In recent years, operational resilience in organizations worldwide has been tested and re-tested by a global pandemic, major supply chain disruptions, the war in Ukraine, and the ever-increasing threats of cyberattacks – to name just a few unprecedented, not to mention simultaneous, situations. These disruptions served as a wake-up call for many organizations and regulators alike and have proven that operational resilience is no longer a “nice to have” but a “need to have.”
Regulators in most leading jurisdictions are taking operational resilience very seriously and are increasingly cracking down on organizations that fail to meet the minimum requirements. Recent regulatory actions make it clear: operational resilience must remain a priority for everyone – especially for those in the financial services sector.
Regulators across the globe are taking prescriptive action to ensure that critical infrastructure sectors, including financial services, can continue to operate when disruption strikes. The UK took the global lead on operational resilience regulations for financial services firms when the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) defined a framework and set a firm deadline for compliance: by 2025, financial services organizations will need to implement all aspects of the operational resilience requirements so they can continue to deliver important business services to their customers and markets within defined impact tolerances in the event of a disruption.
Following the UK’s regulation, additional countries also began enacting similar laws. For instance, in Hong Kong, the Hong Kong Monetary Authority (HKMA) finalized the Banking Capital Amendment Rules 2022 (BCAR 2022), which require authorized institutions to deploy an operational resilience framework and determine a timeline to become resilient before May 31, 2023, and subsequently enact the framework to become operationally resilient before May 31, 2026.
Other countries that are working to strengthen financial services sector operational resilience include Ireland, Singapore, Australia/New Zealand, the U.S., the EU, and Canada. Additional related regulations, such as the Digital Operational Resilience Act (DORA) in the EU which extends the demonstration of resilience to entities’ third- to nth-party relationships, have also been agreed on and actioned.
Achieve Compliance and Resilience
Considering these evolving regulations, financial institutions with global operations must remain compliant in numerous jurisdictions – but jurisdiction-based program silos are not sustainable. The culture shift required for true operational resilience includes removing a siloed approach, which often delivers duplicative and disjointed efforts. A proactive and holistic approach across the whole of an organization that considers all local regulations can ensure compliance while fostering a true culture of resilience. In other words, operational resilience should not be a one-time box-tick exercise that is completed just to satisfy regulators – instead, it should be a continuous journey.
Technology is a critical enabler that helps organizations achieve compliance and also build a culture of resilience across the institution. Often, the key risk disciplines that make up resilience are managed in siloed platforms that require substantial long-term investment and offer minimal integration. Although these solutions can serve a specific role within the risk function, they are not fit for broader operational resilience compliance programs or the overall vision of the entire organization. Organizations should look to bring together siloed measures through technology tools that can connect and integrate data to provide a high-level overview of resilience across the organization. Connecting critical data points, rather than replacing existing systems, can best position a financial institution to remain compliant while also achieving resilience and remaining flexible enough to address unforeseen disruptions in a timely manner.
Looking Ahead – 2023 and Beyond
This year and beyond, regulators will expect firms to achieve and demonstrate operational resilience through a full picture of their business operations, with a focus on important business services and the associated data sets. Going forward, organizations will need to take a serious approach to resilience. This includes defining critical business services and breaking down silos to aggregate data and meet regulatory deadlines.
As the world emerges from the pandemic state to newly normalized business processes, organizations must remain vigilant, mature their thinking around resilience, and understand how to anticipate, prepare for, respond to, and learn from supply chain disruptions, cyberattacks, data breaches, and other imminent threats – but this is no longer just a matter of being able to deliver on your brand promise through disruption. It is also now an issue of compliance – and regulators are watching. Keeping your business in business through changeable times, while also demonstrating resilience and delivering on regulatory requirements, has never been more important.