The Prudential Regulation Authority (PRA), the Bank of England's banking regulator, said the financial sector must improve its operational resilience, in its first annual review of the topic since the rules came into force last year.
In particular, David Bailey, executive director of deposit takers supervision at the PRA, said there were too many outages. The most frequent operational incidents were payment failures, app and website outages, and disruption caused by third parties.
“These incidents often attract significant attention from both customers and the media, emphasising the need for demonstrable resilience to underpin broader confidence in the financial sector,” he said.
Under the rules, firms must first identify their important business services, taking a holistic view of what they deliver rather than assessing individual systems in isolation. An important business service is one the firm provides to an external end user whose disruption could threaten regulatory objectives.
Second, firms must set an impact tolerance for each of these services: a time-based threshold (such as the maximum tolerable period of disruption) beyond which a disruption would threaten those regulatory objectives.
Finally, firms must map the dependencies that underpin each service and test whether they can stay within their tolerances, so that they can demonstrate to the regulator that the services are under control. “Firms’ testing strategies should incorporate the risks and vulnerabilities they will face in severe but plausible scenarios and then demonstrate how they will remediate any disruption in a timely manner,” said Bailey.
The review was published alongside a Bank of England consultation on outsourcing and third-party risk.
One of the key risks the consultation identifies is concentration risk, which arises when many firms depend on the same small set of suppliers for their core services. For example, if all banks are locked into contracts with the same few cloud providers, an outage at one provider could disrupt many firms simultaneously, turning a single supplier failure into a risk for the sector as a whole.
“The cloud services market is focused on a relatively small number of key players, and while that continues concentration risk is going to be an important area of focus for financial institutions and their regulators,” said Yvonne Dunne, partner at the law firm Pinsent Masons.
IRM’s sister organisation, the Institute of Operational Risk, provides an extensive series of guides on all aspects of operational risk. They are available here.