5 steps towards successful operational resilience

Operational resilience is now at the top of the global regulatory agenda. Driven by unpredictable and volatile market events, from COVID-19 to climate change and war, regulators are looking to ensure that financial organisations are able to withstand these turbulent shifts, both now and into the future.

The digitisation of the financial industry brought with it myriad benefits and efficiencies as new technologies streamlined manual or outdated processes. However, as firms look to technology to solve increasing compliance complexities, so too must they focus on the ability of that technology to withstand unpredictable or volatile market events. As the compliance team sets out renewed business continuity plans to manage the fallout, regulators have made clear that operational resilience should be top of mind.

Emerging regulation for operational resilience

This has been made most clear through a swathe of new rules, regulation, and expectation surrounding operational resilience:

In the UK, the Financial Conduct Authority (FCA) has published final rules on Building Operational Resilience, which came into effect on March 31, 2022. In July, the Bank of England’s PRA published a discussion paper exploring the need for additional measures to “manage the systemic risks posed by critical third parties”.

In the EU, the Digital Operational Resilience Act (DORA) has been hailed as a progressive and transformational approach to the specific operational challenges surrounding technology. And, in the U.S., the Securities and Exchange Commission’s (SEC) Division of Examination has highlighted “information security and operational resiliency” as one of its five significant areas of focus for 2022.

Global firms must now contend with new and emerging operational resilience programs that are always-on and meeting regulatory scrutiny across borders. We’ve highlighted the key areas of focus for businesses to ensure longevity, efficiency and compliance.

1. Beware the risks of end-of-life tech

The dawn of digitisation saw firms scramble to implement technological solutions to new and emerging risks and rules. As we move towards the beginning of 2023, we’re seeing a number of older technologies – including Dell’s EMC SourceOne Archive – approach end of life (EOL). Now is the time to revaluate your needs and ensure that you have a plan in place for migrating your data or operations to new solutions.

Complying with operational resilience requirements calls for your technology to be ‘always on’ with no room for error or gaps. Migrating away from EOL technology can therefore cause operational challenges. Regulators will want to see that you have factored EOL into your business continuity plans (BCPs) and have sought a solution that causes minimal businesses disruption. This will likely require choosing an experienced migration partner with demonstrable expertise in EOL transition.

Global Relay has more than 20 years’ experience in managing and migrating data. We can seamlessly transition your data from SourceOne. Find out more.

2. Take stock of third-party risk and consolidate where possible

Along with global digitisation came an increased movement towards third-party activity. Firms that were unable to build their own innovative solutions outsourced to technology-savvy solutions as a means of receiving best-in-tech without the in-house legwork. While this is arguably the most effective means of ensuring your firm is using the best compliance technology, third parties are not without risk.

Both the FCA and the EU Parliament have made clear the importance of third-party risk in remaining operationally resilient. This is especially true where third parties carry out “critical” business functions.

Consolidation here will be key. While third parties are vital for effective processes, using multiple third parties for critical operations adds layers of complexity which, in turn, can expose firms to compliance gaps. As technology has evolved, many firms have patched together a series of solutions which generally work in principle. However, in the event of volatility this presents multiple challenges in:

– Managing multiple relationships
– Understanding what happens if one of the many parties fail
– Establishing roles, responsibilities, and accountability for different vendors

In the face of increasingly stringent regulatory requirements, firms should use this opportunity to take stock and simplify their processes. If processes are simplified, there’s less to do when things go wrong. Instead of relying on multiple solutions, invest in technology that can streamline and centralise compliance end-to-end. Explore the market for technology that can solve multiple compliance solutions in one, holistic platform.

3. Evaluate the operational resilience of your public cloud reliance

The IDG Cloud Computing Survey 2020 estimated that “92% of organizations are at least somewhat in the cloud”. Two years later, this reliance will likely have grown. When considering cloud offerings firms often think of the big three; Google, AWS, and Microsoft. Despite having a majority stake in the world’s business data, concerns are often raised around the security of that data within the public cloud. Firms should take stock of their reliance on public cloud and ask whether it is secure and operable in the face of volatility, or whether it acts as a bottleneck. Consider instead whether a tailored private cloud could better meet operational resilience goals.

4. Know where your vulnerabilities lie

The FCA’s rules implement a requirement that firms have in place “sound, effective, and comprehensive strategies, processes and systems” to comply with operational resilience goals. In order to do this, firms will need to first take stock of what their operational resilience goals are and where vulnerabilities in existing systems current exist.

Firms should look at their current policies, systems, and controls and stress test them to understand how far they can be pushed before they break. That understanding should then be used as the basis for operational reform. Processes that break easily, or that are already broken, should be revisited as a priority. Firms should demonstrate a commitment to operational resilience through investment in technological solutions which can remove weaknesses and demonstrate to regulators and key stakeholders that they have a commitment to proactive compliance.

5. Make operational resilience a company-wide priority

The real challenge here is demonstrating the importance of continued, considered operational resilience across all business functions. All organisations inevitably rely on a complex web of tools and processes. Having complete oversight is both incredibly difficult and incredibly necessary to ensure an operational resilience plan that will stand up to regulatory scrutiny – and volatile market movements.

In order to break down the inevitable silos from this complexity, it’s important to instil within all teams an understanding of the importance of operational resilience. Invest in new tools, consolidate where possible, find gaps and fix them. The compliance and operations functions should not have to battle this alone.

Global Relay can ensure your communication and archive functions are operationally resilient.