Over this series of three short blogs (all posted today), I’ve begun to explore different aspects - Governance, Risk Tolerance and Outsourcing - of the regulators’ recent consultation papers on operational resilience and their potential impact on firms and the industry as a whole.
Risk tolerance is a well-understood term among financial services professionals. There is some overlap in meaning with risk appetite and risk limits, but the idea of setting a limit on the amount of risk a firm is prepared to tolerate in a given area is familiar to many. And the regulators’ illustration of the concept in the Operational Resilience Discussion Paper (the period of time, two days is suggested, for which a firm would be willing to tolerate an outage) supports this familiarity. However, little of the commentary so far has explored the implications of applying risk tolerances in practice.
These implications are profound and, over time, are likely to reshape how firms think about their business models. As a starter, here are five that warrant careful consideration as the dialogue with the regulators develops:
1. Firms’ contingency plans to prevent an operational event extending beyond tolerance will, in some cases, need significant resources behind them if they are to be credible. In some instances, this will already be factored in, but in others the scale of the resources required may come as a surprise.
2. The governance implications have already been touched upon in the first blog of this series, but it’s worth adding in this context because operational resilience events often involve a high degree of uncertainty. In particular, the central importance of technology, the potential for a direct impact on customers, and the frequent presence of conscious opponents (e.g. hackers) often make operational resilience events qualitatively different. Even well-laid governance and escalation plans can prove fatally flawed when faced with an unforeseen scenario.
3. Establishing risk tolerances may also lead to firms reviewing their investment plans and, for example, increasing the priority given to replacing legacy systems for which it is difficult and/or prohibitively expensive to provide a substitute. This, in turn, might have knock-on effects on wider strategy.
4. There is also the possibility that the regulators’ view of acceptable risk tolerance may differ from that of firms. Regulatory orthodoxy is that individual firms will typically have a lower risk tolerance than a micro-regulator such as the PRA or FCA, which will in turn have a lower tolerance than a macro-regulatory body like the FPC, which is focused on the system as a whole. Operational resilience will test this theory.
5. Linked to this, the regulators’ argument that operational resilience is analogous to Herstatt risk raises the possibility that the endgame will include a set of common risk tolerances (even if only at a high level). My impression is that this is not how many firms currently see operational resilience. If I am right, it will be quite a journey to get to a set of collective industry standards.
The Bank of England, PRA and FCA have today published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.