Operational resilience in the face of technology innovation
Innovation continues to advance across the financial services industry with more market participants using new technology to enhance their business operations, improve resilience, automate and enhance cyber capabilities and identify novel ways to deliver offerings.
Cloud services are being leveraged to provide scale, deliver business efficiencies and standardise technology stacks. Artificial intelligence (AI) and machine learning (ML) are allowing financial institutions to better utilise their cybersecurity staff and improve their abilities to identify anomalous behaviours. Distributed ledger and blockchain are providing new capabilities to re-imagine how financial services are delivered as well as providing a future framework for user identification.
While the value of new technology adoption is known, every benefit can come with a measure of risk, including the potential impact that an operational event could have on the financial ecosystem where interconnectivity continues to grow. As a result, any technology implementation must be continuously evaluated to identify potential weaknesses inherent to the nature of the technology or how it is being utilised.
Financial institutions are keenly aware of the dangers posed by cyber risk. DTCC’s annual Systemic Risk Barometer, which acts as a pulse check to monitor risks that may impact the safety and soundness of the global financial system, showed that risk managers continue to consider cyber risk as the greatest threat to the global financial markets. The geopolitical landscape serves only to increase the cyber threat as conflicts escalate.
As the threat of an operational event continues to grow, financial authorities and institutions must focus not only on the detection and protection of business information and operations but also on their ability to rapidly and safely recover from these events.
Operational resilience focuses on the capabilities that financial institutions must develop to enhance their overall preparedness to restore business operations. In support of this, financial authorities and institutions partnered to develop the Basel Committee on Banking Supervision (BCBS) Principles for Operational Resilience. These principles set the foundation for new rulemaking in this area.
The pillars of these principles include:
- identifying and documenting critical operations;
- determining the maximum allowable downtime for the critical operations;
- developing process maps for each critical operation;
- determining extreme but plausible scenarios and building resilience capabilities where possible; and
- extending resilience through the third party/supply chain.
Incidents like SolarWinds and Kaseya demonstrate the potential impacts that a third-party operational event can create and, therefore, focus must continue to be directed towards how the financial services industry can effectively raise the preparedness of its supply chain within this evolving threat landscape. This risk is particularly important considering many financial institutions are actively using information and communications technology (ICT) vendors for cloud, AI, and ML services.
Fortunately, the dialogue between financial authorities and financial institutions continues to increase around the topic of operational resilience and third-party/outsourcing risks, which will likely shape expectations and strengthen preparedness across the global financial services industry.
Understanding that operational resilience is not a destination but a continuous journey will foster an approach that is evolutionary. Rulemaking should address today’s risks while being flexible enough to address those risks on the horizon.
Ultimately, how financial institutions manage through operational events and how quickly they recover will be critical to ensuring continued confidence in the financial markets and to collectively preserving the integrity of the financial system. It will take the entire industry working together to foster this result.
About the author
Jason Harrell is managing director, operational and technology risk and head of external engagement at DTCC. In this role, he partners with industry peers, supervisors and regulators, international standards-setting bodies, government officials and trade associations to address policy initiatives and implement solutions that improve the overall resilience of the financial services sector.
Harrell contributes to a number of global trade association cyber and operational resilience working groups and is currently vice chairman of the Cyber Risk Institute, a non-profit coalition of financial institutions and trade associations focused on aligning cyber risk frameworks to supervisory cyber obligations.
Prior to DTCC, he was the corporate senior information risk officer for BNY Mellon Investment Management.
Harrell has over 20 years of experience in IT, privacy, and cybersecurity risk management within the financial services sector.