Earlier this month, the Financial Conduct Authority, Prudential Regulation Authority and the Bank of England published a discussion paper on Building the UK Financial Sector’s Operational Resilience.
The paper explores how boards and senior management should work to minimise the risk of disruption to financial services from, for instance, a cyber attack or other technological failing.
We look here at the role boards should play in setting strategies for resilience and continuity.
What operational resilience challenges does the finance sector face?
Launching the paper for discussion, the FCA says that operational resilience challenges have become ‘even more demanding’ as a result of ‘a hostile cyber-environment and large scale technological changes’.
Any operational disruption can impact infrastructure, firms and consumers. It can affect financial stability by interrupting the supply of essential services.
What does the discussion paper propose?
The paper focuses on how, in the event of any disruption, ‘the provision of these products and services can be maintained within reasonable tolerances’.
In particular, it suggests, firms should focus their response on ‘The speed and effectiveness of communication with the people and institutions most affected, in particular customers’.
Any plans should assume that disruption will occur, as well as trying to prevent it.
Board-approved tolerance levels for disruption should be set, so that firms know how much interruption they can face while maintaining some semblance of ‘business as usual’. The most important business services should be identified and prioritised for continuity in the event of any disruption.
What is the board’s role in operational resilience?
As with all business strategy, the board of directors plays a central role, setting the course of action by the firm and taking important decisions on future direction and priorities.
This will include deciding how much tolerance the organisation has for business interruption. The paper says that:
‘Setting impact tolerances which quantify the amount of disruption that could be tolerated in the event of an incident may be an efficient way for boards and senior management to set their own standards for operational resilience, prioritise and take investment decisions’.
Boards need to decide how much time and money should be devoted to mitigating solutions. What is the tolerable outage time for the business, and what investment is acceptable to prevent exceeding this? A recent report suggested that many directors are focused on risk at the expense of success. A balance needs to be struck.
They need to understand any regulatory implications – do any specific rules apply to their sector, and affect tolerance levels?
The board and senior management will also be central to any communications strategy around the disruption. The paper is clear that swift communication with any impacted parties is vital, so a definite plan of action to inform customers and stakeholders is essential.
Your directors need to understand all the ramifications of any disruption. Having a full picture of the organisation and its operations is essential – yet an executive coaching expert believes that many directors fail to do their homework and therefore don’t understand the background to the decisions they have to make. Make sure this isn’t a trap your board members fall into by ensuring they have all the information they need.
Identifying and mitigating risk is a core responsibility of the board, according to new corporate governance principles outlined recently by the Financial Reporting Council. Business interruption, whether from cyber attack or other digital disruption, or any other cause, is a key risk faced by firms in all sectors.
But with the financial industry’s increasing reliance on technology, and the centrality of our banking system to almost everything we do, it’s a particular threat for banking and financial services.
Give your board the tools they need to deliver
Ensuring your board can mitigate the risks your organisation faces means giving them the information they need to make rounded, informed decisions. It means making board meetings – both the preparation and the meeting itself – as efficient as possible to maximise the limited time CEOs and directors have.