arise in the future.
In a recent webinar hosted by SteelEye together with Aldbury International, we discussed what operational resilience is, its evolving role, how firms can get it right and how trade and communications surveillance can help. To get an understanding of people’s views on the topic, we took the opportunity to ask the +50 participants a number of questions. The findings were telling of the fact that there is a need for change. In this article we look at the responses received during the webinar polls and discuss the strategic considerations firms should look at in anticipation of further regulatory scrutiny in this space.
59% of firms reviewed their BCP strategy more than 6 months ago
Over the past 12 months firms have had to adapt to a number of key areas that the pandemic has challenged, including how to reshape business operations and controls for remote working. Consequently, Business Continuity Planning (BCP) seemed to be one of the key steps financial services firms took at the beginning of the crisis.
However, considering how many changes have happened over the last year, it is surprising that nearly 60% of people claimed that their firm has not reviewed their BCP strategy in the last 6 months.
It is even more worrying that 30% of firms last reviewed their BCP strategy more than a year ago. BCP is only a small part of firms’ overall operational resilience program and should be reviewed regularly – annually at worst and in the current situation, more frequently according to Chris Goodeve-Ballard at Aldbury International.
When it comes to BCP, many firms still confuse this with operational resilience. While they can be compared, operational resilience is much more than BCP. The aim of operational resilience in financial firms is not only to ensure that a business can keep going during uncertain conditions, but also to ensure it can continue to provide the services its clients expect. The impacts of not getting it right are significant and the failure to deliver operational resilience can harm not only a firm's reputation, but also affect its clients and the financial system more widely.
For example, in July of 2018, GAM announced that they had decided to investigate internal issues related to risk management procedures and record keeping in certain instances. Specifically, GAM mentioned that their fund manager had broken inducement and trading rules and had used their personal email for work purposes. GAM’s share price dropped in the region of 60% in the aftermath and the CEO lost his job. This was primarily due to poor initial communication of the issue which precipitated the subsequent crisis.
Examples like these, shows how crucial it is for financial services firms to get operational resilience right. By investing in operational resilience, firms have a chance to innovate safety, respond to fast-changing situations and increase the trust it has with its clients.
50% of firms have never exercised their crisis team
Many firms think that investing in the right technology is efficient in demonstrating operational resilience. However, there are so many more things that firms need to have in place beyond technology.
Firms need to also have the right people, training and an appropriate crisis management team that is regularly exercised. However, when asked about crisis management, only 38% of respondents stated that their crisis team has been exercised in the last 6 months.
These statistics should make us worry, especially when we are talking about a global pandemic. The past 12 months have taught us that firms should always be ready to face unpredictable conditions and take the necessary steps to prevent a crisis.
Good crisis management is an important element of operational resilience in financial firms and to get this right, firms need to regularly exercise their crisis team (and ideally, their subordinates) – at least every 6 months.
Remember: by having a professional crisis management plan in place, firms can better protect their brand, financial stability, supply chain and more during a crisis.
Only 47% of companies have completed a post Covid-19 lessons learned review
Lesson learned exercises are extremely important. It is a practice where firms weigh the impacts of different approaches and decisions that took place during a crisis and discuss what they could have done better.
When done correctly, such an exercise provides key learnings that can help business leaders to build resilience and thrive during future critical situations. It is therefore somewhat disconcerting that only 47% of firms have done such an exercise to date.
Sure, the pandemic is not over yet, but we have gone in and out several lockdowns over the past 12 months, each one of which should arguably have had its own lessons learned exercise to prepare for the next lockdown. The key things that help firms survive when unprecedented changes come up are these lessons learned.
Another important area or aspect of maintaining operational resilience in financial firms is the compliance practice of market abuse communications surveillance. Regulatory communications surveillance presented a significant challenge for many firms early on during lockdown as they did not have the technology in place to monitor regulated employees outside the office. Without effective recording and monitoring controls, firms lose vital evidence needed to resolve disputes between employees, clients, colleagues and other companies. This can be extremely damaging – both financially and reputationally.
Firms need to have a rigorous monitoring regime where in-scope activities conducted outside the controlled office environment are captured.
Conclusion
Regulators want to see evidence that demonstrates firms’ ability to deal with major incidents such as Covid-19. With their upcoming consultation paper this pressure is only going to increase. To meet regulatory demand, it is important to remember the following three principles:
- Good situation awareness – Firms need the right systems in place so that they can understand how any incidents, security breaches or suspicious behaviours may impact the firm.
- Crisis leadership – Every firm needs to include provision for crisis exercising, training staff on the response procedures, and critical decision making for when the BCP does not work.
- Communication – Firms do need to have a strong communications plan in place for communicating with stakeholders in crisis. They also need means to capture and monitor communications by regulated employees irrelevant of if they are in the office or not.
Operational resilience in financial firms can seem challenging but when approached in the right way, can be straightforward to establish – helping firms innovate safety, survive when unprecedented changes come up and increase trust with their clients thus providing them with a competitive advantage.
Professional crisis management plans, lessons learned exercises and the appropriate use of technology are some of the key area's firms can focus on to get ahead.
.png?width=163&name=Mark%20Pflitsch%20(square).png)
Mark Pflitsch
Head of Sales
SteelEye
Simplify your compliance and generate value from your data with SteelEye.
Our data-centric SaaS platform consolidates all your data, both structured and unstructured, under a single lens and facilitates effortless compliance with MiFID II, MAR, EMIR, Dodd-Frank and more.
Book a Demo
.png)
