Sionic is sharing some of the findings from its latest survey and discussions with members of Sionic Signals – a forum for asset managers and owners.
Held on 30th March 2021, the Sionic Signals discussion hosted by asset management specialists Clare Vincent-Silk and James Hockley focused on how asset managers and owners are preparing for the forthcoming Operational Resilience regulation. Attendance was high, with representation from 20 asset managers and asset owners. The forum met the day after the Policy Statement PS21/3 – Building Operational Resilience was published by the Bank of England, PRA and FCA with the objective of strengthening operational resilience and preparedness across the sector.
Sionic’s analysis of the survey and discussion shows that:
- COVID-19 has been a wake-up call for firms in their response to Operational Resilience, with 64% ranking their Operational Resilience initiatives as high priority.
- Of those that participated in our survey, 70% have formalised programmes underway, with the majority having completed their impact assessments and key business process mapping. Interestingly, firms are split as to where responsibility for Operational Resilience lies. On the whole it is split between the Operations and Risk functions, with a smaller number seeing it as the responsibility of IT or Finance, or as shared between business function heads.
- One challenge is defining the scope across the business. However, a broad scope can only be a benefit, in particular when marketing to clients. Firms need to include all aspects of their ecosystems, including third-party service providers. 82% of respondents have made, or plan to make, changes to their third-party oversight and due diligence procedures. There is greater comfort around virtual ‘on-site’ due diligence, alongside enhanced security due diligence and increased team sizes for supplier management. Outsourced technology providers must not be forgotten, especially as they are thinly capitalised and unregulated entities.
- As anticipated, firms see cyber-attack as the greatest threat, with 63% having it in their top three, and there is increasing focus on detection and remediation as well as prevention. This is good news for CSOs and specialists in this field, with increasing demand and associated high salaries. Third-party system failure was a close second. In terms of “harms”, the inability to execute trades was also a significant priority.
- Very topical is the challenge of embedding better resilience around home working. Increased security training (e.g. phishing awareness) was the most widely implemented measure, alongside changes to process approvals, such as involving more people in sign-offs, and changes to seniority levels. Restrictions have been imposed on printing and network connections, and a number of firms have subscribed to cloud-based phone services that can record calls, integrating this with Teams.
- This is not going to be a positive time for those providing Disaster Recovery services: the pandemic has shown that working from home works. Three quarters of firms have made, or are planning to make, significant changes to their Disaster Recovery site requirements, and 18% have already cancelled, or plan to cancel, their contracts. Some firms still see a requirement for hardware-related activities such as paper scanning or printing.
In addition, it is clear that firms have made a good start and, so far, are in line to meet the PS21/3 requirement to have, by 31 March 2022:
- Identified their important business services
- Set impact tolerances for the maximum tolerable disruption
- Carried out mapping and testing.
Greater rationalisation of the operating model components and increased standardisation should also be a step in the right direction.