How firms deal with the growing number of operational threats, how they prevent or recover from these and how they protect customers will be critical to maintaining their reputation, future competitiveness and long-term sustainability, according to a new report from TheCityUK and PwC.
These threats range from cybercrime, climate change and complex and interconnected supply chains to technological innovation and ageing legacy systems. Increasingly, these challenges are becoming inevitabilities rather than possibilities.
The report, ‘Operational resilience in financial services: time to act,’ notes that although UK-based institutions are now financially resilient and able to meet the most stringent of financial stress tests, their operational resilience faces a range of threats.
However, financial services firms and regulators are well placed to boost operational resilience and support businesses facing operational difficulties. The positive impacts of doing so are significant. They include more sustainable performance, leadership in the global context and a boost to confidence, reputation and the ability to attract investment into UK.
Miles Celic, Chief Executive Officer, TheCityUK, said,
Operational resilience is not a choice, it is a commercial imperative. Thousands of businesses and millions of customers rely on the financial services industry to save, borrow, purchase products and services, and to go about their everyday activities, with the expectation that everything will always work smoothly. Firms that maintain safety and efficiency through a crisis will have a clear commercial advantage and be more sustainable over the long term. Those who don’t, might not last very long.
“Operational resilience is not possible to achieve in isolation. There must be cross-sector collaboration to support resilience, as well as close engagement with, and action from, the regulators. Given the UK’s position as a global hub for finance, there must also be global consistency and cooperation. Any business is only as strong as its weakest link, and poor operational resilience in the supply chain can have dire consequences for all other component parts.”
Simon Chard, financial services partner at PwC, said,
Technological advances are a double-edged sword for the industry as consumers and businesses demand more tailored, more efficient and more secure technology. The upsides of automation and artificial intelligence can be offset by firms' vulnerability to attacks, system outages or simple human error. Current market conditions mean that the risk and potential impact of these events is growing.
"The firms best positioned to deal with potential issues are recognising that the speed of technological innovation and the rapid adoption of relatively untested technologies is increasing business risk. The cost of ensuring operational resilience is actually relatively small compared to financial resilience and conduct demands. However it brings with it significant opportunities for firms and the wider UK economy.”
TheCityUK and PwC make a number of recommendations for industry and regulators to become operationally resilient, focusing on the following core areas:
- Innovation and technological change: firms must review their approach to change and adapt their risk frameworks, governance and strategy to keep pace with innovation. They must prioritise the resilience of key services, building this into strategy and business plans.
- Good governance: Good-quality, future-looking management and information are essential. Culture has a key role to play and operational resilience should be built into management development programmes. Transparency on the potential threats, and clear lines of accountability and collective responsibility will be key.
- Regulators: UK regulators should continue to take a leading role driving global standards in operational resilience. They will need to enhance capacity by expanding their skills and experience, while also providing greater clarity to firms on what they need to do.
- Connectedness: Regulators should seek to map the sector to understand operational dependencies. The sector will need to work together to identify collective solutions to common challenges, integrating recovery and resolution arrangements where necessary. Working with technology providers, the industry should develop standardised support frameworks for key infrastructure services.
TheCityUK and PwC identify five core areas of risk to a firm’s operational resilience:
- Cybercrime: Cyber attack is consistently cited as the single most urgent concern among senior industry executives. Attacks are going deeper and becoming more sophisticated, with attackers using more complex strategies and focusing on the most valuable targets.
- Climate change: Climate-related risks have the potential to cause significant disruption and reputational damage. Physical risk can arise from extreme weather events such as storms, floods and heatwaves, as well as longer-term changes such as gradual increases in temperatures and rising sea levels. Transition risks such as changing market sentiment, or the gradual move towards a lower-carbon economy, will entail extensive policy, legal, technology and market evolutions to which the industry must adapt.
- Technological innovation: Firms must make sure that data is available, accurate and confidential, and they must comply with an ever-growing roster of cyber and privacy regulations.
- Rising connectedness: Outages, whatever their cause, can lead to significant operational breakdowns, and increasing connectedness raises the chance, and potential impact, of a systemic event.
- Managing Change: Business model evolution, IT infrastructure renewal, and the changing competitive and regulatory landscape all pose challenges to a business’ ability to operate.