How firms deal with the growing number of operational threats, how they prevent or recover from them and how they protect customers will be critical to maintaining their reputation, future competitiveness and long-term sustainability. That’s according to new report issued by TheCityUK and PwC.
These threats range from cyber crime, climate change and complex and interconnected supply chains through to technological innovation and ageing legacy systems. Increasingly, those challenges are becoming inevitabilities rather than possibilities.
The report, entitled ‘Operational Resilience in Financial Services: Time to Act’, notes that although UK-based institutions are now financially resilient and able to meet the most stringent of financial stress tests, their operational resilience faces a range of threats.
However, financial services firms and regulators are well placed to boost operational resilience and support businesses facing operational difficulties. The positive impacts of doing so are significant. They include more sustainable performance, leadership in the global context and a boost to confidence, reputation and the ability to attract investment into UK plc.
Miles Celic, CEO of TheCityUK, said: “Operational resilience isn’t a choice. Rather, it’s a commercial imperative. Thousands of businesses and millions of customers rely on the financial services industry to save, borrow, purchase products and services and to go about their everyday activities with the expectation that everything will always work smoothly. Firms that maintain safety and efficiency through a crisis will have a clear commercial advantage and be more sustainable over the longer term. Those who don’t might not last very long.”
Celic went on to state: “Operational resilience cannot be achieved in isolation. There must be cross-sector collaboration to support resilience as well as close engagement with, and indeed action from, the regulators. Given the UK’s position as a global hub for finance, there must also be global consistency and co-operation. Any business is only as strong as its weakest link. Poor operational resilience in the supply chain can have dire consequences for all other component parts.”
Simon Chard, financial services partner at PwC, commented: “Technological advances are a double-edged sword for the industry as consumers and businesses demand more tailored, more efficient and more secure technology. The upsides of automation and Artificial Intelligence can be offset by firms’ vulnerability to attacks, system outages or simple human error. Current market conditions mean that the risk and potential impact of these events is growing.”
In conclusion, Chard stated: “The firms best positioned to deal with potential issues are recognising that the speed of technological innovation and the rapid adoption of relatively untested technologies is increasing business risk. The cost of ensuring operational resilience is actually relatively small compared to financial resilience and conduct demands. However, it brings with it significant opportunities for firms and the wider UK economy.”
Recommendations for industry and regulators
TheCityUK and PwC make a number of recommendations for industry and regulators to become operationally resilient, duly focusing on the following core areas:
Innovation and technological change Firms must review their approach to change and adapt their risk frameworks, governance and strategy to keep pace with innovation. They must prioritise the resilience of key services, building this into strategy and business plans
Good governance Good quality, future-looking management and information are essential. Culture has a key role to play and operational resilience should be built into management development programmes. Transparency on the potential threats, as well as clear lines of accountability and collective responsibility, will be key
Regulators UK regulators should continue to take a leading role in driving global standards on operational resilience. They will need to enhance capacity by expanding their skills and experience, while also providing greater clarity to firms on what they need to do
Connectedness Regulators should seek to map the sector to understand operational dependencies. The sector will need to work together to identify collective solutions to common challenges, integrating recovery and resolution arrangements where and when necessary. Working with technology providers, the industry should develop standardised support frameworks for key infrastructure services
TheCityUK and PwC have also identified five core areas of risk pertaining to a firm’s operational resilience:
Cyber crime Cyber attack is consistently cited as the single most urgent concern among senior industry executives. Attacks are going deeper and becoming more sophisticated, with attackers using more complex strategies and focusing on the most valuable targets
Climate change Climate-related risks have the potential to cause significant disruption and reputational damage. Physical risk can arise from extreme weather events such as storms, floods and heatwaves, as well as longer-term changes such as gradual increases in temperatures and rising sea levels. Transition risks such as changing market sentiment, or the gradual move towards a lower-carbon economy, will entail extensive policy, legal, technology and market evolutions to which the industry must adapt
Technological innovation Firms must make sure that data is available, accurate and confidential. They must also comply with an ever-growing roster of cyber and privacy regulations
Rising connectedness Whatever their cause, outages can lead to significant operational breakdowns, while increasing connectedness raises the chance – and the potential impact – of a systemic event
Managing change Business model evolution, IT infrastructure renewal and the changing competitive and regulatory landscape all pose challenges to a business’ ability to operate