The view from the regulator on Operational Resilience

Speech by Megan Butler, Executive Director of Supervision: Investment, Wholesale and Specialist, delivered at TISA’s Operational Resilience Forum, London.

fca board megan butler 340 180.jpg

Speaker: Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists
Location: TISA’s Operational Resilience Forum, London
Delivered: 5 December 2019
Note: this is the speech as drafted and may differ from the delivered version

Highlights:

  • On 5 December 2019, the FCA, PRA and Bank of England published their joint Consultation Papers on Operational Resilience
  • These proposals develop and expand on the ideas set out in their 2018 Discussion Paper
  • The proposals set requirements and expectations for firms and financial market infrastructure (FMI) to identify their important business services by considering how disruption to the business services they provide can have impacts beyond their own commercial interests
  • They must set a tolerance for disruption for each important business service and ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe but plausible scenarios
  • The proposals also include requirements to map and test important business services to identify vulnerabilities in their operational resilience and drive change where it is needed.
  • The consultation closes on 3 April 2020.

I’m delighted to have been invited to give the keynote address today, especially as today is the day we, the PRA and the Bank of England have published our much-anticipated Consultation Papers on Operational Resilience.

I’d like to set out what we have collectively been working on in order to build a more resilient financial system.

Whilst I hope you will all read the details of the proposals for yourselves, I’d like to focus your minds today on the outcomes we are seeking from this consultation exercise.

Our intention is to bring about change in how the industry thinks about operational resilience – a shift in mindset as it were – informed and driven by the public interest.

It is fair to say there have been a number of cyber-attacks over the past three years which have shown that it is more important than ever to remain vigilant against cyber adversaries. From the Eurofins attacks to the data breaches affecting Ticketmaster and Tesco Bank.

But it is not just the external threat we need to be vigilant against. The disruption resulting from TSB’s IT upgrade served as an important reminder that our organisations need to be resilient to a far wider range of potential operational issues than cyber-attacks alone.

The proposals in the Consultation Papers make it clear that we expect you to understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market.

It is for this reason that we have published the Consultation Papers. It picks up where the joint discussion paper left off.

Our starting point is the premise that operational disruptions happen.

We want to dispel the belief, which many firms hold, that we expect them to stop all operational disruptions altogether. We understand these happen.

The outcomes we are seeking are more focussed on the continuity of supply of the financial products and services that people, businesses and the wider economy rely on most. Even in the event of severe operational disruptions. 

Let’s unpack that a bit further.

Definition of Operational Resilience

We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.

Given this was in our discussion paper, hopefully this does not come as a surprise!

Since our discussion paper, we have had a significant amount of engagement with industry from roundtables, operational resilience panels and numerous speeches.

And of course, the responses to the Discussion Paper itself.

Respondents supported our approach of focussing on the delivery of important business services as a way of strengthening operational resilience. Which shows that we are all on the same page.

We've considered the feedback we received on the Discussion Paper and we've provided more detailed explanations and definitions of the main concepts: such as important business services, setting impact tolerances and taking actions to remain within impact tolerances.

We also took on board feedback in terms of scope.

The proposals in this Consultation Papers will apply to banks, building societies, Prudential Regulation Authority (PRA) designated investment firms, Solvency II firms, Recognised Investment Exchanges, Enhanced scope Senior Managers & Certification Regime (SM&CR) firms, entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017), and Electronic Money Regulations 2011 (EMRs 2011).

As we lay out in our consultation, we want firms to build operational resilience because we believe it is in the public interest to do so.

This definition of operational resilience also helps clear up the uncertainty we often see between operational risk and operational resilience.

Operational risk is, as the name suggests, a risk.

Its management is a process which results in acceptance, mitigation or avoidance of risk and of course a commensurate level of financial resources, both capital and liquidity, to manage this.

Operational risk management is not infallible. In risk management, you can assume harm will occur and still be comfortable so long as you are able to stay within your agreed risk appetite. 

Operational resilience on the other hand is an outcome.  It is a step change, where we expect you to be forward looking and making decisions today that help prevent harm tomorrow.

Outcomes we are seeking

The proposals in the Consultation Papers make it clear that we expect you to understand your vulnerabilities, invest in protecting those and protecting yourselves, consumers and the market.

We are confident that as a result of firms applying these concepts, customers will be better served by more resilient firms.

This is why the proposals require firms to consider the impact of operational disruption with reference to each authorities’ public interest objectives.

Operational resilience is not about protecting the reputation of your firms or the reputation of the industry as a whole. It is about preventing operational incidents from impacting consumers, financial markets and UK financial system.

Operational resilience is not about protecting the reputation of your firms or the reputation of the industry as a whole. It is about preventing operational incidents from impacting consumers, financial markets and UK financial system.

We will not accept operational failures that – but for a lack of sufficient contingency planning – see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money.

Let me put this in other terms.

Do you remember the power blackout in August of this year?

The cause of the disruption was lightning striking a high-voltage transmission line near Bedford. This caused two generators to trip out. Around one million customers were affected across most regions of England. The risk of serious harm was real. Passengers were stranded on trains, and Ipswich hospital and Newcastle airport lost power.

Two generators tripping off the system at once is apparently exceptional, and the safeguards worked largely as they should.  But the fact remains - a routine lightning strike knocked two providers offline. Priority services such as an airport were badly hit by the supply cut.

It took a major incident for unforeseen vulnerabilities to be exposed.

Taking this example into financial services, we know that currently a high impact but low probability risk event like this may not be given enough focus at firms.

As a result, when the unexpected happens, firms are not prepared and cannot achieve good consumer outcomes. As I have already mentioned, the concepts in the Consultation Papers must be applied in relation to creating good outcomes for consumers, financial markets and the UK financial system.

This is not new. These outcomes are core to the FCA Mission and our public statements in response to TSB are a reminder of this.

We have been clear that we were dissatisfied with TSB’s initial communications to customers. In the Consultation Papers, we explain that we will expect firms to have effective internal and external communication plans to reduce harm when things do go wrong.

What will we ask?

I will be asking your Chairs and CEOs what strategic decisions and investment choices they are making to build operational resilience and to maintain the supply of important business services in the event of a major incident, or, as we say in the Consultation Papers ‘a severe, but plausible, scenario’.

Considering the definition of operational resilience, and our intended outcomes, we will look for the following:

First, firms should identify their important business services and map successful delivery back to the key underlying resources,

Second, they should test their ability to withstand a severe event with reference to an impact tolerance, and

Third, they should use the test results to identify resilience gaps - and make investment choices that increase their ability to provide these important business services - even when severe disruptive events happen.

Let’s take each of these in turn.

Mapping

We propose that firms should identify and document the resources that deliver and support their important business services. This is called mapping.

When we launched the discussion paper, we referred to the increasingly interconnected and technology-driven operating environment.

Firms should identify their important business services and map successful delivery back to the key underlying resources.

We are concerned that these complex interdependencies increase the likelihood of a major disruptive event spreading quickly.

It could be the failure of a shared piece of connectivity used in wholesale markets or loss of access to a major cloud provider.

The types of solution we might expect to see more of include joined up engagement with these important suppliers by the authorised firms that rely on them, to properly understand those suppliers’ resilience arrangements.

Take the example of the Ipswich Hospital I mentioned earlier.

When I read some of the media coverage of the national power outage, it was interesting to see how Ipswich hospital dealt with the situation when a circuit breaker failed to work and its own back-up generators did not kick in immediately.

It was reported that staff enacted contingency plans and calmly managed the situation during the 15-minute loss of electricity – a response that kept patients reassured and unharmed. 

This example serves to illustrate how important it is to test contingency plans rather than wait for a crisis to see if everything will actually work. The hospital had clearly thought about the impact of the event on their services to their patients as it unfolded, and the response they delivered ultimately kept patients safe.    

Impact Tolerances

This takes me on to impact tolerances; which means: the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.

I’d also like to make it absolutely clear that identifying your firm’s maximum tolerable level of disruption to an important business service - from a public interest perspective – should produce a threshold that is quite different to your established risk appetite and risk tolerance metrics. 

In simpler terms, this means that impact tolerance is not a recovery time objective or a recovery point objective. 

When you read the Consultation Papers, you will see that an impact tolerance and a recovery time objective exist in the same risk universe, but they are very different measures. The latter is very much a time bound metric that does not consider a wider range of factors such as potential harm to consumers and the market.

This is not a box ticking exercise.

This is not about what you are willing to, or think you can, ‘get away with’, because you think the worst is unlikely to happen. We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.

I know the industry is still working through what we mean by “impact tolerance”. Let me illustrate how we think about this with an example.

In 2016 cyber attackers netted 2.26 million pounds by exploiting vulnerabilities at Tesco Bank, causing harm to the current account customers who saw money leaving their accounts. Following the attack, Tesco Bank did put in place a comprehensive redress programme and customers were compensated.

But had the firm mapped the systems and processes that support its current account service and tested whether it could continue to protect consumers from harm in the scenario it was faced with, it would have identified the vulnerabilities it had and could have taken steps to increase resilience.

This is why we care; we want customers protected by actions you can take now.

Impact tolerance requires firms to think about services from the perspective of their consumers, as well as the wider UK financial system and financial markets.

Testing

So, this brings me to the purpose of testing.

Testing your ability to remain within your impact tolerance, during a severe event, is likely to reveal gaps and weak points in the resources that support delivery of the important business service. 

Used properly, testing your ability to remain within your impact tolerance should lead firms to taking actions that make a real difference to your operational resilience.

Firms should test their ability to withstand a severe event with reference to an impact tolerance, and they should use the test results to identify resilience gaps.

In the Consultation Papers, we go further than we did in the Discussion Paper and explain that where these gaps are identified we expect firms to take actions to ensure they can remain within their impact tolerances.

You cannot ‘game the system’ by setting an excessively high impact tolerance that you know will never require you to take additional steps. When it comes to supervising firms, you can expect this to be an area where we will pay close attention.

We know that firms currently focus on the recovery of systems that support business services. There has been less focus on limiting the wider impact of disruption on end-users, and even less focus on achieving continuity of supply of the affected business service during disruption.

And if risk appetite is only set in line with corporate strategic objectives, which are inevitably anchored to profitability and cost reduction, this can work against achieving the continuity of supply of an important business service.

A few firms have asked us what an ‘important business service’ actually is.

Let me make it simple.

A business service is a service provided by a firm or FMI to an external end user or participant.

This business service becomes an ‘important business service’ where a disruption to the provision of the service could cause intolerable harm to consumers or market participants the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. It could threaten policyholder protection, safety and soundness, or financial stability.

Some respondents to the discussion paper asked us to help them by publishing a list of important business services. We have not done this.

We believe firms are best-placed to determine their most important business services.

Whilst we have not been prescriptive in this regard, we have provided guidance as to how to go about identifying an important business service.

Why now? Why more rules?

You may be asking yourselves, ‘why now?’ – operational resilience has been priority for the regulatory community for years, and if there is nothing wrong with current regulations, why the move to more rules?’

We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.

Rules can help to give clarity around our expectations on operational resilience, but this is also about a cultural change. Where possible we will build on existing policies and rules, placing them within a clear and consistent framework.

The proposed new requirements we are consulting on sit alongside established operational risk management practices. They are not replacing risk management. 

We believe that, in the public interest, a resilient financial system should always aim to supply its important business services with minimal interruption even during severe operational events.

It’s the resilience outcome that’s most important to the supervisory authorities, not simply a firm’s ability to demonstrate compliance.

I want to stress that this is not just an industry change. Aligning our supervisory approach and strategy towards continuity of business services necessitates a review of our approach to overseeing the industry too.

Key elements of our existing approach, such as reviewing the effectiveness of firms’ governance, will continue to be an important component in assessing firms’ operational resilience capability.

But in line with good standards of general governance and the Senior Managers & Certification Regime – which is about to be extended to all firms – every Senior Manager should know what they are responsible and accountable for. This includes the need for firms to establish clear lines of responsibility for the management of operational resilience.

The Consultation Process

Opportunities like this event today provide a welcome opportunity to get our message out to a wider audience. And as we progress our work on operational resilience, we are keen to seek your views.

This is a joint undertaking – by both the UK financial authorities and the UK financial sector. The positive response to our discussion paper is evidence that our interests are aligned on this most crucial of issues, and should be working together to create a more resilient financial sector.

The consultation will be open for four months and close on 3 April 2020. 

During that time, we’ll continue to engage with industry and the wider public on the proposals. You’ll see us talking about the consultation at more events and you can expect this to remain a key focus for the FCA in the future.

After the consultation closes, and following consideration of the responses and feedback we receive, we will publish a Policy Statement in which you’ll see our response to your feedback alongside our final rules. We expect this to be towards the second half of 2020.

I encourage you all to read, discuss and respond to the joint Consultation Papers. This is your chance to influence how we work together with all the entities we supervise to build a resilient financial system. 

Thank you very much for letting me use today to launch the consultation.