Rethinking Resilience, Part 1
What problems are firms facing with scenario testing ahead of the UK regulatory deadline?
With much of the talk around operational resilience in capital markets pertaining to the European Union’s Digital Operational Resilience Act (DORA), it is important to remember that other jurisdictions are also embarking on their own operational resilience regulatory journeys. In the UK, it is almost a year until UK-based financial institutions (FIs) must achieve legally-binding operational resilience standards laid out by the UK’s Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA) and Bank of England (BoE). By no later than 31 March 2025, in-scope FIs will need to have:
Performed mapping and scenario testing so that they can remain within impact tolerances for each important business service. Impact tolerance is defined as the maximum tolerable level of disruption to an important business service, measured as a length of time together with any other relevant metrics; and
Made the investments necessary to enable them to operate consistently within their impact tolerances.
This is on top of a set of requirements that in-scope FIs should already have met, including having identified the important business services that, if disrupted, could cause intolerable harm to consumers; having carried out mapping and testing to the level of sophistication needed to identify those services; and having prepared self-assessment documentation.
The UK’s operational resilience requirements are less prescriptive than the EU’s, taking a principles-based approach that allows supervisors to use their judgement in assessing operational resilience outcomes. DORA focuses primarily on the risks arising from ICT disruptions, whereas the UK adopts a risk-agnostic, outcomes-based approach. The UK rules also do not include provisions on regulatory oversight of critical third parties or on ICT incident reporting and classification, whereas DORA does.
Now is the time for financial institutions (FIs) to rethink resilience and map out how they will deliver robust, functional and, above all, compliant operational resilience frameworks.
As digital transformation of the financial sector accelerates, the exposure of FIs to major disruption from technology failure, whether a deliberate cyber attack or an ICT system flaw or breakdown, naturally increases. Operational resilience frameworks have had to keep pace with this reality in order to reduce system vulnerabilities.
The UK regulators have outlined four key areas where they expect firms to focus as they work towards meeting the policy expectations: implementing operational resilience policy, scenario testing, building resilience and embedding operational resilience.
As highlighted, a key ingredient to achieving a compliant operational resilience framework is scenario testing. A firm must carry out scenario testing to assess its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations. However, GreySpark observes that scenario testing is proving problematic for in-scope FIs.
In practice, the new regulations push firms away from traditional scenario testing methods towards more sophisticated, data-driven frameworks, increasingly built on artificial intelligence, so that more complex scenarios can be modelled and measured. Delivering such a framework is an operation in itself, requiring detailed data preparation and management so that scenario testing can be conducted with maximum efficiency and accuracy. Scenario testing, to be clear, means testing the functionality and resilience of a firm’s systems against a range of plausible disruption scenarios using data inputs, often via simulation.
In particular, when it comes to delivering scenario testing frameworks subject to the UK’s operational resilience requirements, GreySpark observes four major problems that are holding back in-scope FIs in their quest to deliver an optimal digital operational resilience testing model. Below, we explore two of these problems and will follow up with another post covering the final two problems at a later date:
Lack of Dynamic Data Integration in Operational Resilience Models
In the capital markets industry, regulators generally mandate FIs to build operational resilience models for their important business services (IBS). These models are crucial for scenario testing, setting impact tolerances and identifying system weaknesses.
However, existing operational resilience models are largely static: they run on pre-defined data sets and cannot incorporate real-time data updates and integrations. Typically, data is entered manually before the simulation is run, which limits the number of different scenarios that can be simulated. This makes it difficult for banks to conduct accurate scenario testing, set impact tolerances and gather useful metrics, because their models cannot reflect real-time changes in the business environment.
To make matters worse, many FIs operate with data silos across geographies and departments, leading to costly inconsistencies and fragmentation. Banks therefore need a holistic, dynamic digital model that closely resembles the actual state of each IBS, incorporating real-time data to improve accuracy and responsiveness. Failure to deliver such a model will ultimately leave in-scope FIs short of the UK operational resilience requirements. Financial software company Ansarada estimates that the cost of non-compliance with operational resilience requirements is on average 2.7 times higher than the cost of compliance.
Inadequate Ongoing Monitoring and Adaptation in Operational Resilience Models
Regulatory requirements from the PRA and FCA mandate FIs to update their operational resilience models regularly to reflect changes in their business, ensuring the ongoing resilience of their important business services. Today, FIs rely on historical data to set impact tolerances in static models. These models lack the agility to adapt to changing business dynamics and often require manual, labour-intensive intervention, which distracts from core business duties. For example, an employee may be required to organise and plug data inputs into the simulated model by hand, which can introduce errors and leave the model running on outdated data if the testing scenario changes quickly.
The result is that FIs require a more agile and adaptable digital operational resilience model that can automatically incorporate changes in business activities, reducing the need for frequent manual updates to impact tolerances and other parameters.
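To make the two problems above concrete, the following is an added worked example, not code from the original post or from GreySpark. It models an important business service as a dependency map, runs several severe-but-plausible scenarios against it and checks each recovery time against the impact tolerance (measured in hours, as the UK definition requires). A second run refreshes one restore estimate from a live feed to show how a static, manually entered input can report the service within tolerance while the real-time figure breaches it. The service, component names, restore hours, scenarios and the live-feed value are all constructed for illustration.

```python
"""Scenario test of an important business service (IBS) against its impact
tolerance, using a static dependency map and a variant that refreshes restore
estimates from a live feed. Added illustration: every name, figure and
scenario below is constructed, not drawn from any firm's resilience model."""
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class Component:
    name: str
    restore_hours: float   # time to rebuild this component once its dependencies are back
    depends_on: tuple = () # names of components it cannot run without


# Constructed mapping of a hypothetical IBS "equity_execution" (people, process,
# technology and a third party), not a real firm's map.
MAPPING = {
    "equity_execution": Component("equity_execution", 0.5, ("oms", "market_data", "trading_desk")),
    "oms":              Component("oms", 1.0, ("oms_db", "primary_dc")),
    "oms_db":           Component("oms_db", 1.0, ("primary_dc",)),
    "market_data":      Component("market_data", 0.5, ("vendor_feed",)),
    "vendor_feed":      Component("vendor_feed", 3.0, ()),      # third-party supplier
    "trading_desk":     Component("trading_desk", 1.0, ("office_site",)),
    "office_site":      Component("office_site", 0.5, ()),      # relocation to recovery site
    "primary_dc":       Component("primary_dc", 1.5, ()),       # failover to secondary DC
}

# Constructed scenarios: each names the components the disruption knocks out.
SCENARIOS = {
    "loss_of_primary_dc": {"primary_dc", "oms", "oms_db"},
    "vendor_feed_outage": {"vendor_feed"},
    "office_evacuation":  {"office_site", "trading_desk"},
}
IMPACT_TOLERANCE_HOURS = 4.0  # constructed tolerance for the hypothetical IBS

# Constructed live feed: replication lag to the secondary DC has grown, so the
# database now needs 2.5 h to restore rather than the 1.0 h in the static map.
LIVE_FEED = {"oms_db": 2.5}


def service_recovery_hours(mapping, service, failed):
    """Hours until `service` is back, given the components the scenario fails.
    Simplification: a failed component is restored only after everything it
    depends on is back; an unaffected component is available as soon as its
    dependencies are, with no restore work of its own."""
    failed = frozenset(failed)

    @lru_cache(maxsize=None)
    def recover(name):
        comp = mapping[name]
        deps_back = max((recover(d) for d in comp.depends_on), default=0.0)
        own = comp.restore_hours if name in failed else 0.0
        return deps_back + own

    return recover(service)


def run_scenarios(mapping, service, scenarios, impact_tolerance_hours):
    """Return {scenario: (recovery_hours, within_tolerance)} for every scenario,
    so one map supports many scenarios without re-entering data by hand."""
    results = {}
    for label, failed in scenarios.items():
        hours = service_recovery_hours(mapping, service, failed)
        results[label] = (hours, hours <= impact_tolerance_hours)
    return results


def refresh_from_feed(mapping, feed):
    """Dynamic variant: overwrite restore estimates with live observations
    (for example a measured failover drill or current replication lag) where
    the feed has them, leaving the rest of the map untouched. Returns a new map."""
    refreshed = dict(mapping)
    for name, observed_hours in feed.items():
        comp = mapping[name]
        refreshed[name] = Component(comp.name, observed_hours, comp.depends_on)
    return refreshed


if __name__ == "__main__":
    static = run_scenarios(MAPPING, "equity_execution", SCENARIOS, IMPACT_TOLERANCE_HOURS)
    live = run_scenarios(refresh_from_feed(MAPPING, LIVE_FEED), "equity_execution",
                         SCENARIOS, IMPACT_TOLERANCE_HOURS)
    for label in SCENARIOS:
        print(f"{label:20s} static={static[label]}  live={live[label]}")
```

With the static map every scenario sits inside the 4-hour tolerance (loss of the primary data centre recovers in 3.5 h). Once the database restore estimate is refreshed from the live feed the same scenario takes 5.0 h and breaches tolerance, which is exactly the gap a manually maintained model hides until someone re-keys the inputs. In a real framework the feed would be wired to monitoring, replication metrics and third-party status rather than a constant dictionary.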
More to follow.