Operational Resilience is firmly at the top of the Asset and Wealth Management agenda following recent events; however, this has been a developing ‘hot topic’ for the FCA over the past few years. The Q4 2019 Consultation Paper (CP 19/32) moved the dial in terms of regulatory expectation and, with chilling foresight, implied that it is no longer a case of if but when firms will suffer operational disruption.
The pandemic has unexpectedly put resilience to the test in extreme conditions, bringing together a health emergency, market stress and technology disruption within one event. Large and small Asset and Wealth Managers alike are acutely aware of the coming together of heightened regulatory expectations, severe business challenges and new and increased levels of Senior Management accountability.
How has Regulation evolved to develop Asset and Wealth Managers’ approach to Operational Resilience?
The industry has seen the Regulator set out its increasing expectations of Asset and Wealth Managers in relation to the key components of Operational Resilience over the past decade, through guidance culminating in CP 19/32 (A Consumer Focus for Operational Resilience) including:
- Outsourcing Risks (TR13/10 2013)
- Cyber and Technology Resilience (2017/2018)
- Increased Responsibility of Senior Management through SM&CR (2019)
The FCA has often concluded from its work (such as Supervisory, Thematic and ICAAP Reviews), and the results of Internal Audits, that Asset and Wealth Managers have often underestimated Operational Risk and have had work to do to demonstrably meet Risk and Resilience requirements.
Alongside this, the approach to Operational Resilience by both Asset and Wealth Managers and Regulators has developed significantly from an early emphasis on data recovery and the robustness of technology, to now including financial, operational and client service considerations. We expect the current Operational Resilience requirements will continue to evolve, bringing renewed focus to wellbeing in the face of social events as well as actions to ensure the health of the workforce.
Ultimately, Regulation has developed beyond an emphasis on effective Business Continuity Planning, to require Asset and Wealth Managers to effectively self-assess critical services and the underlying processes from a customer perspective, with an expectation that firms will remediate potential failings that fall outside the ‘outages’ that Senior Management deem tolerable based on credible risk assessment.
What will be the key questions for Senior Management of Asset and Wealth Managers?
ExCo and COO responsibilities for Operational Resilience are now fully loaded through SM&CR. These senior stakeholders will have a number of concerns about how they move from prolonged stability in the short term through to a more resilient future operating model in a less certain environment. Senior Management will want to answer several challenging questions:
- Does the risk management framework help us to effectively manage risks to operational resilience?
- Do we have the capacity and capability to identify, assess and maintain our most important services in a stress event?
- Does our ICAAP still make sense in the ‘new world’?
- What are our recovery and resolution planning scenarios, and how do these work in a globally integrated operating model?
- What does best practice look like for us?
- What have we learnt from this crisis, and how can we make the business better able to withstand future disruption while responding to regulatory expectations?
What are the challenges ahead of recovery?
Developing an effective resilience framework is not a straightforward process due to the increasingly complex operating models utilised by Asset and Wealth Managers and the uncertain environment ahead. Some of the most pressing challenges to this include:
- Understanding the impact of new Regulation and dealing with it well
- Defining critical services and the tolerances that should apply
- Effective risk management and oversight of third-party vendors
- Developing a plan to ensure sustained recovery from the shocks experienced so far this year
Regulatory demands are increasing but, just as importantly, so are the expectations of the Board and investors. Meeting these increased expectations will be a challenge for Risk and Compliance teams in the coming months but, done correctly, will leave firms with a stronger risk management approach and a more resilient organisation for future challenges.
Alpha has significant experience in supporting firms with the design, review and implementation of Risk and Operational Resilience frameworks to provide Senior Management with the assurance they need to fulfil their responsibilities and improve operational efficiency and effectiveness.
If you are interested in finding out more about how Alpha can support, please get in touch.