Outcomes in Practice: a shared challenge

With the major regulatory milestone approaching in March 2025, it would be tempting to focus on the “compliance victory” rather than driving to deliver operational resilience as an outcome.

Back in 2021, Lyndon Nelson, formerly Deputy CEO and Executive Director for Regulatory Operations and Supervisory Risk Specialists, Bank of England, talked about “outcomes in practice”, urging firms to recognise that the concept of operational resilience extends far beyond regulatory compliance. The financial sector has crossed an inflection point and is collectively trying to drive the cultural shift towards this outcome. There is a recognition that a single imbalance, disruption or failure may not just be one organisation’s problem but can have far-reaching consequences for the entire ecosystem.

UK Finance has continued to support firms in this endeavour, to deepen their understanding of the critical and interconnected areas of the ecosystem, and to facilitate dialogue and sharing of information between financial market infrastructure firms (FMIs) and critical third parties (CTPs).

On 8 February, UK Finance and Ashurst Risk Advisory LLP co-hosted a symposium with Amazon Web Services (AWS). UK Finance recognise the need for the sector to better understand individual and collective capabilities so that, in the event of a disruption, the sector can be well co-ordinated, identify gaps and build a level of collective resilience that is effective in absorbing the impact. The session allowed firms to hear directly from AWS about their concepts of resilience, leadership principles and resilience capabilities, as well as their approach to testing.

There were some clear insights gained by AWS and the firms attending the session:

  • Consistent and defined nomenclature and terminology, consistently applied, will help provide a deeper understanding of sector resilience between firms. For example, a common understanding of firms’ assessment of their threats and vulnerabilities feeds into the development of severe but plausible scenarios so that appropriate response and recovery actions can be developed.
  • There is a clear need for a shared understanding of how severe but plausible scenarios are developed and calibrated for severity, and of how the CTP policy aligns to the existing operational resilience policy SS1/21.
  • There is benefit in a well-defined, documented response and communication strategy for outages, including threshold considerations for invocation and communication channels.
  • AWS recognise their responsibility given the financial sector’s increasing reliance on cloud. Firms also recognise that effective use of cloud technology could improve their resilience to disruption.
  • Firms and CTPs welcome the opportunity to work collectively as greater direct regulatory oversight is implemented on the resilience of the services they provide.
  • Everyone in the sector recognises that the impact of a cyber threat may be catastrophic, potentially resulting in complete destruction, and that firms should not be thinking about recovery but instead about how to “re-build the infrastructure from scratch”.
  • When firms developed strategies to “re-build” and restore from scratch, they would want CTPs to be their partners, rather than doing it by themselves.

The Bank of England was part of a panel discussion and provided some context on the evolution of the policy, including insights on industry feedback, international engagements and how this helps shape the authorities’ approach to policy creation.

We, as an industry, have a big role to play in identifying effective and efficient solutions that mitigate the systemic vulnerabilities inherent in our increasingly interconnected ecosystem. Information sharing is necessary but increasingly insufficient, and we hope these sessions are the first step of an ongoing transparent dialogue and collaboration to overcome collective challenges.