On Thursday 20th October 2022, technology leaders joined Airwalk Reply for our first-ever Financial Services Breakfast Briefing in London. In partnership with AWS, the session - The role of technology in Operational Resilience - tackled how to modernise Operational Resilience to take account of the ever-increasing direct-to-consumer digital channels, interconnectivity, and globalisation.
The expert panel was comprised of:
The session offered a slightly different perspective on Operational Resilience, with thoughts on what role technology plays, the function of the regulator going forward, and where organisations are getting things right. As a reminder for those who attended and a catch up for those who couldn’t make it, we’ve put together a roundup of everything discussed on the day.
The initial challenge of Operational Resilience is the fact that it’s made up of different, important initiatives which apply not just in the UK, but also globally. This adds complexity, as there is no single definition. When you add in the increasing number of non-regulated parties involved in digital transformation – such as Cloud Service Providers (CSPs) – as well as the demand for online platforms in an “always on” world, Operational Resilience can seem a mammoth task. It will likely take the same amount of time to embed and evolve as Financial Resilience (and the associated capital requirements), which took a decade to become core to the way FSIs operate.
Another risk facing Financial Services Institutions (FSIs) is that as those who built the legacy systems retire from work and with few of today’s generation of tech experts replacing them, there is a danger that those systems will cease to be adequately supported. Further challenges identified include complex supply chains which support critical systems, and the increasing reliance on non-regulated parties like Cloud Service Providers (CSPs).
Our panel agreed that there is a need to take a broader approach that does more than fulfil regulatory requirements. By seeing technology as an enabler for Operational Resilience and making it a strategic capability, FSIs can gain advantage by being more resilient, able to scale up, adapt to change and respond more effectively to threats.
There has traditionally been a clash of ideologies between risk management and technology professionals. For risk management, technology is often seen as the biggest source of risk, whereas for techies, Operational Resilience and regulation can be seen as a stifler of innovation. Of course, without successful collaboration, they are both correct.
Operational Resilience can be modernised, just as any other part of your organisation. However, our panel warned that if you’re trying to implement the minimum amount possible to fulfil regulatory requirements, it will be a challenge. This approach also suppresses the mentality that investment in real change is essential to move the needle; if you’re operating on legacy systems and a “traditional” mindset in your ways of working, it will be near impossible. And with those technical experts that built legacy platforms potentially reaching retirement age, the systems that underpin a bank’s mainframe, for example, can become a massive risk. Without adoption now, this will become an industry-wide issue.
Conversely, for those FSIs which see technology as an enabler for operational resilience, a way to make it a strategic capability and to gain an advantage, there is a real opportunity to minimise the impact when something goes wrong – or even prevent it altogether. Key factors in ensuring Operational Resilience are Security and Resilience as Code, as well as automation to remove the “human error” element and to free up your teams’ time. But to ensure the best protection, technology has to be used in conjunction with modern delivery principles and operating models. Your adaptability to change, how you set up your teams, their skillsets, and the way risk and security interact can be critical for success.
Whilst it’s almost impossible to eradicate threats completely, if you’ve built things in the right way, you have the right skills, have automated as much as possible, have built these principles into your code and therefore your systems, it massively reduces the impact if things do go wrong. And by building Security and Resilience as Code, integrating modern delivery principles, and taking a low-risk incremental approach, FSIs can achieve resilience for whatever changes the future brings.
Operational Resilience is still seen by many as something to be driven by the regulator; a manual, audit-driven exercise, with some FSIs taking a reactive rather than proactive approach. However, the panel reported that some organisations have already taken big steps in the right direction to change the operation of their technology estate, such as automation for documentation, security, and compliance and reporting. A few of Airwalk Reply’s clients have gone even further to encompass the automation of budgets, identification of gaps and risks in capacity and capability, providing visibility to any future resilience issues. In some instances, we’ve completely changed how our clients operate their technology estate. Not all of this is new technology; concepts such as Policy as Code and Secure Design were conceptualised a couple of years ago, but they can play a key role in Operational Resilience if done right.
Many FSIs are still in the midst of their digital transformation journey, but choosing a trusted, highly-experienced partner to help take things to the next level can be the difference between success and failure. By codifying more areas of the business, Airwalk Reply enable our clients to address any problems well ahead of time, ensuring there are no nasty surprises. With the use of data and automation to predict future resilience issues, teams who are no longer firefighting can focus more of their time on achieving their organisation’s strategic objective. Next steps would be to apply this to budgets, teams, capabilities, capacity, gaps and risks.
There is currently a lack of consistency, which slows things down and adds complexity for everyone, particularly the regulator. Regulations are being interpreted in different ways by disparate organisations, leading to the same problems being solved in all manner of different ways.
However, the regulator is beginning to build more frameworks and structure around how it expects FSIs to manage their critical systems, and is starting to examine how critical third parties (CSPs etc.) might need to become regulated as part of a resilient UK financial system. While this is still in early stages, the panel agreed that in general, there is a movement towards a different model of engagement and reporting by FSIs.
The panel also shared the view that the regulator may need to become more opinionated on how FSIs execute. As technology evolves and becomes more central to the way in which organisations tackle resilience, and the technology players become equally more integrated and critical, the regulator will need to be able to front up in different ways than before.
We’ll be holding more Breakfast Briefings in 2023, and we’d love you to join us! To keep up to date with all of our events, follow us on LinkedIn.