Operational resilience challenges in banking and financial markets

At the beginning of the year, I was invited by the IBM Institute for Business Value (IBV) to join 44 IBM global experts — members of Industry Academy and Academy of Technology — to reflect on key trends driving investments and actions in 2021. We identified eight trends that will dominate, and push banking and financial markets leaders to take action toward new cloud-based business architectures:

• Muted financial performance
• Accelerated digital adaptation
• New cloud-based business architectures
• Escalating competition
• Operational resilience challenges
• Increasing open and free data
• Security and fraud risks
• New ways of working.

Let’s explore together the challenges of operational resilience as everyone’s responsibility.

With mid- and post-pandemic uncertainty, financial services CEOs and senior managers are learning the importance of digitizing at a faster speed. Leaders are also being proactive and anticipating impacts on their businesses. Business continuity plans are being revised and cybercrime is up significantly.

No firm is immune to disruptions. Outages in the financial services industry occur more often than governments, regulators, and boards are comfortable with (see Reuters article, “Factbox: From hungry squirrels to cyberattacks, exchange outages roil market” for some public examples).

From a controls point-of-view, this acceleration introduces new risks, and it has never been more important to:

• Have strict evidence-based practices
• Have a traceable, expeditious means for handover and delegation of processes
• Comply with stricter cloud and other outsourcing obligations
• Focus on potentially winding down business and engage in exit planning for your organization, as well as key suppliers, in the event of failure.

An everlasting barrage of new regulation is coming in 2021 as many regulators are tightening industry standards to withstand the effects of pandemics, cyber events, natural disasters, and technology failures. For example, discussion papers are available from the UK’s Prudential Regulation Authority (PRA), Financial Conduct Authority (FCA), and Bank of England (BOE) on operational resilience.

Also in the European Union (EU), the Digital Operational Resilience Act (DORA), was recently announced as part of the new digital finance strategy, which is designed to “consolidate and upgrade information and communication technology (ICT) risk requirements” across financial entities to ensure all firms are “subject to a common set of standards to mitigate ICT risks.” The Bank for International Settlements itself, which coordinates work globally for the banking industry, is planning to create its own standards.

Operational excellence and resilience in an increasingly interdependent and complex world

We know the world is more interconnected than ever. There are more technology domains appearing and new technologies being created, resulting in a limited pool of skilled workers in a competitive financial services environment. There is a constant need to adapt to change with people, processes, technologies, services and suppliers also all presenting risks to organizations.

Financial markets are the backbone of the overall economic system. There is a clear obligation to fulfil the expectations of the market, shareholders, governments, and regulators. Their failure could disrupt the ability to supply goods and services and impact the pace of economic activities. But really, it is about people. If a cash/payments system goes wrong, someone doesn’t get paid. Then that person can’t meet their financial obligations, can’t buy food, can’t buy medicine, triggering a potential domino effect.

Businesses may never feel totally comfortable because there will always be changes that threaten to hinder resilience outcomes. Therefore, it is critical to learn from near misses, incidents, and service outages. Financial institutions have to continuously invest and evolve to tame an increasing trend of diverse disruptions.

For example, as reported by the Reserve Bank of Australia (RBA) in 2020, the number of banking outages surged to about 2,300 total hours in Australia, and the number is up over each of the past three years, from less than 1,000 incidents in 2017.

Outages in Australian retail payments

A key challenge in financial services exists because the industry is highly interconnected and dynamic in nature, whether that be cash flows, securities movements, or other technology dependencies. Financial regulators in the UK, for example, recognize the “system of systems” complexity within an organization. Therefore, there is a unique need to define and map important business services.

Financial institutions need to consider the chain of activities that make up an important business service, from taking on an obligation to delivery of the service. They must also determine which part of the chain is critical to delivery. Regulators require that all resources necessary to deliver each part of the service be operationally resilient.

How and when to address operational resilience?

Ideally, efforts to improve operational resilience are considered a common, business-as-usual function. Financial services institutions will always be confronted with trigger points. For example:

• A significant outage to a critical service after an upgrade that didn’t go as planned
• External scrutiny from regulators leads to a full reassessment of policies and practices
• A change in management invites a reassessment of C-suite awareness of resilience
• A new business or a change in technology — for example, migrating business critical workflows to cloud — can require reprioritizing resilience practices.

Financial services institutions need to examine typical causes of operational disruption and regularly consider how best to invest time and resources to improve. The National Institute of Standards and Technology (NIST) offers a framework that helps organizations get started with a capability assessment to identify, prevent, detect, respond, and recover from cyber incidents. This type of framework fosters communication between technical teams and business stakeholders. It helps to develop an organizational understanding of managing cybersecurity risk across systems, people, assets, data, and capabilities. It is just as relevant for operational resilience as it is purely for cyber-resilience.

Who addresses operational resilience?

Operational resilience should not be considered a point-in-time activity, but instead part of a cornerstone set of principles and behaviours within the firm’s DNA and culture. It must be considered everyone’s responsibility, and planning starts at the top of the firm. A board wants actions and progress across the business, and enforcement of a unified approach to achieve resilient services. This should translate to senior level engagement and critical thinking across the organization, resulting in appropriate investments, accountability, and continuous oversight.

Because operational resilience is linked to change, financial institutions should perform continuous assessments and constantly adapt to defeat new threats and enact new solutions. A few people can understand a system in detail, but even fewer can truly understand the complexities of a business and technical “system of systems.” Therefore, navigating the uncharted waters of operational resilience requires financial firms to:

• Start planning at the top of the firm
• Establish operational resilience as an ongoing business-as-usual activity
• Encourage everyone to play their parts.

An action guide to succeed in the operational resilience journey

I encourage and recommend a consistent set of actions founded on three pillars:

• Take an organizational perspective. Put sufficient operational resilience expertise at the board level. Senior management should demonstrate measurable progress and implement appropriate KPIs for execution and control.
• Prioritize a shared culture and common understanding. Use a multidimensional operational resilience framework as a guide to establish better practices among people, process, governance, and technology domains.
• Seek an external independent market perspective. Seek alternative, independent views from similar organizations and adjacent industries to complement your in-house expertise.

Operational resilience is a critical component of a financial institution’s value proposition. Successful operational resilience is not a program, but a business-as-usual capability, supported with investment in skills and technology that empower everyone in the ecosystem.

For additional insights about how to consider resilience in the new age of risk where amplified risk and overlapping disruptions demand a new approach to strategy development, I encourage you to download the recent IBV paper, “Resilience in the new age of risk.”