Clarity from Chaos: the Global Regulatory Challenge

---

If you ask most resilience students or apprenticeship trainees what their ultimate career goal position might be, heading up the global resilience team for financial services market leaders would likely be high up there. However, once you have reached those lofty echelons, you have a massive challenge on your hands.

These types of institutions have been called ‘too big to fail’ in the past, so given the scale and complexity of them, how do you ensure that they don’t fail? You can try aligning programmes to best practice, certifying to standards, developing control frameworks, and you should be complying with regulations. But, given that what ‘good’ looks like differs subtly worldwide, you would need to implement a slightly different approach in each region – multiplying your workload and depleting your resources.

The challenges over the next year are many; be it increased regulations, civil unrest, economic recessions, extreme weather due to climate change, or outright war.

“Looking out 12 months, the five largest year-over-year increases are interest rate risk, geopolitical shifts and regional conflicts, risks related to global trade and market forces reshaping globalisation, shareholder activist risk pursuant to performance shortfalls (including with respect to ESG expectations), and political uncertainty.”

(Protiviti.com, Executive Perspectives on Top Risks for 2023 & 2032)

Resilience Lessons Learned

The foreshadowing of compounding crises is enough to make the most stoic resilience manager break out in a light sweat. So, how can you work smartly, rather than round the clock, to ensure you are compliant with a range of regulations but also prepared for the disruptions ahead?

The challenges are many, but in general, the solution is: utilise the technology available to you so that you can think globally and act locally. The idea here being that you can have one holistic approach to your resilience programme that is implemented worldwide, but that the tactical details which require documenting or reporting on can differ by region.

In 2022, we were fortunate enough to hear directly from the PRA at the Operational Resilience Conference in London, the American regulators at the GFMI event in New York, and a wide range of clients and industry leads at other conferences and roundtables throughout the year, many of whom currently hold those key roles leading resilience at major financial services firms.

We heard some smart snippets of advice from Brian Donadio (Vanguard) at GFMI, which can and probably should be adopted by resilience teams, especially in light of new regulations, including:

• “Test, don’t talk”
• “Alternates, not secondary / deputy / back-up CMT members” – they should be equally substitutable and exercised
• “Don’t chase perfection, choose progress”
• “Beware paper cuts, aftershocks, and winning / complacency”

Think Globally. Act Locally.

Whilst the collaboration between regulators and the consistency of approach has been impressive, a couple of common themes have emerged that all firms face as the amount of regulation increases:

• The scale of data which needs analysing to ensure resilience is only growing
• The complexity of trying to run one programme which complies with regulators worldwide is increasing

The map below shows just how widespread the interest in regulating the resilience of the financial services sector has spread:

(https://www.nortonrosefulbright.com/en/knowledge/publications/3215deb7/operational-resilience-regulation-around-the-world)

The increased regulation of the industry has been instrumental in helping to shift the focus to mitigate impacts to stakeholders rather than just the firm itself. Globally speaking, general requirements of all financial services firms include the ability to map their important or critical business services and interrogate all of the processes, assets, and resources that support those services, both in house and in their supply chain.

“Fundamentally, instilling operational resilience throughout the organization requires a deliberate approach driven top-down by senior management and the board, who will need to be involved in defining the operational resilience strategy and how it links to the business strategy.”

(https://www.oliverwyman.com/content/dam/oliver-wyman/v2/publications/2022/dec/digital-operational-resilience-pov(with-appendix)-final.pdf)

This holistic view of an organisation, when combined with the customer and market views of the services, has directly led to the need to draw data in from all across the firm and break down the silos between complementary departments, e.g. Risk, TPM, ITDR, Crisis Management, etc. Preferably, this would be done through one aggregating platform so that data and analyses could be viewed through one pane of glass.

The Impacts of Globalisation on the Scope of Crises

So, whilst it is evident that the ‘stick’ of regulations is very much needed and has been incredibly valuable over the past couple of years in revealing vulnerabilities and helping guide investment strategies, the challenge of complying with all regulators’ requirements remains.

This need for aggregation of data and breaking down of silos has been highlighted in recent years by the range of knock-on impacts encountered as supply chains and workforces become more widespread. At a range of conferences this year, we heard on countless occasions that we are living in a VUCA (volatile, uncertain, complex, and ambiguous) environment and also through a ‘decade of disruption’; even the Collins Dictionary, that stalwart defender against exaggerated language, jumped on the trend and declared ‘permacrisis’ its word of the year. The frequency of compounding crises seems to be on the rise.

Organisations are expected to combat the immediate impacts of the rising cost of living, reduced energy supplies at a time of peak demand, critical infrastructure firms going on strike, the war in Ukraine, a rise in extreme weather conditions, and the occasional cyber-attack. They are also asked to combat the impacts of the compounding or knock-on crises though, and further still, to interrogate the data and pre-emptively identify where they have vulnerabilities and remediate against them where possible.

A Morgan Stanley representative spoke at the GFMI event expanding on this, to illustrate the end-to-end picture of crisis management. They explained that you need a way to monitor for disruptions across a wide range of systems – cyber, fraud, technology, weather, geopolitics, etc. – and then check that your documented responses are aligned, be that processes, playbooks, tooling, intelligence, communications, or people. Once you’ve done that, it’s becoming increasingly important to train all of your teams, not just the crisis management team, on how to respond to disruptions.

Also at the GFMI event, the panel (including representatives from Goldman Sachs, Silicon Valley Bank, and Global Atlantic Financial) speaking on geopolitical risks noted a vital consideration in preparing for these crises which is rarely taken into consideration: the concentration risks around response firms. Many will have considered putting a consultancy on retainer (we all saw how many bodies needed throwing at the Maersk NotPetya attack), but what about the other crisis response firms, the forensic accountants or cybersecurity experts, the comms and PR teams, or the call centres? How many firms have considered their ability to access these specialty resources when everyone across the sector is clamouring for them simultaneously?

“Looking out 10 years, the five largest increases are risks related to geopolitical shifts and regional conflicts, activist shareholder risk, global trade and changing assumptions underlying globalisation, adjusting to a remote and hybrid work environment, and political uncertainty. The world is changing now, with more change to come.”

(Protiviti.com, Executive Perspectives on Top Risks for 2023 & 2032)

The Power of Resilience Regulations

The recent fining of TSB by the PRA and FCA served to highlight both the serious nature of the consequences of not being resilient as well as the potential benefits of having an effective programme in place. The regulations in the UK were designed to help ensure that levels of resilience would be prioritised when conducting any major business changes, and that all changes to any resources or assets that support an important business service would be interrogated thoroughly, prior to any change going live.

The final notice from the FCA reveals an interesting scenario which several resilience managers will feel familiar with – from only exercising with the gold team, or assuming that recovery would be possible within a couple of days based on resource owners’ insights, to not having capacity or time to fully inspect critical fourth parties. It was revealing to read that whilst BC programmes have been in place for years, and much work has been done on them, many simply haven’t kept pace with the scale, complexity, and frequency of modern crises.

“2.26: Following MME, TSB quickly found itself in a crisis situation for which it was not prepared. Whilst TSB undertook a large programme of work in relation to business continuity planning ahead of MME, and had been prepared to deal with ‘bumps in the road’, there were gaps in its oversight of the preparations of SABIS. In TSB’s view, it would not have decided to proceed with the migration had it considered that an incident of the scale of the issues that arose post-migration might occur. Consequently, TSB’s business continuity preparations were inadequate for the scale of the incident which ultimately took place.”

(https://www.fca.org.uk/publication/final-notices/tsb-bank-plc-2022.pdf)

Many other challenges still remain for many firms, such as how to prioritise and treat vulnerable customers differently in a crisis (2.31), how to staff up at pace given regular onboarding timelines (4.303-6), and how much to budget for putting customers back to the right financial position or where to draw the line for harm becoming intolerable (2.32).

Taking the First Step

In a world where the demands on our time from both regulators and stakeholders are ever increasing with each compounding crisis, it is incredibly challenging to try and keep ahead of everything. One of the few things that can help us to keep pace and remain efficient is the utilisation of technology. The ability to roll out new versions of BIAs across a firm at the click of a button, or simulate changes being made prior to going live, to the ability to run reports and dashboards with live data for committee meetings, or even simply to monitor which services are still ‘important’ – all help us to focus on prominent threats and responses, rather than on the administrative burden.

If interested, do book in a session with us so we can demo our solution which can help you take strides on that path to compliance, as a resilience endeavour rather than a tick-box exercise.

Useful Resources

• Norton Rose Fulbright: https://www.nortonrosefulbright.com/en/knowledge/publications/3215deb7/operational-resilience-regulation-around-the-world
• PwC: https://www.pwc.co.uk/financial-services/assets/pdf/comparing-international-expectations-on-operational-resilience.pdf
• Herbert Smith Freehills: https://insights.hsf.com/operational-resilience-timeline/p/1
• White & Case: https://www.whitecase.com/insight-our-thinking/financial-regulatory-observer-2022-operational-resilience-uk-eu-and-us