When COVID-19 hit, the uncertainty which followed knocked the financial sector into a period of instability.
Firms that paused their business lost out on revenue. Profits dropped. It was a challenging time, but valuable lessons were learnt. Namely, COVID-19 underlined the critical importance of investing in a robust operational resilience strategy.
On the 31st March this year, the Financial Conduct Authority, Bank of England and Prudential Regulation Authority’s introduced a series of regulatory changes to ensure all UK financial firms are investing in maximising their operational resilience. Banks, building societies, insurers, and several other types of financial institution all fall under the new legislation’s scope.
CP13/32, or the ‘building operational resilience policy statement’, requires financial firms to scrutinise their business services and consider the consequences if these were to be disrupted. Over the next three years, all financial services firms in the UK must have stress tested to check whether their key business services can operate within an agreed impact tolerance.
Expect the unexpected
Impact tolerance means the maximum tolerable level of disruption that a business service can withstand before the customer is unacceptably affected. If a banking platform goes down, for example, this would qualify as intolerable harm to the customer: they can’t access their money, and their direct debits aren’t paid.
To comply with the new legislation, firms will need to produce a detailed self-assessment document that records every step of their review process, as well as proof of planned communications strategies in the event of a system failure.
But how to go about this?
Third-party consultants can be useful in assisting with the creation of a robust plan that is designed around each company’s unique business objectives. They look at the services provided and work out a bespoke definition for intolerable harm for each firm on a case-by-case basis. For instance, for some banks and building societies, it doesn’t matter too much if a banking app suddenly stops working at 3am. It’s an off-peak time for activity, and users can still access their money and login online. Life goes on.
However, for other banks, a 3am shutdown could be disastrous. Perhaps that’s the time when all of their customers' direct debits go through. If that customer’s payments are abruptly stopped, they could miss monetary commitments such as mortgage or loan repayments, potentially affecting credit scores and jeopardising their trust in the lender.
Financial firms impacted by CP13/32 must be willing to probe their technical architecture for weak spots that could cause a disruption later down the line.
Chaos testing
Another way of checking a firm’s resilience is chaos testing. This test introduces chaos into a dummy version of a business service to gather data, measure the impact on the customer, and prepare for the future. These rigorous tests help firms to assess the resilience, redundancy, scalability, and security of their core business services.
A firm could either conduct these stress tests inhouse, reach out to an external consultant, or draw insight from both. The point is the same. By carrying out these tests, firms will learn much more than just their threshold for risk and can make robust remediation plans for when things go wrong. This could involve a communications plan, a backup server, or a strategy for making good with affected customers.
The building operational resilience policy statement has wide ranging implications for all UK financial firms. However, these changes can be bridged if firms plan ahead. In a post-pandemic world, investing into operational resilience has rarely been more important than it is today. And the preparation should begin now.
