On 13 June 2018, the Bank of England published a speech on resilience and continuity in an interconnected and changing world. The speech, delivered by Lyndon Nelson, Deputy CEO of the Prudential Regulation Authority and Executive Director of the Bank of England, tracked developments in the financial services sector over the last 30 years, focussing on the increasing dependency of the financial system on technology and data and the resultant importance of operational resilience.
Mr Nelson set out that he envisages that operational resilience will soon be on a par with financial resilience and a key part of a firm’s risk profile. In recent years, polls of regulated entities have shown cyber security risk to now be considered the number one risk to firms, with increasing numbers of operational incidents occurring, stemming from both internal failures and external attack. Mr Nelson suggested that the cyber threat is bringing operational resilience into greater focus and that it is the job of regulators to set clear expectations of firms and their operational resilience.
The speech highlighted examples of both recent and ongoing work of regulators in the operational resilience space, including the work of the Financial Policy Committee (FPC) around setting expectations for the minimum levels of service provision that firms must provide in relation to key economic functions in the event of disruption, and the development of supervisory tools that will allow for the assessment of firms’ resilience against the FPC’s expectations. The speech also touched on the importance of ensuring that financial regulators operate under a common framework, providing a joined up approach to regulation.
While Mr Nelson explained that this ongoing work will be the subject of a future Discussion Paper, published jointly with the FCA, he outlined his expectation that firms will be on a ‘WAR’ footing: able to ‘withstand’, ‘absorb’, and ‘recover’ from operational disruptions. To withstand such risks, he proposed that firms will need to set their own tolerances for key business services, identifying when a disruption would pose a threat to the firm, consumers, or financial stability; and that firms will be responsible for testing those tolerances and demonstrating that they have the capability to deliver a resilient service. While the intention is that the focus on building the capability to ‘withstand’ will reduce the likelihood of operational incidents occurring, firms will nevertheless need to have incident management strategies in place in order to allow them to properly ‘absorb’ any operational shocks that do occur. Finally, firms will need to be able to ‘recover’ from operational incidents, with viable and tested contingency plans in place to enable them to resume critical functions.
While acknowledging that technology is opening up opportunities for financial sector firms and for customers, Mr Nelson concluded his speech by emphasising the need to build a more resilient financial system, “able to withstand growing threats, able to absorb shocks when they do occur and able to recover quickly from any operational incident so that the critical functions in which customers, the sector and the economy rely are unaffected“.
and then 