The Central Bank’s current strategic plan has a core aim of strengthening the resilience of the financial system. Noel O’Grady of Sungard Availability Services explores its guidelines for achieving this objective
In its Strategic Plan 2019-2021, the Central Bank of Ireland set out strategic priorities for Ireland’s economic landscape based on a set of strategic themes, statutory objectives and organisational objectives. One of the core aims is to strengthen the resilience of Ireland’s financial system, so that it is better able to withstand external shocks and future crises.
The plan was drafted in response to the major changes underway in Ireland’s financial services sector, driven mainly by the forces of rapid technological innovation, growing economic clout on the world stage, and major shifts in European banking regulations. While these will all be hugely beneficial for the country, preparations must be made for the sheer scale of change on the way, as Sharon Donnery, Deputy Governor of the Central Bank recently stated, “the wide range of possible future paths means building resilience is not only desirable, it is necessary.”
Clearly, the effective and robust use of technology will play a central role in this change. However, the Central Bank has recently scrutinised the resilience of Irish firms, noting “particular weaknesses in the area of governance risk management and business continuity management” in a report on IT-related risk. While firms in the financial services sector are finding new ways of delivering value, being more agile and improving cost efficiencies through technologies such as cloud, modern applications and hyperextended supply chains, they must also be aware of the new risk landscape this has created.
Taking stock of capabilities
Conducting IT risk assessments at regular intervals is critical for ensuring resilience. Assessments should be comprehensive, consider internal and external sources of risk, and use appropriate parameters for evaluating and prioritising risk, such as risk likelihood and potential impact on the business operations of the firm. Notably, firms in the financial services sector must set ‘impact tolerances’ for each important business service. These are thresholds for the maximum level of disruption that can be tolerated before consumer protection and/or market integrity becomes compromised.
Impact tolerance is expressed through specific outcomes and metrics, which the report stipulates should always include the maximum length of time for which a disruption can continue. It can also comprise other considerations, such as the volume of disruption: for example, the number and types of consumers affected, or a measure of the data that has been breached, stolen or lost. When setting impact tolerances, banks need to consider any factor that will drive a significant increase in demand for business services, as these are the times when availability is most critical.
Once this has been set, organisations can set about finding ways of expanding their impact tolerance – for example, hosting private data centres within co-located facilities or arranging for workplace recovery solutions.
Demonstrating business continuity capabilities
Given the huge importance that both businesses and consumers attach to being able to view and access funds, firms must regularly simulate a range of severe but plausible disruption scenarios and conduct lessons-learned exercises to strengthen their ability to respond to real-life disruptions. This shouldn’t focus only on preventing incidents from occurring, or on the probability of an incident taking place, but also on the response and recovery actions firms would take to protect the continuity of operations.
Scenarios can be based on anything from the loss or reduced provision of technology to the unavailability of facilities, key stakeholders or third-party services. An effective method of conducting tests is to base scenarios on previous incidents or near misses from across the financial sector and in other sectors and jurisdictions. Firms could also consider future risks, such as evolving cyber threats, technological developments and business model changes. An example of this can be seen in The Bank of England’s recent announcement of its plans to perform climate change-related stress tests on the UK’s top banks and insurers, to assess how firms would deal with more frequent weather events and mass sell-offs of “brown assets” – those considered detrimental to the environment.
Vetting the resilience of outsourcing agreements
According to a recent survey by the Central Bank, there are a total of 7,700 outsourcing arrangements reported by firms in Ireland’s financial services sector, of which 3,600 were deemed to be “critical” or “important.” This is driven largely by the rapid adoption of cloud computing, due to its benefits in terms of mobility, speed and the ability to launch new products and services quickly. However, with a majority of firms relying on third parties for cloud infrastructure, they not only need to be aware of the resilience of their own systems, but must also be able to trust in the resilience of third-party providers and the technology solutions they provide.
Firms must carry out due diligence to ensure that the third parties they use to connect with their customers adhere to standards similar to their own. For example, third-party providers may sit outside a firm’s regulatory perimeter, or in multiple jurisdictions with different, or lower-quality, resilience requirements. Firms should therefore thoroughly investigate how third-party relationships could undermine their ability to absorb disruption, asking questions such as: which legal jurisdiction is the provider subject to? What physical security characteristics does the provider offer (e.g. physical controls in the data centre or staff vetting)? Are there suitable arrangements for dispute resolution?
With the right backup and cloud storage provider effectively acting as a first line of defence against both expected and purely circumstantial disruption, businesses will be able to establish an infrastructure built with resilience and prepared for every eventuality.
The future of financial services
It’s the responsibility of each regulated firm in Ireland’s financial services sector to review current practices and make any necessary enhancements to mitigate the risk brought on by technological change. Firms should engage in ongoing supervisory activities to check up regularly on their resilience capability and the effectiveness of their business continuity planning. Moreover, under increasing scrutiny from regulatory bodies, both domestically and institutionally, to protect the economic interests of businesses and consumers alike, being able to provide evidence of these two capabilities will be especially important.
In increasingly complex and fast-changing business environments, firms must be able to prevent, adapt to, respond to, recover from and learn from disruptive operational incidents. The Irish financial services sector must not only be aware of the threats of disruption that come from within and outside, but also be able to anticipate them. Being resilient and ensuring availability will be critical for Irish consumers, businesses and our economy as a whole.
- Sungard AS specialises in IT disaster recovery, managed IT services, business continuity, and consulting