A seismic outage for TSB Bank led to fines of £48 million for operational risk management and governance failures in 2022. Upon acquisition, the bank attempted to transfer its data between systems over the course of three years. And while the data transfer was successful, the system switch led to severe in-branch errors, with many customers also locked out of their online accounts.
Operational resilience is one of the most important parts of running any business, but even more so for critical service-providers in finance. Explore why the focus is growing on operational resilience in financial services, and how to protect your firm.
What is operational resilience in financial services?
Operational resilience refers to the ability to continue daily tasks while under pressure from disruptions, threats and mistakes. In financial services, for example, operational resilience is often required in the context of sudden economic market shifts and data breaches. It’s important to ensure that customers still have access to their bank accounts, and can continue to make payments, withdraw cash and transfer funds.
Operational resilience is directly tied to the risks that, if realised, threaten access to integral financial services. Alongside a risk assessment, operational resilience includes planning the detection and prevention of risk events, and the response to them, so that operations can continue.
A growing spotlight on operational resilience
Perhaps the most famous example of the need for operational resilience came in July 2024, when IT firm Crowdstrike shipped a faulty update. This led to the complete outage of IT systems in airports, rail companies, huge firms like Microsoft, hospitals and doctors’ surgeries and more.
It caused havoc in financial firms relying on the IT supplier, as shops like Sainsbury’s and McDonald’s used POS systems that went down, leaving retailers unable to collect payments. In fact, the banking sector as a whole was hit hard, losing an estimated $1.15 billion in direct losses.
It’s clear that better operational resilience is required to prevent such losses and help customers continue to access their integral financial services.
Why are regulators concerned about operational resilience?
One of the biggest trends affecting financial services is a growing threat to operational resilience. This includes the growth of intentional cybersecurity attacks. In fact, during 2024, 20% of all ransomware attacks were against banking institutions.
Of course, regulators have taken note of this change in landscape, and put new impact tolerance frameworks in place to help mitigate the impacts of these risk events. It’s not a question of ‘if’ banks get hit by phishing attacks, but ‘when’, and how they should respond.
But a recent study revealed that Chief Risk Officers at banks are most likely to say that climate change is their top emerging risk. Since climate change data suggests an increasing number of environmental incidents, financial institutions are forced to consider how:
- Staff can continue to operate if their workplace building becomes damaged or inaccessible
- IT teams can keep data secure and accessible in case their storage centres are hit by an environmental disaster
- Risk assessors can increase lending thresholds when customers are hit by the effects of climate change
Regulators have been focused on operational disruption for a long time now, and continue to hold it in the spotlight as threats evolve. Similarly, there has been an increasing focus on third parties since supply chains were left so vulnerable during the COVID-19 pandemic.
What are the most relevant global regulations?
It’s important to highlight the most far-reaching operational resilience regulations:
- The USA’s rules
- The EU’s DORA
- The UK’s PS21/3
Rules in the USA
There are a number of notable regulations in the US, although they don’t directly compare to the likes of DORA compliance.
The OCIE released guidance which detailed the general practices that most financial organisations include:
1. Development of a plan
2. Addressing applicable reporting requirements
3. Assigning staff to execute specific areas of the plan
4. Testing and assessing the plan
The regulator also noted that “maintaining an inventory of core business operations and systems, assessing risks, and considering additional safeguards” is important.
Moreover, the Sound Practices to Strengthen Operational Resilience was released jointly by the OCC, Fed and FDIC in 2020. It provides guidance on governance, operational risk management and business continuity management (including third parties).
Finally, the US’ Computer-Security Incident Notification Rules brought in the requirement for transparency around risk events which have been realised in financial institutions.
EU’s DORA
The Digital Operational Resilience Act (DORA) was published in September of 2020 as part of the EU’s wider Digital Finance package. The regulators noticed that financial services as a sector had become increasingly reliant on digital and IT systems, and wanted to ensure that institutions could continue to operate even while these services came under threat.
DORA has five pillars:
- ICT risk management: identify and manage the risks of digital operations
- Incident reporting: know what to report, when, and to whom when an incident occurs
- Resilience testing: also known as stress testing, create realistic scenarios and rehearse response plans against them
- Third-party risk management: protect the entire supply chain by ensuring that even your vendors’ vendors are applying best practices in terms of IT risk
- Transparent information sharing: consult with the regulator when a risk event occurs, and share threat and strategy information to improve whole industry defence
UK’s PS21/3
In 2021, the UK’s FCA, PRA and Bank of England jointly released their new rules on operational resilience in financial services.
The PS21/3 regulation has four key areas of interest:
- Identify important business services
- Set impact tolerances for each business service
- Perform risk mapping and scenario testing
- Create internal and external communication strategies
This regulation extends the previous Senior Managers and Certification Regime (SMCR), updating it to consider new threats.
“In line with good standards of general governance and the Senior Managers & Certification Regime – which is about to be extended to all firms – every Senior Manager should know what they are responsible and accountable for. This includes the need for firms to establish clear lines of responsibility for the management of operational resilience,” said the FCA.
Choosing a compliance solution
Developing your operational resilience strategy means using these regulations as a guide, and applying them directly to the risks threatening your firm. Knowing your vendor is essential to conducting due diligence and avoiding unexpected risks.