De-risking the UK Financial Sector

The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have jointly issued a discussion paper titled “Building the UK financial sector’s operational resilience”. I can’t say I’m at all surprised after some high-profile incidents this year (I’ve commented before on the TSB debacle but they appear to have fouled up again last weekend). Does this suggest banking Armageddon is just around the corner (yet again)?

Well, it’s very easy to stand at arm’s length and throw out all those adages about legacy systems being held together by sticky tape, but that is a very ignorant view. The major finance companies in the UK – those that really are at the heart of our banking industry – take this subject extremely seriously and put an enormous effort into building highly reliable systems that are moving huge volumes of transactions (and money) not only around our secluded island but right across the globe.

The problem is that it is a very complex network of systems – complex systems within each of those financial institutions, and complex systems connecting those financial institutions together.

That doesn’t mean it’s held together with loose bits of string, but with complexity comes risk. Not only the risk of monetary or reputational damage to the bank that suffers a system outage, but also the risk of that incident impacting the wider interconnected world of finance. Clearly, some institutions are closer to the thick of this than others.

Cyber is an increasing threat, though it’s one that everybody recognises. Whether everyone is putting all the right defences in place is a moot point (this blog has been written just after British Airways have suffered a hack on what appears to be a front-end booking system).

The other big factor today is the ubiquitous Cloud. Lots of companies are outsourcing parts of their IT estate to third parties and relying more heavily on Cloud services. That prompts the question of how much consideration is given to the effect of such outsourcing on operational risk. How stringent are the agreements about keeping services up and restoring them at speed should they fail?

Frankly, I can’t believe any third party will ever be as strongly committed to sorting a problem out as the company that is responsible for facing up to the Regulator when the dust settles. After all, the majority of those third parties aren’t financial institutions.


Taking a “Business Service” view

I was particularly interested to see that the discussion paper advocates that operational risk is most effectively addressed by focusing on business services, rather than by concentrating on individual IT systems, applications, and processes.

This was very much the approach taken when I was leading a review of systems a few years ago. A review based first and foremost on the delivery of a business service challenges everybody to come together and look at the end-to-end picture of the IT systems that support the company’s ability to deliver that service to the client or customer. It will also take into account how the business process works, which buildings are of vital importance, dependencies on key individuals, and how seamlessly third parties are integrated.

Going about a review in this way will require people from across the company to take part, not just the IT folks. And that’s a very engaging experience.


What should you be doing about it?

If you’re affected by the Discussion Paper (and it cites UK banks, building societies, insurers, PRA-regulated investment firms, and more), I’d recommend you plan to get ahead of the game. What constitutes a Discussion Paper today will soon become policy and regulation.

  1. Make sure you’ve got a clear understanding of what “business services” you offer to your customer base.
  2. Get your IT operational risks reviewed and make sure they are going to form a solid base from which to work. For example: if you’ve got more than 20 risks listed, or if you have cyber listed as a risk, then you’ve been given some poor guidance. Cyber is a source of threat, not a risk in itself; the risk is the business outcome it can cause, such as being unable to process payments or losing customer data.
  3. Go over your list of “self-identified” issues with a critical eye – make sure they each relate back via one of your controls to one of your risks; and make sure you know what you’re doing to fix each of them (and when).

Then you can start thinking about how your labyrinth of IT services goes towards supporting the business services you drew up in item 1.

Brian Lancaster is a Director at BLMS Consulting