Operational Resilience deadline FCA

Author

Luuk Jacobs

Partner

Read the AlgoMe Consulting Operational Resilience podcast transcript

Posted by Pierre-Yves Rahari and Luuk Jacobs on 5 October 2021

Introduction: Please enjoy reading this discussion on Operational Resilience between the partners of AlgoMe Consulting, Pierre-Yves Rahari and Luuk Jacobs, presented as usual by Chris New.

Please note: Coffee With… AlgoMe Consulting podcast is produced for the ear and designed to be heard. Therefore, it is very conversational and not an article. Transcripts are generated using a combination of speech recognition software and human correction and may contain errors.

Chris New: Hello, and welcome to Coffee With… AlgoMe Consulting and me, your host, Chris New. Today’s podcast is the seventh in our third series of podcasts titled “Optimism with caution”. Today, we are also taking a break from our normal format, as we look to give you a whistle-stop tour of what you need to know about operational resilience.
As those of you who have listened to our last few podcasts, operational resilience, and with many other regulatory programs, are keeping asset management CEOs from their summer holidays, is looming large on most CEOs’ and CROs’ calendars, with regulators around the world looking to improve on the operational risk management initiatives in the last 10 years. That arguably has helped the industry to have a good pandemic and ensures that cyber security and robust dynamic governance are built on top of the risk management process. As we will hear for those managers in the UK, under the PRA FCA, that deadline is fast approaching. To help us guide through this Q and A session I am joined by AlgoMe Consulting Partners, Pierre-Yves Rahari and Luuk Jacobs.

Chris New: I’m going to do this in a very quick-fire format, just to help all those who are still either wondering what operational resilience is all about, or just have those questions that have never quite been answered. Let’s kick off with what is operational resilience and what are people doing about that? I am going to you first Luuk.

Luuk Jacobs: When we speak about operational resilience in the regulation it is quite specifically indicated, and in general, it is achieving resilience to operational disruption within your organisation. And it is really a strategic business imperative as well as a regulatory and compliance area of focus and the regulation is very much about looking at the important business services in your organisation. And that is defined as a service provided by a firm or by another person, because it could also be outsourced on behalf of the firm, to one or more clients of the firm. And if disruption would occur, then this would in that case, cause intolerable levels of harm to one or more of the firm’s clients, or would pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets. Still a broad definition, but at the same time, it indicates that it just goes beyond the firm itself. Which in the past BCP was very much focusing on, it is now moving that towards clients and the financial markets.

Chris New: Excellent. There are no internal services out of scope, is what I am hearing.

Luuk Jacobs: Internal services are part of the framework. Even in a way, they would be still in scope if they ultimately have an impact on the client or the operating or the financial markets. But if you would talk about maybe HR services, they would normally not be part of your operational resilience.

Chris New: Luuk, maybe you could talk us through a bit more about the international dimension of operational resilience and the difference between the regulators and the sort of timelines for implementing any regulation or consulting programs they have.

Luuk Jacobs: Absolutely. The UK regulation doesn’t stand on its own. There has been already a regulation within other countries as well, especially in Asia and Europe and through international bodies, like the Basel committee and there are for instance, elements of the international organisation of securities commissions. There is also in the US a joint authority’s paper on operational resilience and the European commission has a digital operational resilience that came in force in September 2020. And again, there has probably initially been quite a focus on cybersecurity and the resilience around that. The UK are probably a few steps further, not ignoring cybersecurity, but just making it part of the overall operational resilience. And that is looking at the levels of harm to one or more of the firm’s clients and the orderly operation of financial markets. It really goes further, and cybersecurity is just part of that.

Chris New: And in terms of which regulations need to be met first, is there a sort of a pecking order within those different jurisdictions?

Luuk Jacobs: Clearly all those regulations have certain dates at which they have to be implemented. It is not a pecking order in that sense, unless you take the date of implementation, it is really looking at the combined elements of this regulation and make sure that you understand the general denominator of these regulations, because clearly it is the most stringent regulation that you will have to follow.

Chris New: We have heard there is lots of regulation and compliance required, but I guess my next question is going to be, what are the business benefits beyond the prevention of harm to clients and financial markets, of operational resilience. Pierre-Yves, time for you to jump in. What are those business benefits? Can you give us a quick answer on that, please?

Pierre-Yves Rahari: I guess there will be three points to highlight here, Chris. The first point we will be looking at is, operational resilience gives organisations more holistic visibility on the resilience performance and the risk that is attached to their business. I think that is important, the holistic view. The second point is, thinking about operational resilience helps organisations look at or achieve a better coordination between business lines, when you talk about risk and prevention of risk, and it reduces the duplication of inefficiencies. And then the third point is around bringing better clarity in the organisation in terms of roles, responsibility, with regard to risk and prevention of risk. More and foremost, it gives boards and senior management an ability to assert their role as responsible for risk.

Chris New: Excellent. We got some governance there and some transparency in terms of reporting and decision-making. In terms of the financial markets, is this something that you think will improve the resilience of financial markets and the second part of the question?

Pierre-Yves Rahari: Oh, definitely. And it is part of the program. It’s a two-fold program that the regulators are trying to implement. As you mentioned, part one is to prevent harm to clients. And part two is to continue the contribution of financial firms to the stability of the market. It is a collective and industry type of goal that we’re trying to achieve as well.

Chris New: Excellent. I guess, taking that sort of wider stability, we can go back to the UK specific. The top of the first question, we mentioned important business services or IBS, an acronym that everyone’s going to have to get used to in the WAM industry. Luuk can important business services, it could have a different definition for, despite anyone who you ask, maybe you could give us some clarity on what is an IBS an important business service.

Luuk Jacobs: Let me do by giving some examples, I think that indicates it better than just the description of the regulator. I think when we talk about IBSs for example, the acceptance of clients’ transactions through an order management system, is obvious if that cannot take place, people cannot place their investments, cannot withdraw their investments. That would definitely in that case harm the firm’s clients.
But equally placing investment orders. Within the funds placing the investment orders, if that would not be resilient, that would clearly impact also the financial markets. And on top of that also clearly the client, because a fund manager cannot place its trades in the markets because of operational issues. Then that would most likely impact the performance of a fund. In the wealth and asset management industry, we are very much using all kinds of IT solutions, outsourced solutions, et cetera, within that. You can imagine there as well that the availability of information and communication is paramount to doing our day-to-day business. Unavailability of that would most likely have a significant impact. And if we look at IT specifically, there is also a quite high risk of concentration, because it is not just where the company itself directly has outsourced, for example, its cloud services, but that is also the outsourced providers. For example, for that order management system or for investment orders, where have they outsourced their cloud to? And do we understand that? Do we have that full picture of IT services and who the parties behind that are? It is almost the sub outsourcing of the outsourcer. As the company you need to know that as well, to understand it, to be well-prepared to create your own mapping of the risks and therefore, in that way, your operational resilience.

Chris New: That is interesting. I think, it comes through it and all those examples you gave. I think this is maybe the difference between perhaps a UK and European or US regulations. And I think Singapore doing a similar thing to the UK, it is about focusing on a service that is ultimately delivered to the client. Not just looking at how a firm is impacted. Is that a fair summary?

Luuk Jacobs: Absolutely Chris. And that is what I also highlighted in the intro already. It moves from call it BCP business continuity planning to operational resilience that is focused on clients and the financial markets. It really goes quite a step further than before, and therefore in that sense also BCP is not enough. That might be thought in the market like, oh yeah, but we did already BCP, we have everything in place. I would put some caution to that and say, you have to go a step further and you really have to look at your organisational setup with outsourced parties. What do you do internally, but also know your outsourced party. Have also the discussion with the outsource provider of services as to how they manage operational resilience, because they might not be regulated, but if you have outsourced things, you remain responsible for that service that you have outsourced. You need to know your outsourced party as well. And for sure you can mitigate that risk by doing audits, do a joint audit with competitors. Competitors might use the same service provider. And that gives you further assurance as to how they have set up that operational resilience. But definitely it has to go beyond BCP, and you have to look much more at your complete organisational setup, call it your target operating model of your organisation, and really well understand it.

Chris New: Talking of understanding, that was a nice segue into some deadlines and some dates. My next question is around self-assessment and reporting, which I believe is expected in March 2022. Maybe you can tell us what that is, what steps you would recommend in terms of a plan and how you would organise that sort of self-assessment.

Pierre-Yves Rahari: March 2022 is part of a two-step program, Chris. By March 2022 firms are expected to come up with a self-assessment report that outlines how they are doing from an operational resilience viewpoint and what are the remediation programs that they need to come up with. And then from March 2022 to 2025 firms have three years to do the remediation. More specifically on the March 2022 report, there really are three steps that we would recommend. One is the identification. Two is the definition and three is the testing. Under identification really, it is a matter of defining what your IBS are, and having marked your resources that contribute to the business services. Then the definition is really defining what your tolerance level for IBS is. And what is the impact of those IBSs. And three, the testing is really coming up with scenarios where you test the IBS and their impact, and you analyse where your situation is from the viewpoint of operational resilience. And then come up with a program that says, this is what we have identified, this is what we have defined, this is what we have tested, and this is our situation. Then we will design the program to remediate what we have to do for the next three years. Firms are not being told you have to be crystal clear and correct, and all set up by March 2022. They have been asked, you need to have a framework in place. You have to have identified your IBSs and what their impact is and show you have tested this whole framework with scenarios, and that you have identified where you are strong, where you are fair and where you absolutely need to remediate your model. There is no standard provided by the regulator in terms of the report, but again, we would recommend going through an identification process, a definition process and through a testing process and translate that into a report. And most importantly, identify what needs to be remediated over the next three years.
Make sure that you establish a governance model to make this work and set up a SteerCo connected directly to the board, to oversee the whole process and to get the buy-in from everyone in the firm that will be impacted.
In other words, create a culture where operational resilience becomes the norm throughout the organisation.

Chris New: Fantastic. And that what we are describing here is for the UK regulator, if you set up this program or you set up this governance off the back of this program, if someone says, oh, that is only for the UK, that is a lot of effort. Do you think this is applicable? Or you could leverage this for other jurisdictions?

Pierre-Yves Rahari: I believe you can. If you look at the regulations that we have quoted earlier in America, in Europe, in Asia they all operate from the same spirit, that there is identification and the remediation of operational resilience. You can replicate the format across your organisation and jurisdictions.

Chris New: Brilliant. I think my next question then is going to be, again, we are talking about a program. All firms in our industry have been through a lot of regulation since the financial crisis. So, it feels like one regulation after another. And in terms of efficiencies, would you recommend leveraging the existing risk and control frameworks. We have mentioned BCP, we also have operational risks has been an ongoing effort for firms. Could we leverage these in the self-assessment review? I am going to point that one at you Luuk; what are the chances for efficiencies for anyone listening to this?

Luuk Jacobs: I think efficiencies are definitely there and it is not a complete start from nothing. Definitely as an organisation, you would look at your current operational risk framework or overall risk framework that you would take as a starting point. But as I mentioned earlier, it goes a bit further than that. And at the same time, you don’t want to create something that is completely standing on its own as an operational resilience. You want to integrate it within your overall risk management framework. As I said before, you really have to go a few steps further than you might have done within your normal risk management framework. So definitely efficiencies there, the use of what there is today, but with a different angle, I would say to it that you have to integrate within that.

Chris New: And taking that one step further because there are various pieces fitting together, which we have just discussed. How would you recommend organisations, organise within their current governance structures and governance models?

Luuk Jacobs: Clearly very important to integrate it within your current governance structure. It’s also an SMF 24 function for the COO. The COO is responsible for operational resilience and will need to give in an annual assessment for him or herself assurance, that operational resilience is well covered within the organisation. Covered in the sense of well understood, assessment done, an annual assessment in that sense, as well as if it is still fit for purpose. But on top of that, it is also the existing governance structure of a company that needs to not just be aware, but probably approve the set-up of operational resilience in the organisation. And that goes up to the level of the executive board, the company board with the independent directors. Our experience as well in doing this for organisations is to get to the point where operational resilience is well understood; set up in the sense of annual assessments; the self-assessment of it, et cetera. To get to that point, it is advisable, to set up SteerCo or a working group that really deals with this for the next six to nine months initially. And then the implementation as well afterwards for the mitigation of the operational resilience shortcomings that need to be remediated.

Chris New: Okay, that sounds clear. Strong governance is important in any of the programs that we implement. No difference here. That brings me to my final question back to Pierre-Yves. What happens after March 22, when you have done your identification, definition and testing?

Pierre-Yves Rahari: Once you established a report, part of your report would be a program or a plan that maps out how you are going to address and remediate the outcome of your testing. You are going to have to fix something. You have got three years to get it done and that is what the regulator is going to look into. This is a principle-based regulation. There are no specifics in terms of what is going to happen. And you are going to have three years. I would recommend to make sure that in your report of March 2022, your plan is very clear. The plan you are going to work against the next three years of course. Make sure that you have a team in place, as Luuk referenced earlier, that takes responsibility for the execution of the plan and the remediation that is needed over the next three years. Make sure that your governance model is in place so that you can on a regular basis, review interim reports as how you are doing against the remediation plan. It could be a six months or yearly interim report, but it needs to be on a regular basis, and you need to be aware of where you are going. And it is an iterative process. It’s a dynamic process. Some new risks could emerge that will need to be baked into your scenarios, tests, and report. Again, three years to remediate what you have highlighted in your March 2022 report, but on a very dynamic and iterative basis.

Luuk Jacobs: I can add to that, Chris. At AlgoMe Consulting we have designed for our clients the seven steps to establish your firm’s operational resilience framework. These seven steps form also the basis for the Self Assessment Report (SAR) as requested by the regulator. Then we follow that with the seven steps of mitigation. Which is similar kind of high-level roadmap, how you can get to an operational resilience framework that sits within the tolerance of call it risks that you want to take there.

And we work with our clients on establishing that. It helps also in formulating what in your organisation needs to be done on a high level, not a nitty-gritty detail, but that doesn’t mean that the detail you don’t have to go through, but at least you have a good framework of communicating throughout the organisation. What operational resilience means, how you are going to establish it, and as Pierre-Yves mentioned also, it is dynamic and how you over time stay on top of it.

Chris New: Brilliant. There we go, seven steps to operational resilience heaven. Luuk, Pierre-Yves, thank you very much for that very informative guide to operational resilience. I hope you found this whistle-stop tour on operational resilience useful, informative.

If you want to discuss this podcast further with us, have any questions on operational resilience or how to implement your operational resilience program, please get in touch with us through enquiries@algome-consulting.com. Thank you and goodbye.

Listen to the episode here to find out more.

 
