Despite the number of security breaches and IT incidents we have witnessed in financial services in recent years, no sector does operational resilience better. The sector is heavily regulated and its services require high levels of uptime, so practices it introduces are often taken up and adopted more widely by other industries.
According to our annual Data Health Check survey of over 400 IT decision-makers, financial firms are more likely than the average organisation to have a business continuity plan, to have an IT disaster recovery plan, to have tested that plan in the last 12 months, and to have specifically tested it against cyber threats.
While these findings reinforce the strength of the industry's operational resilience, incidents like TSB's much-publicised problematic IT upgrade demonstrate that the industry is not immune to failures. The Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) recently issued a joint discussion paper that aims to engage with the industry, improve its operational resilience and reduce the impact of disruptions on the wider financial system.
Operational resilience in financial services
Despite its relative excellence in business continuity management and operational resilience, regulators are pushing the industry to do better still. The discussion paper highlights several challenges the industry faces. The interconnectedness of firms and financial market infrastructures means the resilience of the overall financial system depends on the resilience of each of its constituent parts: a failure at one firm or infrastructure provider can propagate to the others that rely on it.
The paper takes a mature view of the kinds of incident firms may face and accepts that some disruptions are inevitable. Its advice is practical and can be applied not only by the financial services community but by other industries too.
Learning from the regulators
One of the key takeaways from the paper is setting board-approved impact tolerances, which is an excellent starting point for firms. An impact tolerance describes the maximum level of disruption to a business service that a firm is prepared to accept, and it helps senior management prioritise investment decisions when preparing for possible incidents. This is fundamental to all good continuity planning, particularly as new technologies emerge and customer demand for instant access to information intensifies. These tolerances set the target that a business's operational practices, and the controls behind them, are built to meet.
Focusing on business services rather than systems is another important recommendation that should be applied by all businesses. Business systems and processes should be designed on the assumption that disruptions will occur, so that the firm can still deliver its core services when individual systems fail.
The paper also highlights the increased concentration of risk that comes from relying on a limited number of technology providers. This is particularly prevalent in the financial sector for payment systems, but there are parallels in other industries and technologies. In cloud computing, for example, we are reaching a state of oligopoly, with the market dominated by a small number of key players. For the end user, this can mean heavy reliance on a single company, which poses a significant supplier risk: an outage or security incident at that provider becomes an outage or incident for every customer built on it.
Learning from financial services
All organisations, regardless of the sector they operate in, are dealing with growing numbers of cyber incidents and with cost pressures. They face increased customer demands for accessibility and speed of transactions, and their industries are being disrupted by AI and distributed ledger technologies. The challenges and questions the BoE, PRA and FCA have raised are therefore relevant to all businesses.
The paper also provides sound advice for any organisation, regardless of its industry, so those interested in improving operational resilience should take advantage of the FCA, PRA and BoE's recommendations.