Where next for operational resilience?
Chris Hamblin, Editor, London, 17 March 2021
The UK's Financial Conduct Authority defines operational resilience as the ability of financial firms to prevent, adapt, respond to, recover and learn from operational disruptions. As it plans to regulate in this area, the compliance software firm of Capco has published a small treatise on the subject, authored by the expert Will Packard.
As part of their efforts to make financial firms' operations more 'resilient,' i.e. less swayable by IT disasters, regulators are concentrating on the ways in which they outsource various functions to third parties and manage the risks that arise when processes that underpin the performance of services are involved.
The paper looks at the way in which firms should use third parties that are involved in the delivery of important or crucial business services using three tricks from Capco’s approach to operational resilience – preparing, managing and learning. Firms have to align third parties with their approaches to operational resilience and meet the regulators’ expectations of they ways in which they should manage those third parties at the same time.
British regulators have defined outsourced third-party services as those that would ordinarily be carried out by a firm when it performs services. They further say that "material outsourcing" happens where the weakness or failure of a service would make it unlikely that the firm could meet its regulatory obligations. This, by default, includes the performance of "important business services" within "impact tolerances." As a result, the FCA's incoming wave of operational resilience regulation is going to add to firms' obligations when they engage third-party outsourcing providers. Capco thinks that firms ought to define third-party outsourcing providers as those entities that are directly involved in performing any services that those firms do not control directly. This takes in all manner of regulated firms.
From the perspective of operational resilience, firms need to be cognisant of - and comfortable with - two primary elements when they outsource jobs to third parties:
- Capability – does the third party have the necessary resources and management in place to continue to satisfy the contractual agreements/service-level agreements when disruptive events strike?
- Control – in the event of disruption, will the needs of the firm be appropriately prioritised by the third party in terms of resuming services?
If a firm uses a third party to perform an important business service, the service provider should at least be as ready and able to cope with disruption as the firm would be itself if it were not outsourcing the function in question. This is particularly relevant if the third party is not a regulated entity.
If a third party further outsources (sub-outsources) parts of the process to a fourth party, the same standards should apply to that party. The service provision should be viewed end-to-end. Internal third parties should be assessed in the same way as their external counterparts in terms of capability and control.
Capco's working definition for internal outsourcing is a process by which the legal entity that provides the services is not the same as the one that transacts the business. This can be tempered if the entity that provides the service is regulated in the same jurisdiction, or if the service provider is a subsidiary.
From a control perspective, Capco argues in favour of a written agreement among managers to govern "prioritisation" that covers both the reporting and servicing legal entity.