Hello everyone and welcome to the latest edition of GreySpark Insights.
Please do not hesitate to contact us with any questions or comments you may have. We are always happy to elaborate on the wider implications of these headlines from our unique capital markets consultative perspective. Happy reading!
Given recent news-flow and the growing prevalence of black-swan events this decade, operational resilience has increasingly become a top priority for financial institutions and regulators alike. As such, GreySpark continues to see the importance of financial institutions implementing robust operational resiliency frameworks in line with evolving and indeed stricter regulatory requirements.
This week, GreySpark analyst Elliott Playle sat down with GreySpark manager and subject matter expert Mark Nsianguana to discuss all things operational resilience, including current operational resiliency regulatory frameworks, the nuances of implementing operational resilience, and challenges in achieving operational resilience for financial institutions.
Elliott: Between the aftermath of the financial crisis in 2008 and the start of the decade, it is probably fair to say that we didn’t see a unified operational resiliency framework in capital markets, with patchy regulatory standards spread across many different frameworks including EMIR and MIFID. Now, it seems that in the last few years, we appear to be seeing a change in that narrative with regulations becoming more grouped and more defined. I don't know if you have seen that?
Mark: Yes. So basically, following what happened in 2008, banks basically started to build their own frameworks and implement structural changes that can help to address and strengthen financial resilience. The reason why I speak about financial resilience is because a lot of people (including banks) lost a lot of money as a result of the financial crisis. And so the thing about this issue is they were looking at it from a financial perspective, rather than from an operational perspective. An operational perspective looks at how a bank operates from day to day. So, they're not considering things like, OK, whenever we have a disruption, or we have an incident, like what happened in 2008, what do we do? How do we go about it? Hence, the impact of the crash was greater than what it could have been. As a result, regulators started bringing out operational resiliency frameworks, starting in the UK in 2018. This was basically the first regulation to look at how firms can prevent, adapt and recover from disruptions or incidents that affect their business services, and how they can mitigate any risks from these disruptions. After this, in 2021, the Basel Committee realised that something needed to be done to strengthen firms' abilities to absorb any operational risk-related events, such as pandemics, cyber attacks, and technology failures. As you already know, COVID was a totally unexpected thing, with nobody ever imagining that a pandemic would happen. This is when operational resilience started to become a priority and an agenda item, because not many firms had the right protections in place. Also, the reason why it became such a focus for regulators was because markets are interconnected. If anything happens to one bank, it could affect its participants. Again, they're trying to avoid what happened with the crash in 2008. That's why the regulations, especially the UK regulations, focus on things like consumer harm: if anything goes wrong, how would it affect customers?
The UK regulations look at firm soundness if anything goes wrong and how it affects the firm and its peers. So the reason why regulators are trying to avoid these failures is because they want to protect the market.
Elliott: Yeah, sure. I guess when you look at it from a legislative standpoint, we've seen the UK become the first mover, if you like, in terms of establishing a unified, recognised framework. We had the work from the PRA, and then DORA (the Digital Operational Resilience Act), which came into force earlier this year, and I believe it's due to be implemented in 2025. So, with DORA, do you think the EU can take after what the UK has done?
Mark: Yes, definitely. So the difference between what DORA looks at and what the UK looks at is basically that DORA looks at IT-related incidents that affect business services. The UK looks at it from a broader perspective, where regulators here look at operational incidents, which can also include IT incidents. That’s the main difference. The UK framework took effect in March 2022 and is currently going through an implementation period that ends in March 2025. The UK objective for operational resilience is to protect customers, the financial sector and the economy from the impact of operational disruptions, and so the methodology behind this is that firms and financial market infrastructures (FMIs) have to look at important business services and set impact tolerances. This basically means looking at how long services can withstand disruption before it impacts a wider group. For example, say your mobile banking app went down: how long can it be down for before it affects your direct debit payments? Crucially, banks need to ensure that they test scenarios that remain within their tolerance. If the scenario remains within that tolerance, then that’s a good thing, because the service is able to withstand that scenario. If there's a scenario where it goes beyond that bank’s service tolerance levels, the bank needs to look into it to see what it can do to mitigate that.
Elliott: Yes, so in terms of actually achieving operational resilience, I guess it's quite a complex task, because, on a firm-to-firm basis, it might be different from one firm to another. Say you've got a big bank or a fintech provider; they're clearly going to have different requirements. With the regulations, and especially with DORA, we’ve observed that there is still some ambiguity there, with the absence of a clearly defined path on how these companies can actually achieve operational resiliency frameworks. It sounds like EU regulators are outlining all of these requirements, and they're just saying it's up to the bank to decide how to achieve compliance. Obviously, that creates a bit of uncertainty, so are there any specific challenges you see with firms becoming operationally resilient?
Mark: There are a few that I’ve noticed. The biggest challenge is probably silos, where different functions within the banks, such as business teams, IT teams and compliance teams, each have different approaches when it comes to dealing with disruptions. So it's not collaborative. It's not consistent. Everyone is just doing their own thing. The issue with that is that people start pointing fingers at each other to say ‘no, it's your fault. It's your responsibility.’ Nobody wants to take accountability. And that's the issue. However, DORA requires a cross-functional approach, where first line, second line and senior stakeholders have to work together. Another one is third-party risk. Because a lot of financial firms rely on third parties, there is a need for oversight of third-party providers to ensure the contracts that banks and third-party providers agree are compliant, and that risk management procedures are followed. However, some banks have immature third-party risk management strategies, which exposes them to risks. They're vulnerable to security breaches, data leaks, and other operational disruptions. The consequence of that is that it could lead to non-compliance, which could cause that firm to stop using the third-party services, which will have serious implications. The final one is creating a DORA framework. This is obviously a new framework that banks are currently not that familiar with. Adapting to this framework is going to require time and resources, because they have to update their policies, their procedures, and any other relevant tools to protect the bank.
Elliott: And I guess conducting adequate scenario testing is also a real challenge for financial institutions, especially banks?
Mark: Yes, testing is too. Testing can fall under third-party risk. This is because banks are relying on vendors providing information about what happens when they fail; for instance, what recovery systems and procedures are in place whenever a system fails? That’s what banks are relying on. However, these vendors aren’t always providing this information. These vendors are not always willing to participate in scenario exercises that banks have to do, because these exercises don’t provide any value to the vendor; why should vendors share their sensitive information if they aren’t getting any value out of it? I think this leaves the banks feeling quite lost. That’s why, with the use of a digital twin, banks have something over the third-party vendors. Third parties only have a singular product, whereas banks have a whole system of products. These products that banks take from these third-party vendors are put into a system, so they can see how it interacts with all the systems that the bank has, which is useful for the third parties. Therefore, if banks say that they can run rapid simulations of their product, using digital twin technology, the mindset of the third party may change, and they’ll be a lot more willing to work with the bank. Even so, banks can conduct data testing themselves using a digital twin without third-party reliance.
Elliott: That’s interesting. In the coming weeks, we’ll be looking more closely at how digital twins will transform operational resilience in capital markets, so I’m looking forward to that. Finally then, just in terms of trends you might have seen in your recent operational resiliency work, have you noticed anything in terms of how banks and financial institutions are applying operational resiliency, and certain things they might be doing?
Mark: So we’ve spoken to about three or four firms, mainly European ones. One bank we’ve spoken to has already started doing their current-state assessment, which basically means: how do we comply with the regulations? They reached out to us to do a gap analysis for them, to compare their policies and procedures against the DORA regulation, and see if there are any gaps so that we can actually advise them. We can also show them where they are not compliant, and what they can do to remediate that. Another bank is having framework issues. When I say framework, think of it as the components of the operational resiliency regulatory framework (i.e. DORA) put together. Banks aren’t so sure of what a ‘good framework’ is, which is why GreySpark has built its own framework to show what components firms should consider to meet those standards, and whether there is anything missing. Then, there was a US firm following UK operational resilience, but more from a best-practices standpoint rather than a regulatory standpoint. This particular firm was having trouble with resource issues when it came to testing, because the amount of required testing didn’t correspond with the team size, meaning personnel at this firm were having to conduct testing on top of their day-to-day work, ultimately leading to inefficiencies. This therefore meant greater resource usage and higher costs. However, the idea of this digital twin takes that effort away from all these testing teams and has other advantages over traditional scenario testing methods, which, as you said, we’ll be looking at more closely in the coming weeks.
End of transcript.
If you would like to reach out to us with any questions regarding your operational resiliency framework, or have any other queries, please reach out to us here.