Sponsored by ?

This article was paid for by a contributing third party.More Information.

A growing focus on op risk

A growing focus on op risk

Operational risk and resilience have taken centre stage over the past year. While op risk concerns all systems and controls that deliver effective solutions against the risks financial services businesses regularly face, Jonathan Peddie, partner at Baker McKenzie and chair of its Financial Institutions industry group, explores those that concern IT and outsourcing-related failures

Jonathan Peddie, Baker McKenzie
Jonathan Peddie, Baker McKenzie

While business continuity planning has always been important, the growing number and impact of IT-related events – linked to increasing digitalisation and outsourcing in financial services – have changed priorities. Andrew Bailey, chief executive of the UK Financial Conduct Authority (FCA) and incoming governor of the Bank of England, told the UK Parliament’s Treasury Select Committee last year (in evidence): “As we have hopefully mitigated some of the key risks of the financial crisis, the relative standing of operational risk – both growing as a risk in its own right, and as we have mitigated other things – has come up.”1 

The UK authorities are not alone in responding to op risk. The European Commission is consulting on harmonising European Union rules to make the financial sector more secure and resilient – with cyber attacks a particular concern. The upshot is that the authorities are giving heightened attention to op risk and the need for resilient systems and processes.


The consequences of failure

Last year’s events exemplified this trend. Joint action was taken by the Prudential Regulation Authority (PRA) and the FCA against Raphaels Bank, a small retail bank offering prepaid cards and charge cards in Europe. Following a technology malfunction by the bank’s outsourced card processor, there was a complete failure of IT services for more than eight hours, during which thousands of customers were unable to use their prepaid or charge cards. 

Raphaels Bank was found to have lacked adequate processes to identify and monitor these arrangements, especially over how they would support their continued operation during such a disruptive event. This resulted in a £1.9 million fine and probably an even larger dent in the bank’s reputation. 


Managerial accountability

Illustrative of the spotlight cast on op risk is the political pressure on regulators. The Treasury Select Committee’s report last autumn into significant IT failures in financial services made recommendations to improve operational resilience, including ensuring accountability of individuals and firms.

This reference to holding individuals to account is a reminder of the growing responsibilities on senior staff under the Senior Managers and Certified Persons Regime (SMCR). Regulators will, for example, look at the actions of the senior manager holding the chief operations function responsible for a firm’s internal operations and technology. Individuals who fail to take reasonable steps – including training or appropriate oversight – to prevent or stop regulatory breaches in their area of responsibility will be identifiable and liable to disciplinary action. 

The SMCR regime has applied to banks, insurers and large investment firms since 2016 and was extended to most of the sector last year. Although enforcement cases are slow in coming through the investigations pipeline, given the regulatory focus it can only be a matter of time before we see the first cases.


Building resilience

In December 2019, following a discussion paper, the PRA and FCA published a consultation paper entitled Building operational resilience – Impact tolerances for important business services. With this publication, the UK’s prudential and conduct regulators aim to strengthen the regulatory framework to improve operational resilience in financial institutions. The regulatory expectation is for the sector to identify its critical business services and then, crucially, to establish an ‘impact tolerance’ for each of them, setting maximum acceptable levels of disruption using severe but realistic scenarios. Where necessary, boards and senior managers must strengthen resilience for services likely to exceed their maximum tolerances, and this is where they should expect to be scrutinised and held to account by regulators.


What good looks like

What will firms resilient to op risk look like? According to the PRA and FCA, having identified their most important services, they should develop a comprehensive understanding of and map of the systems and processes that support them, including those that are outsourced. They need to understand the impact of an individual system or process should it fail, together with its substitutability or recoverability.

As with all business continuity preparation, regular testing of contingency plans is essential. Operational incidents are worsened by communication failures, so robust communication plans are vital to allow decision-makers to mobilise the resources necessary to resolve incidents and to manage the expectations of customers and business partners as relevant. A key element of any communication plan is compliance with regulatory notification requirements, for example, as required under the EU’s General Data Protection Regulation and second Payment Services Directive.

Firms can expect to see new resilience proposals from the regulators in the second half of 2020.

Jonathan Peddie is a partner at Baker McKenzie and chair of its Financial Institutions Industry Group

+44 20 7919 1222


Read more about Risk.net’s Top 10 operational risks for 2020

You need to sign in to use this feature. If you don’t have a Risk.net account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here