Following the publication of the Discussion Paper by the Bank of England and FCA last Summer, Operational Resilience continues to be a growing topic for all regulated Financial Institutions, and the challenge for Building Societies is no exception. There appears to have been some growth in the number of specific posts created for Operational Resilience over the past twelve months, indicating perhaps that FIs are recognising a need to take an holistic and business services-orientated approach, rather than the traditional approach of focusing on systems and processes.
Most recognise the complexity in the multiple challenges faced to ensuring operational resilience, and whilst managing these challenges within one’s own organisation is one thing, managing the same challenges in third parties is altogether another; let alone fourth parties and beyond. The growth in technology and digital services has almost certainly compounded the issue, especially when one considers the sheer number of fintech start-ups in the past few years alone, upon which many FIs are relying to provide key services to their customers.
The successful management of third parties is being recognised as one of the most critical components of managing operational resilience, but for this to be truly robust FIs need to gain the same holistic insight into their third parties that they require within their own organisations, and there lies a challenge. What information is needed about the third party to ensure the business service is operationally resilient? How does one go about finding out this information and will third parties actually provide the information requested, particularly if to do so may be seen as a commercial risk to their business? How is the information kept updated on a continual basis throughout the period the third party is being used?
The extent of the challenge can be illustrated in data collected from around 3,000 third parties to a group of almost 20 FIs, large and small. Of those that provide services that need to be recovered in less than 2 hours, 90% have a Business Continuity Plan (leaving 1 in 10 that do not) and 30% are reliant on fourth parties. Of those that do have a BCP, 88% test the plan at least every 12 months but only 24% test at least every 6 months. On a slightly more positive note, 87% have a requirement in their policies to notify their customers of any incidents that impact the services provided. It would appear from this and other data collected that there is still much more to do to ensure all third parties are operationally resilient.
One thing is for sure; all FIs are facing the same challenges to a greater or lesser extent. It might be argued however that the smallest of regulated firms face a greater challenge as a result of their fewer resources and lower overall leverage over their third parties. And this presents an opportunity; for FIs to collaborate in a common approach to having the insight they need into their third parties, leveraging a collective power whilst making things much simpler for their third parties at the same time, by allowing them to provide information once that can then be shared.
It can be argued that there is no competitive advantage of each FI managing this problem alone, and that collaborating with peers to pool knowledge and expertise, whilst perhaps gaining a greater and more consistent insight into third parties, can only be a good thing.
Hellios Information is an organisation that collects and validates third party data on behalf of a growing community of financial institutions including Hinckley & Rugby, Nationwide, Bank of England, Lloyds Banking Group and RSA Insurance.
Philip will be on the ‘Operational Resilience’ panel session on Friday 24th May 2019, alongside Hinckley and Rugby, Stafford Railway and Nationwide Building Societies. The session will explore the management issues for our sector arising from the supervisory authorities proposed requirements and suggest some options for working collaboratively to address some of these challenges that our regulators have given us, focusing on the example of managing key third party relationships.
Find out more at https://www.bsaconference.org/seminar/operational-resilience/