Operational Resilience.
MYRIAD’s CEO Simon Shepherd outlines why banks must focus on operational resilience as they upgrade their recovery and resolution plans.
Soon after the Global Financial Crisis (GFC), the U.S. Authorities asked the leading SIFIs (Systemically Important Financial Institutions) and their Global equivalents to submit updated Recovery and Resolution Plans (RRP) for renewed scrutiny. In the wake of the GFC, the timing of this request cannot be seen as surprising, but of more concern to Industry observers was that, without exception, the first drafts of those Recovery and Resolution Plans were all – universally – rejected.
The need to go back to the drawing board to ‘try again’ was based on a consistent flaw in each SIFI/GSIFI’s plan: each had focussed too much on front- and back-office challenges and had not paid anything like enough attention to the middle-office. Essentially, the Banks had mistaken a request to overhaul and update their RRPs as a need to re-focus their attention on trading, execution and liquidity concerns, among others, in light of the fallout from the GFC. But rejection of those Recovery and Resolution Plans was based much more on ‘how?’ and ‘where?’ rather than ‘what?’ and ‘why?’. There was insufficient focus on how to effect a workout, no matter how sophisticated the front- and back-office could become from a risk management point-of-view.
Significant aspects of Operational Resilience sit squarely in the middle-office and in times of crisis, both prior to distress and potentially during a workout, proper provision of the middle-office can protect interested parties before, during and after an event – and provision means resource in terms of both Systems and People. If Operational Resilience underpins day-to-day activities, then the very same sound practices can be used in any recovery or resolution scenario.
The Federal Reserve and the SEC were more focussed on how a distressed Institution could extricate itself, safely, as an extension of thinking around how not to become distressed in the first place. As executives involved at Lehman Brothers in Administration have subsequently stated, a lack of transparency in the middle office undoubtedly contributed to the duration of that workout.
Prior to those conclusions, the – wholly correct, as it turned out – message almost seemed to be that no matter how much you plan to mitigate trading and counterparty risks, there has to be an acceptance that a Bank failure will happen again and, therefore, we all need to know how best to resolve such a failure, just as much as how best to avoid one in the first place. Having the correct system or systems in place can substantially mitigate the failure if another part of the Institution has caused that failure.
Subsequently, although by no means linked to the RRP exercise above, the Office of the Comptroller of the Currency released OCC Bulletin 2013-29 entitled “Third-Party Relationships: Risk Management Guidance” and this has more recently been updated by Bulletin 2020-10. We at MYRIAD have always regarded the original Bulletin and its extension as something of a ‘Bible’ for the management of all third-party Vendors, not just those involved in each large SIFI’s Network. Sitting as it does in the pantheon of literature within the emerging canon that is ‘Operational Resilience’, coherent management of an Institution’s third-party Vendors is a critical aspect covered by both of the OCC’s Bulletins. The conclusion to draw is that only a combination of Systems and People can present a truly robust response to the need to recover or resolve a life-threatening (from an Institution’s point-of-view) event.
What is Recovery & Resolution planning? The term refers to planning by a financial institution and the authorities for the eventuality that the firm suffers life-threatening losses. Mitigation could include sales of businesses, capital raising and the cessation of dividend and coupon payments. The underlying theme is how best to effect a workout, to avoid a systemically important (threatening) event. Whilst prevention is almost always better than cure, the SIFI focus, when asked for updated RRPs, was on prevention. What was really needed in a fully comprehensive RRP was an anticipation that no matter how good the preventive planning, there will always be an event or chain of events that need resolving. To do this to best effect, there must be an understanding and an appreciation of how to bring about resolution in full. By ensuring operational resilience each Financial Institution, large or small, is already positioning itself to deal with any workout scenario, irrespective of the cause.
In another recent article linked to the fallout and operational challenges represented by the COVID-19 pandemic, we stated that “…systems and procedures have been stretched and few Institutions have not wondered whether ‘things’ could and should be better – ‘things’ being defined as data security, quality of communication, immediate access to data (indeed data and access that persists through time), as well as more sophisticated systems, processes and procedures which both preserve the integrity of that data as well as providing an opportunity and a means to keep it current.” Of course, all of these topics are intimately linked with operational resilience, and the more resilient you are as an Institution, the less likely there will be a catastrophe. But that said, the current focus on upgrading RRPs should have at its heart a heightened focus on operational resilience during a workout: Recovery and Resolution Plans and Operational Resilience are closely linked, and the latter should be a critical component in the former.
How do we define operational resilience? It must be along the lines of how we as an Institution can ensure the smooth, uninterrupted running of systems and procedures, even in abnormal trading conditions. When a Bank relies on third parties for critical functions and operations, it is important to know who those third parties are, before it can contemplate managing them properly. Furthermore, fully understanding the role of the third party, its significance and the survivability of an event where that third party might fail, feeds directly into any assessment of overall Operational Resilience as well as a truly comprehensive RRP. This is even more important where the distressed Entity itself might fail. Its books and records extend into account inventory, documentation, risk assessments, continued invoice processing and fundamentally exactly where cash and assets are and how to access them.
The EU’s Bank Recovery and Resolution Directive (BRRD 2014, amended 2016) requires Banks to prepare recovery plans to overcome financial distress. In so doing, the Directive grants national authorities powers to ensure an orderly resolution of failing Banks (with minimal costs for taxpayers). If the definition of Operational Resilience is ensuring continuity of a Bank’s critical functions, the maintenance of financial stability and the viability of all parts of the Bank, then there needs to be a direct link between any Recovery and Resolution Plan and Operational Resilience, not least in a workout. ‘Books and Records’ extends into the middle-office and the continuity of records – the ‘persistence of data’ – that might otherwise support that workout is absolutely critical. Indeed, such enhanced transparency beyond the front- and back-offices into the middle-office will underpin the workout. Demonstrable proof of this will be a great comfort to the Authorities, wherever.
The ability to run Continuous Risk Assessment is but one part of Operational Resilience. The ability to access good, clean, consolidated data as a launchpad for Continuous Risk Assessment (CRA) is a very obvious starting point. This is precisely where great Systems capability underpins the human effort to understand and manage risk; and being able to fall back on an archive of the same detailed material is an extension of Operational Resilience in any workout situation. Furthermore, being in a position to continue supporting Providers whose own ongoing (mutual) support and cooperation will help manage Cash and maintain Custody arrangements, will be critical in a workout. Not understanding how best to leverage that Network is a major risk in itself.
The Digital Operational Resilience Act (DORA) adds weight to one aspect of all-round Operational Resilience. The EU will impose tighter controls around new incident responses and reporting, and improved third-party risk requirements and monitoring for firms operating within the EU. DORA touches aspects of many regulations that directly and indirectly impact both the buy-side and sell-side of firms active in the EU. Without the right systems or platforms in place, this represents a serious challenge from a regulatory standpoint, let alone an operational one. Addressing the latter in a coherent way will undoubtedly help address the former. The risks afforded by all of the above, not least reputational risk, will all need to be covered in an RRP.
In an article of this length, it is impossible to explore all aspects of this topic, but data persistence, security, sustainability of safe access, the preservation of transparency and the maintenance of audit trail can only happen in the most robust, proven and fit-for-purpose platforms. These facets are all key aspects of Operational Resilience and how this can positively contribute to Recovery and Resolution Planning.