Series 6 Episode 2: Building the mosaic - a threat-led approach to operational resilience

In our latest episode, host Tessa Norman is joined by Duncan Scott and Danny Chamings, Directors at PwC UK, and Moira Cronin, a Partner in PwC Ireland, to explore how firms can build operational resilience against the backdrop of an increasingly complex risk environment.

Our expert guests discuss the evolving regulatory approach to operational resilience in the UK and EU, focusing on firms’ progress towards upcoming deadlines for the EU’s Digital Operational Resilience Act (DORA) and the UK’s operational resilience framework, and the practical steps they can take to prepare. Our guests also share insights on how firms’ approaches to enhancing resilience can mature over time, and what lies ahead on the operational resilience agenda beyond this year and next.


Transcript

Tessa Norman: Hello everyone, and welcome to the latest episode of Risk and Regulation Rundown, the podcast where we share our views and insights on financial services, risk and regulatory hot topics. In today's episode, we're going to be talking about how firms can build their operational resilience. We're going to be talking about some of the practical steps they need to take to meet upcoming deadlines for UK operational resilience rules and the EU Digital Operational Resilience Act, known as DORA, some best-practice examples of what good looks like, and how to build resilience for the future. I'm delighted to be joined by Duncan Scott and Danny Chamings, who are both directors at PwC UK, and Moira Cronin, a partner at PwC Ireland, who are joining us today to share their insights and experiences in the market with us. Let's start with the UK operational resilience framework, which has an implementation deadline of March 2025. I know it's going to be front of mind for a lot of our listeners. Duncan, where are firms currently at in their operational resilience journey, and how much work is there to do in order to meet that deadline?

Duncan Scott: Thanks Tessa. It's great to be back talking with you again on this important topic. To your question, I think it's well worth stepping back and just considering where we are in the regulatory cycle. I remember talking on an earlier podcast and other blogs that we've written about it being a marathon rather than a sprint. We're now very much towards the end of that, so we're feeling that sprint stage. What I'll probably do is just adapt that analogy a little bit. If you think about a 400m running track, that's the sort of thing I find myself running around more often than not, if the start line was when the policy came into force and then the finish is next March when the deadline is, we've got about 80m left of the 400. We're coming around the bend and seeing that finish line in sight, so it's coming quite quickly. What we'll see is that firms are accelerating their work to try and get there in the best possible state.

Equally, looking at that acceleration, it's going to feel fast and it will arrive quickly. We're very much at the business end of this work now. In terms of where firms are, they're naturally at different places but rather than talk about where they are, I think it's worth focusing on what they will need to do towards that deadline. It's important that they focus on mitigating and addressing vulnerabilities. Those are the things that are actually going to change firms’ resilience. In the earlier part of the cycle, there was a lot of work on methodologies and building some sophistication which we'll come on to talk about, but those things only allow firms to hold a mirror up to themselves and understand their resilience. They can test to understand it better but that's the same sort of thing; it doesn't shift the dial. Really making changes around addressing vulnerabilities to become more resilient is where firms need to be focusing now through to the deadline.

Tessa: Thank you. I think that's a clear articulation of where we are and what the end goal is, but if that's the end goal, what are some of the practical steps that firms need to be taking in order to get to that point by March 2025?

Duncan: Thanks. Knowing that I was coming onto this, I did a poll of our resilience team to get their thoughts on that particular point and there were three things that came up. Testing was the first. Reporting was the second. Then importantly, underpinning those was tooling and technology. From a testing side of things, it's all about sophistication. Originally firms were looking at testing individual important business services and how they responded in a very specific point outage. They've then broadened to think about issues that affect more than one service, which is more practical and realistic anyway and then moving more towards simulation, so feeling a bit more alive. It's important that firms think about that testing and how that interacts with other tests that are going on in the organisation. There are more benefits to be gained by aligning with understanding what's going on in the crisis space, what's going on in the market in terms of the SimEx, simulated exercises. How that creates a full view of testing. I think that's important.

On the reporting side of things, what I'd say is there's a lot of development going on in that space and there's a lot of information, but it's about putting it in the right shape to really understand what's going on. If you imagine resilience health being a picture that's made out of mosaic tiles, these individual mosaic tiles, these pieces of information, exist; it's about putting them in the right context with each other to paint that picture. There's no one metric that's going to get you to that answer. Knowing that and getting a sense of that mosaic is important to know what you can do to affect resilience. Then coming onto that point around tooling, this is about sustainability and how resilience can be delivered into the future. There are many tools out there, a particular tool being Fusion Risk Management, that allow firms to specifically bring this data together, create that mosaic I've talked about, but also create the right tiles to fit into that that we haven't seen before.

Where firms are able to do that, they're able to create a sustainable approach but one that's filled with insight and quick insight so that if there is a disruption, they're able to respond quickly and have that reflex built faster, rather than turning to each other and going, 'Well, I thought you did this and you did that'. That doesn't tend to work at pace. Those are the three things I'd say to focus on.

Tessa: Brilliant, thanks Duncan. Of course, many firms are grappling with all of those complex issues at the same time as preparing to comply with other rules and regulations, DORA being a key one. Danny, can you talk us through how the UK operational resilience regime compares to DORA, and what are some of the key additional areas that firms really need to address to make sure that they're in compliance with DORA?

Danny Chamings: Thanks Tessa. The question of, 'Can't I just leverage UK operational resilience?' is one that Duncan and I got asked quite a lot, maybe six months ago, early 2024, late 2023. We don't get asked that question as much anymore and unfortunately, our poker faces failed at times when people assumed they could just leverage UK operational resilience and they'd be fine. It's important to note that both UK and European regulation are driving towards a similar objective. They want a more resilient financial services ecosystem, but they go about it in really different ways. UK operational resilience is really focused on principles and there's some excellent guidance underneath that as well, as we've just seen with the FCA paper around operational resilience.

However, DORA has got a set of much more specific requirements. So, although there are opportunities for proportional pragmatism within DORA, it has a much more specific set of needs than UK operational resilience. That said, there are areas where, when we're working with our clients that have already done work on UK operational resilience, we can look to leverage it. What we don't want and what is absolutely fatal is to have fifteen different resilience frameworks, one for each regulation that you're exposed to. Some of the things we look at leveraging are looking at methodologies around important business services, or IBSs, the approach to resilience testing, as Duncan's mentioned, and the work firms have already done around third-party risk management. When we think about important business services, DORA brings in this concept of critical or important functions, or CIFs. Now there's also European regulation if we think about outsourcing and others that also have these concepts about criticality. It's important that when firms are looking at identifying their critical important functions, which is an underpinning dependency for most of the rest of DORA, that they follow a similar methodology to things they've already built on.

Ideally, you want to have a data model where you know your functions, your services, you know whether they are an important business service in the UK, whether they're critical or important in Europe and you can then look to onboard those as other regulation comes on in other territories that will look to have similar methodologies around it. Having a separate methodology just doesn't work and we've seen firms get really tied up in knots around that. It's important to notice that your IBSs are probably not going to be the same as your CIFs though and Duncan is nodding at me furiously at that point. The next point around resilience testing, a lot of the requirements within DORA are not dissimilar to some of the points that Duncan has just articulated. We're looking at scenario testing, we're looking at ITDR testing. We're looking at what we do around security testing. We're looking at how, with crisis exercises, we can pull those together and fundamentally, we're looking at how we can take silos out of the organisation so we know our true resilience posture.

Again, there's huge opportunity to build up the things that firms are already doing around UK operational resilience, scale that across their European entities and get this mosaic that Duncan was talking about, where we know what's going on across the patch. Also, we can then think about how we best invest in our resilience testing activities, so we don't look at something that will give us insight into one scenario for one location when it is an expensive exercise. The last area for leverage is around third-party risk management. Now most firms will have done quite a lot already within the UK. A number of firms will have had to do work around outsourcing, whether it's EIOPA or EBA. There's quite a lot there that you can leverage. Now there are still challenges under DORA, but we're seeing that firms that have got their house in order around UK and existing European regulations on third parties can really push ahead on what they need to do on DORA there. The inevitable question is that there are other areas to work on, and there's a lot of work that needs to be done over and above the UK regulation.

Fundamentally, firms will need to uplift their ICT risk management frameworks and quite a few firms, even those that you might anticipate were in a good place, have found the specific requirements of DORA really quite difficult to bring into their framework, to embed and to operationalise. Firms need to be able to report on major incidents. Now some firms under PSD2 will have had to do that, but there's a level of complexity that firms really need to work on. I've seen great progress on that and some firms have really driven that forward. Then also, there's a number of obligations around third parties, and the particular thing that people are struggling with, well, two particular things is this record of information needed for third parties which is comprehensive, large and difficult and then the re-papering needed across contracts to bring in DORA clauses. Again, firms are starting to progress on that but need to push hard.

Tessa: Great, thank you. Really helpful summary there of both how the two regimes compare and then, really unpicking some of the detail. Moira, it'd be great to bring you in here. What's your take on what impact DORA's going to have? I think particularly in terms of how does it interact with some of the other regimes and how should firms be approaching that challenge of having to comply with multiple regimes?

Moira Cronin: Thanks Tessa. For me, DORA is a ground-breaking piece of legislation, but it really should not be viewed as a tick-box or a compliance requirement. The whole cadence of DORA is that we're working to strengthen the stability of the financial services sector across Europe, and to do that you need to understand the role that your organisation plays in that. My own view is that you should not focus on the regulation itself but rather focus on the risk that you face as an organisation, and actively work to manage that risk.

I think organisations need to stand back and take a more strategic view of how you can protect your organisation and how that contributes to the stability of the financial services sector. Otherwise, it becomes a tick-box exercise, and what we're working with firms to do is build that resilience into their own organisation and then, by default, it will help the whole financial ecosystem in the EU. I think that when we look at the other regulations that leverage aspects of DORA, there are more that are coming down the track. If we're telling organisations right now to focus just on one piece of regulation, then it's wasteful, because you really need to stand back, look at the resilience of your organisation, look at the risks associated with that, and build the resilience rather than focusing on one regulation. That way, when you have the likes of NIS2, you have the EU AI Act, you have all of these other regulations that are coming down the tracks, if your organisation is resilient, you're going to be in a better place to deal with the regulations that are coming, and that's what the key point is.

Tessa: So Danny's talked quite a lot about the different approaches and challenges we're seeing towards DORA in the UK. How does that compare with what you're seeing in EU jurisdictions?

Moira: I think Tessa, when we look at UK and Ireland, they're somewhat blessed in that they had operational resilience before they had DORA, but, obviously, there's plenty of other regulations that have come before it, EBA guidelines, EIOPA, ESMA, that obviously would prepare you, and you can leverage. Everybody hates that word, 'leverage', when I say it, because it always means there's more work to do. Really, when we look at the UK in particular, you've had OpRes, obviously there's the CTP framework now as well, but I think that, really, across Europe, you have a number of organisations that have leveraged existing regulations and are now laying DORA on top of that. Danny would have spoken about the real step up, and the real new bar with DORA, and what needs to be done there. So much of the guidance that has been provided in the past, it's not too dissimilar to what we have in DORA, but there is that step up, and that's really what firms are grappling with right now.

Tessa: Yes definitely. I think one of those particular challenges that we're hearing a lot about are the requirements around third parties. Danny, I know that's something that you spoke about. It would be great to get a bit more of a sense from you, and a bit more detail about what are some of the challenges around third parties that firms are grappling with, and how can they overcome those challenges?

Moira: On the third-party piece, I suppose, if you look at it, it's not surprising that third parties are now included. I suppose, for people like myself, and Duncan, and Danny, who have been looking at this for a number of years, the impact that a third party can have on your organisation is really significant. It's not surprising to us that legislation has come in in this space. Having said all that, it's a very, very big change for the ICT providers who have never actually been regulated by a financial services regime in the past. That is a marked change for that, and I think that there's a real big ask, on their side, but, ultimately, it is the FS organisation's responsibility to ask them to engage with them. I think that that's probably the first big challenge, to get that buy-in from the other side. While, obviously, the ESAs have put an oversight regime on the critical third parties, that's not necessarily going to be all third parties. Therefore, there's a big push from FS firms to try and get their third parties to play ball with them. So, I'd definitely say that's one.

The second one, I'd say, is to actually understand the mapping. So obviously, you identify your critical important functions, that then flow through to your third parties. The thing with DORA is that it actually ignores that legal entity. So, you need to follow that value chain all the way out. What often can happen is that it becomes almost like a black box of outsourcing, which firms have built in the last number of years. Outsourcing has been absolutely huge. Now what we're trying to do is unravel that black box, and, for certain organisations, that is really, really difficult, particularly when you look at the asset wealth management industry, where there's been a huge amount of outsourcing. I think even understanding the flow of data can be quite difficult there. That's definitely one that's very important. I think, when you look, Danny mentioned this earlier. When you look at the contractual requirements, when you look at the uplift of what needs to go in, DORA is very, very prescriptive of what needs to go into your third-party contracts. It's important that you start those conversations, because a lot of them will cost money. A lot of them will take time to negotiate. So, a lot of what we're encouraging organisations to do at this point is make sure-, it's early and often, to communicate with these guys. Then, I think the last one that I'd probably mention is really understanding how to do testing at scale. So, some of the providers have thousands of financial services firms relying on them. While we know pool testing is allowed, how does that work in practice? So, how can that work for every organisation? Really getting down to specifics. While the bigger financial services firms will have a little bit more power in that, the smaller ones may not. 

I think there's really a lot that needs to be done between your FS organisations and your ICT providers to ensure that level of communication is there, and that they're starting to work through those issues together.

Tessa: Brilliant, thank you. I think that really brings to life the scale of the challenge that some firms are facing, given that's just one area that we're looking at. Danny, aside from those points around third parties that Moira's talked us through, what else are you seeing in the market around how firms are working towards the 2025 deadline, and where they're focusing their efforts?

Danny: I think it's important to think of DORA as part of a broader resilience programme. Organisations have looked at DORA, they've analysed DORA, and they've seen some real opportunities to standardise, to simplify a process, to update their operating model around how they embed resilience within their organisations. Now that said, they also have a practical challenge of a deadline, and a compliance deadline. So, some organisations that started early on their DORA journey have managed to embed tooling uplift in this year, operating model uplift in 2024, and are driving forward with uplifted processes, technologies, to get to the regulatory deadline. That's not the case for a lot of other firms. Some things have proved much more difficult as they've gone through the programme. Funding has been difficult for a lot of firms, and they've really had to strip down and look at what the minimal viable product is for 2024 but using that as a vehicle to then get funding agreed into 2025 and beyond. A lot of firms, we're seeing this almost two-stage activity, of drive towards an MVP in 2024, moving in to what a longer-term uplift of capability looks like in 2025 and beyond.

What does this MVP look like? Well, I think we've touched on it around the table a few times. It's a combination of what Duncan's talked about from a UK perspective, what Moira and I have touched on from DORA. Fundamentally, firms have got to nail down their critical or important functions, their CIFs. That creates a dependency across huge other areas, whether it's building out registers of information through to specific controls, where you have additional requirements for controls relating to a critical or important function. They need to use that and build out their third-party register of information. We're seeing that as a clear priority for regulators. A number of firms we work with have been invited to join a voluntary dry run, to populate the register of information, which is happening through summer 2024. That underpins a number of decisions that local regulators and the European supervisory authorities will need to make early in 2025. Firms have got to get that information right.

Then, there's a huge amount of work to be done around frameworks, policies, standards and procedures, to make sure that firms can demonstrate that they are addressing the DORA requirements through 2025. Now, in some cases, there will be gaps, and they will need to build a remediation plan, but they need to understand the risk that they're exposed to and what they need to do around that. Moving into 2025, or for those lucky firms that have made good progress, firms are evolving their operating models. They're looking at centralising things like third-party risk management and identifying who can be responsible for things in local entities and at group entities. To Duncan's point around tooling, there are some real opportunities to do more with what you've already got, and to look at where there are gaps in your existing resilience tooling ecosystem architecture and bring in additional tools. A lot of that's around automating existing processes to take cost out, for example third-party risk management, or looking at combining and aggregating data, so you can get that across-the-organisation view of your resilience posture.

The other piece with all of this is data. We've not really touched on data, but data is so fundamental to DORA, because when we look at a lot of these things, you're pulling data from, conservatively, ten or fifteen different systems, data points across an organisation, anything from a contract database to a general ledger, to a GRC tool, to resilience tooling. All of that needs to be pulled together. You'll have different systems for different entities within the group. There's a massive piece of work to be done around data architecture, but a huge benefit of getting that right, and doing that thinking upfront. So, there's a lot to do. I think the key, with all of this, as I said, and as we've said, is that you don't think of DORA as a January 2025 challenge. It's the next step in how you drive forward resilience within your organisation. How do you make sure you've got the right people, processes, data, technology to drive that forward?

Tessa: Yes, absolutely. I think that longer-term view is something that's key and has really stood out in this whole conversation. Duncan, sticking with that theme, how do you see the operational resilience agenda evolving as we look beyond the immediate deadlines that some firms are working towards? What does that look like, looking a bit further out?

Duncan: I like this question. It gives a chance to indulge in thinking about the future and getting into some really interesting things. So, yes, I think it's easy to get quite bogged down in some of the detail that we cover. I know there are some firms out there that are fine-tuning impact tolerances, or debating what's 'severe and plausible', and then DORA brings its level of prescription with it, and you can get caught in this lower level of specificity that doesn't drive bigger-picture thinking. So, I do think it's important to step back. What's happened with DORA, and with the UK operational resilience requirements, is that firms have been brought on to this same sort of track that they're having to run on for a few years for DORA, and then slightly longer for UK OpRes, and then that's going to change. We'll get to January, or March, and firms will then have open space to go into. Now they'll have brought everything they've done over the last few years to that, but then they've got this chance to move forward, and they're not going to be told quite what to do in the same way.

The requirements will still exist. The way in which they're addressed could be different. There's scope for innovation and thought at this point, which could be really interesting. With the evolution of AI, and generative AI, and all of these other tools that are there, how could those be used to support resilience going forward? I think having put everyone on the same track, they now can diverge a little bit, and that could be interesting. My own perspective is one that, I think resilience becomes very threat-led in the future. We've done all of this work to understand our organisations, our third parties, and general infrastructure. It then becomes, 'What's the threat that worries me most?' Then, 'Within the organisation, what does that mean for us?' If it's limited to resilience, then you lose part of the benefit as well. So what does it mean for us, through a financial stress testing perspective? What does it mean for our strategy? So being able to use resilience as a way of looking at the broader organisation then becomes much more interesting. When these threats come in, which important business services does this impact? Which locations and assets? What does this do to us financially? What does this mean for the strategy that we've set for ourselves going forward? It becomes that elevated question. I find that more fascinating than tinkering with important business services and impact tolerances. I'm pretty sure that the threats of the future, the things that are going to get me out of bed in the morning, to come and work with firms on resilience, and it's that that I think all three of us are probably most passionate about helping firms with.

Tessa: Absolutely. Taking that threat-led approach and being able to look at resilience more broadly is more important than ever in today's risk environment, which is increasingly complex and uncertain, with so much disruption that firms are facing. Of course, as you said Duncan, resilience is going to continue to evolve. We don't know what the threat landscape of the future is going to look like, but if firms can get this right now and get those frameworks in place, they're going to be able to respond to future disruption and uncertainty, and that's where they're going to get the value out of all this important work that firms have been doing to prepare for the upcoming deadlines.

Thank you to all three of you for joining us and sharing your valuable insights, and what you're seeing in the market, and what firms need to be focusing on in order to be fit for the future. To our listeners, I really hope you've enjoyed this conversation, and thank you very much for listening. As always, please subscribe to future episodes, and please rate and review this series, as it helps other listeners to find us. If you'd like to hear more from us on risk and regulation, please look out for our regular publications on our website, which we'll link to in the show notes, and we look forward to returning next month with our next episode.
