The operational resilience of the financial market infrastructure is crucial to UK financial stability and financial services firms should step up efforts ahead of new rules that come into force next year.
At least, that was the message from Sasha Mills, executive director at the Bank of England (BoE), who said “testing the unlikely” should become common practice for financial services firms.
Ahead of the BoE’s new Operational Resilience Policy, which will take effect in March 2025, Mills outlined the key expectations for banks and other finance players in a speech at the London Institute of Banking and Finance.
The City insider explained to attendees that the policy is designed so “crucial bits of financial market infrastructure are able to respond to and recover from an extreme but plausible disruption scenario before the market or payments ecosystem it serves is destabilised.”
Mills went on to provide more detail about where the focus of such market infrastructure providers should be in terms of building this resilience.
“Confidence in financial services is critical to having a vibrant and prosperous economy,” she stated. “So when the underlying infrastructure fails, this confidence can be damaged, and this puts financial stability and growth at risk.”
“When we talk about firms being ‘operationally resilient’, we mean firms can prevent, respond to, recover from, and learn from these disruptions.”
Obviously, disruptions could come from a variety of places. Cyber-attacks are one of the most frequently cited risks to UK financial stability the Bank of England sees in its industry engagement, but Mills is also concerned about events like natural disasters or operational errors.
Over recent years, the BoE put in place policies on Operational Resilience, and outsourcing and third party risk management.
Operational resilience
Coming up with a standard for Operational Resilience is more complex “than simply asking firms to always run flawlessly, across all business areas,” Mills said.
“Firstly, it is impossible to prevent every disruption or disruptions of every conceivable kind. And secondly, some operations are more important than others.”
The first component of the BoE’s Operational Resilience policy asks financial firms to identify which business services are important to financial stability, or put another way, services which, if disrupted, could threaten financial stability.
“Then, we ask firms to say what level of disruption those important business services could experience before risking financial stability, and we call this an ‘impact tolerance’,” Mills continued.
“While expressing impact tolerances in terms of time is necessary to plan for continuity of an important business service, finance firms should consider if there are other metrics that could play a useful role,” she explained during her speech in London.
“Now, having processes and operations which meet this bar does not happen overnight, so we have given firms several years and a deadline of March 2025 to meet this required standard of resilience.”
Testing approach
One area that still requires significant work, as Mills put it, is the approach and method firms use to test disruption to important business services.
“How firms design the scenarios used to test their ability to respond to and recover from an incident, is critical to ensuring firm’s capabilities are adequate,” she said.
“For example, firms should be asking themselves the following questions: Are the scenarios extreme enough? How many scenarios are sufficient to ensure the risk has been looked at from several angles? Do the scenarios ‘think the unthinkable’?”
Mills said the BoE wants to see firms prevent incidents where they can, and it needs to know they know what to do when things do go wrong and ‘the worst’ does indeed happen.
“Mature scenario testing requires depth and consistency of approach across scenarios and the design needs to be really clear: the cause of the disruption, the scale of the disruption and the key risk factors and vulnerabilities that are being tested are clearly set out,” she said.
“Test the unlikely. Think the unthinkable. Yesterday’s ‘unlikely’ may be tomorrow’s reality, and finance firms need to consider this.”
– Sasha Mills
Mills also expects to see firms working to ensure that the ‘extreme but plausible’ scenarios they have planned for directly link to the risks and vulnerabilities they face and have mapped.
“This is not an off the shelf set of scenarios,” she stressed.
“It is important that the scenarios chosen are indeed of an ‘extreme but plausible’ scale. What could these be? Well, loss of an important third party provider, or a severe cyber-attack impacting multiple data centres at once could be a couple of examples.”
Testing for these kinds of scenarios helps ensure firms are “thoroughly testing their response and recovery capabilities,” Mills continued.
“It also means firms are challenging assumptions they may be making about the suitability of their response and recovery plans, especially over what will happen over longer timeframes or within heightened impact scenarios.”
Testing quality
Mills said that firms need to do further work to improve on the sophistication of their testing approaches, looking for testing methods in addition to tabletop and desktop exercises.
“Testing types and methods should be as realistic and sophisticated as possible, covering recovery of all critical systems, services, and data, whilst also of course ensuring the testing itself does not introduce any additional risk,” she warned.
Operational resilience testing should also consider the impact of disruption on the wider eco-system that the firms operate in, and firms should increase their efforts to involve critical third parties and their participants within their testing, the BoE veteran told attendees.
“This could be through industry wide tests as well as tests designed and tailored by a finance firm or bank, to test impact and recovery actions, both for themselves and their participants and wider ecosystem.”
“Mature scenario testing requires depth and consistency of approach across scenarios and the design needs to be really clear.”
– Sasha Mills
Moreover, the BoE expects firms to prioritise their efforts on scenario testing over the next year so that they can identify vulnerabilities sufficiently early to remediate them before March 2025.
“We will be continuing to look over the coming year for robust remediation plans from financial firms, with appropriate funding and resources dedicated to address weaknesses found during testing.”
Mills added that “the speed at which vulnerabilities are remediated should reflect the potential impact to the financial sector that disruption, associated with that vulnerability, would cause.”
For Mills, it’s vital to “test the unlikely. Think the unthinkable. Yesterday’s ‘unlikely’ may be tomorrow’s reality, and finance firms need to consider this when deciding what scenarios are extreme but plausible.”
Data integrity
Apart from running more and better tests, firms should also need to consider how data integrity, or lack of, may impact time to recover – any recovered data that will be used in critical processes, once restored, needs to be checked to be accurate, complete, valid, and reliable, Mills noted.
“Obviously as supervisors we will probe how firms are thinking about these questions, this is not ‘one size fits all’,” she stressed.
Having identified the important business services and impact tolerances, the BoE expects firms to show they can meet those impact tolerances – that is to recover their services within tolerance – under a variety of “extreme but plausible disruption scenarios,” Mills noted.
Priorities
Apart from testing methods, less than a year out from the March 2025 deadline, there is still a lot of other work for financial services firms and the BoE, Mills continued.
“Over the past few years, the Bank has been engaging with firms to understand their progress towards meeting this regulatory deadline. We are encouraged by some progress that has been made, however there is still considerable work to be done for many financial firms,” she shared.
When thinking about how firms implement the Operational Resilience policy, Mills said the BoE considers the wider business model and company structure they operate within.
Whilst the March 2025 deadline represents a significant milestone, “it is also not the end of the story and should not be seen as a ‘one off’ event – after the deadline, firms will need to continue to monitor and improve their operational resilience as risks and technologies evolve,” she said.
Stay up to date and receive our news, features and interviews for free
Our e-newsletter lands in your inbox every Friday. Sign up HERE in one simple step.
Mills pointed out that “cyber threat actors who seek to harm the financial system will not stop developing their techniques, so firms need to remain vigilant to the changing threats they are exposed to.”
Emergence of new tech
Mills told attendees that the BoE thinks that firms need to make sure that they are both addressing known vulnerabilities and taking into account changing or increasing risks, for example from increasing digitalisation and the emergence of new technologies such as cloud services, artificial intelligence, or Distributed Ledger Technology (DLT).
“Whilst these emerging technologies can bring efficiencies and improved risk management, firms also need to be aware of and manage the risks when these technologies are introduced to their ecosystem, risks from either adoption of these technologies within their businesses or use by customers and suppliers.”
Moreover, “some technologies may also heighten threats from malicious actors – such as AI or quantum computing being leveraged to make cyber-attacks more powerful,” she said.
Expectations
Over the next year, as the March 2025 approaches, the BoE expect to see firms accelerating their efforts to ensure that they have “calibrated their tolerance for negative impacts on their important business services, and mapped the key people, processes, technology, facilities, and information needed to deliver these services,” Mills explained.
She added: “Firms should then be fully testing their ability to remain within impact tolerances for ‘extreme but plausible’ scenarios – ensuring that response plans and capabilities are robust, and where not, that strategic investment is being made.”
Mills called this “a key requirement.”
“For the calibration of impact tolerances, we expect to see greater engagement than we have seen thus far between firms, their participants, and the wider market.”
She concluded by saying that “when designing impact tolerances, firms should ensure they are considering the impact of disruption to their services on the market they serve – recognising that, where an incident is not contained within a short period of time, this could cause contagion and additional risks to crystallise.”
NEXT WEEK
ON MAY 15 IN NEW YORK CITY
DO NOT miss our upcoming Financial Forum in NYC
