Over this series of three short blogs (all posted today), I’ve begun to explore different aspects – in this case Governance, Risk Tolerance and Outsourcing – of the regulators’ recent consultation papers on operational resilience and their potential impact on firms and the industry as a whole.
The recently published consultation papers on operational resilience are the latest step towards raising the bar of regulatory expectations for governance in financial services. The vehicle for this is SMCR, only last month extended across the industry, which is turning into something different from (or at least beyond) what the Parliamentary Commission on Banking Standards (PCBS) envisaged back in 2013. This is not to say the evolution is wrong, but it’s important to understand how far from its origins these proposals take us and the challenges that lie in wait.
The original purpose of SMCR was to prevent a recurrence of regulators not being able to hold senior management to account for their actions during the financial crisis. However, while we are still waiting for genuine SMCR enforcement cases to come through, regulators, most notably the new Bank Governor Andrew Bailey, have put great emphasis on its role in improving the culture in firms. Separately but relatedly, each new regulatory initiative now requires a Senior Manager (SM) to be accountable for it. For operational resilience, this will be SMF24, the Chief Operations Officer.
Arguably, this was all implied in the original concept of SMCR, but the cultural aspects have been given steadily greater attention, and the specified accountability for new initiatives introduces some complications around firm governance. For operational resilience, there are four aspects in particular that need to be sorted out over the next few months and years:
1. Designed in 2013 to fix a 2008 problem, SMCR has a primarily vertical view of the world. However, operational resilience, and climate change for that matter, needs to apply horizontally across the firm, so assigning accountability to a single SM creates a series of dependencies with other SMs (who will have vertically-organised accountabilities).
2. The crisis exposed many NEDs’ and Executives’ relative lack of specialist knowledge about the highly complex risk profiles of their firms. Subsequent, and planned future, regulatory initiatives have only made this weakness more acute. The combination of these operational resilience proposals and the increased individual accountability of SMCR will add to this.
3. By its nature, creating an effective operational resilience framework will be an iterative process. It isn’t yet clear how this will fit in practice with the more binary language of SMCR around ensuring compliance and control. Whatever the answer, it is likely to involve new interpretations of the “reasonable steps” concept.
4. Setting risk tolerances will require many firms to re-think their business models. Formalising these thresholds and giving them substance will force firms to articulate their approach to operational resilience in a way only a few have done so far (see next blog). This may well set off a domino pattern of implications for many of their lines of business.
The Bank of England, PRA and FCA have today published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.