The regulator is raising the stakes for operational resilience
The risks of technological outages have been drastically underestimated industry-wide. This year, glitches have resulted in financial losses in the millions, mass customer exodus and significant reputational damage to the firms and their executives. But still, outage after outage makes the headlines each week, suggesting the industry is continuing to miscalculate the risks - just as they are set to increase.
After a wave of high-profile glitches, the Bank of England and Financial Conduct Authority (FCA) could not ignore the resulting disruption felt by the affected clients and customers. In July the regulatory authorities published a discussion paper, Building the UK financial sector’s operational resilience. The paper discussed why achieving and maintaining operational resilience - a firm’s ability to protect and sustain its core business functions when experiencing technological disruption - was essential to preserving critical financial infrastructure.
But most importantly it raised the stakes. An organisation’s senior executives can be caught in the crossfire if, under their watch, they neglect to put in place systems to prevent and recover from an outage.
The discussion paper maps out an accountability framework, already in action under the Senior Managers and Certification Regime (SM&CR), that will mean individuals with titles such as COO, CTO or CIO could be held personally responsible in the event of a technological glitch. Essentially, if the assigned individual fails to take the necessary steps to ensure operational resilience, they may not just face reputational and financial consequences: they will be personally open to fines, losing their working licence or, in more extreme cases, criminal charges.
Although the regulator won’t be knocking at firms’ doors after every outage, clear steps must be taken to prove that systems are in place to protect the customer. Some outages are unavoidable, but alarmingly more than 30 per cent of outages are caused by firms mismanaging their data systems, which is an avoidable scenario. Firms need to understand the steps they should take to ensure operational resilience to protect their clients, their businesses and the individuals within them.
ITRS Group highlights the essential checklist for maintaining operational resilience:
- Careful change management: when a migration or system upgrade is taking place, firms must understand when they need to halt the process to avoid the potentially disastrous consequences of not having the right systems in place. Revert to the old version if you are running out of time rather than putting yourself and your customers at risk with a poorly managed migration. And thoroughly test the change after it has been put live.
- Monitoring: your firm needs highly proactive monitoring to allow you to see what your systems are doing in real time. And real-time needs to mean real-time - not 60, 30 or even 15 seconds later. This insight is essential to shorten the time taken to identify an issue. For trading firms where markets move in milliseconds, the difference between real-time and 60 seconds could equate to hundreds or even thousands of dollars in losses.
- Load testing: you wouldn’t walk onto a bridge without first testing that it was safe, so why do the same with your IT systems? To know for sure that your production environment is going to run properly, tests must be run so you can understand what it can withstand. By running these tests across all of the infrastructure and software you can avoid glitches caused by poor capacity management.
- Resilient architecture: failure of software or hardware will happen, so systems need to be able to ‘fail over’ sufficiently quickly to achieve the required availability. It is essential to know any single points of failure where resilience isn’t available, and to monitor these particularly carefully. A manual recovery plan is required for these.
There’s no getting away from it. Regulation around operational resilience will surface next year and will likely be in force the year after. Firms need to be ready, and ITRS Group is committed to helping find the solutions to stay compliant.