OPERATIONAL RESILIENCE

R&C: To what extent has operational resilience become a top priority for financial services regulators in the US? What factors are behind this trend?

Fagone: Prior to recent events associated with coronavirus (COVID-19), the dialogue between global regulators and leading financial services institutions increasingly focused on operational resilience as a core capability. This has been driven by a number of important factors. First, the interconnected nature of global financial services institutions and the utilities that support those firms. Second, the increasing reliance on third-party providers and a need to understand how those risks are assessed, managed and mitigated. Third, the direct harm to consumers caused by a number of high-profile events, such as data breaches and service disruptions, that increasingly highlight the fragility and susceptibility to disruption of the financial service infrastructure. Disruptions caused by COVID-19 will only reinforce and strengthen the resolve of the regulatory community in terms of focusing on operational resilience. We expect that in the postmortem of the impacts of COVID-19, regulators will focus resources on understanding the operational resilience capabilities of the financial institutions that operate within their respective mandates.

R&C: How are bank examinations – and related results – shaping the regulation of operational resilience? Are any new requirements for financial institutions (FIs) likely to emerge from these processes?

Hart: Discussions between some global regulators and leading financial services institutions have touched on the need to incorporate some degree of commonality in terms of the way in which firms define and assess critical services in order to facilitate cross bank comparisons. Some regulators have focused, among other things, on transparency in the rationale behind service level definitions, a clear articulation around the approach for setting impact tolerances, clarity around the manner in which plausible yet severe scenarios are defined and simulated, and linkage between scenario results and how they impact investment decisions around key controls. If history is any guide, leading practices as derived from on the ground discovery through examinations will likely influence their collective thinking. Perspectives are likely to evolve as they are exposed, through the examination process, to competing operational resilience models. With that said, we would expect, over time, that firms will be required to converge on some global standard.

Jul-Sep 2020 Issue

KPMG LLP