presentation-blog

The regulator is raising the stakes for operational resilience

The risks of technological outages have been drastically underestimated industry-wide. This year, glitches have resulted in financial losses in the millions, mass customer exodus and significant reputational damage to the firms and their executives. But still, outage after outage makes the headlines each week, suggesting the industry is continuing to miscalculate the risks - just as they are set to increase.

After a wave of high-profile glitches, the Bank of England and Financial Conduct Authority (FCA) could not ignore the resulting disruption felt by the affected clients and customers. In July the regulatory authorities published: Building the UK financial sector’s operational resilience. The paper discussed why achieving and maintaining operational resilience - a firms’ ability to protect and sustain its core business functions when experiencing technological disruption - was essential to preserving critical financial infrastructure.

But most importantly it raised the stakes.  An organisations’ senior executives can be caught in the crossfire if, under their watch, they neglect to put in place systems to prevent and recover from an outage.

The discussion paper maps out an accountability framework, already in action under the Senior Managers and Certification Regime, (SM&CR) that will mean individuals with titles such as COO, CTO or CIO could be held personally responsible in the event of a technological glitch. Essentially, if the assigned individual fails to take the necessary steps to ensure operational resilience, it may be the case that they won’t just be facing reputational and financial consequences, they will be personally open to fines, losing their working licence or, in more extreme cases, criminal charges. 

Although the regulator won’t be knocking at firms’ doors after every outage, clear steps must be taken to prove that systems are in place to protect the customer. Some outages are unavoidable, but alarmingly more than 30 per cent of outages are caused by firms mismanaging their data systems, which is an avoidable scenario. Firms need to understand the steps they should take to ensure operational resilience to protect their clients, their businesses and the individuals within them.

ITRS Group highlights the essential checklist for maintaining operational resilience:

  • Careful change management: when a migration or system upgrade is taking place firms must understand when they need to halt the process to avoid potentially disastrous consequences of not having the right systems in place. Revert back to the old version if you are running out of time rather than putting yourself and your customers at risk with a poorly managed migration. And thoroughly test the change after it has been put live.

 

  • Monitoring: your firm needs highly proactive monitoring to allow you to see what your systems are doing in real time. And real-time needs to mean real-time - not 60 seconds, 30 seconds or even 15 later. This insight is essential to shorten the time taken to identify an issue. For trading firms where markets move in milliseconds, the difference between real-time and 60 seconds could equate to hundreds and thousands of dollars in losses.

 

  • Load testing: you wouldn’t walk onto a bridge without first testing that it was safe, so why do the same with your IT systems? In order to know for sure that your production environment is going to run properly, tests must be so you can understand what it can withstand. By running these tests through all of the infrastructure and software you can avoid glitches caused by poor capacity management.

 

  • Resilient Architecture. Failure of software or hardware will happen, so systems need to be able to ‘fail over’ sufficiently quickly to achieve the required availability. It is essential to know any single points of failure where resilience isn’t available, and to monitor these particularly carefully. A manual recover plan is required for these.

 

There’s no getting away from it. Regulation around operational resilience will surface next year and will likely be in force the year after. Firms need to be ready, and ITRS Group is committed to helping find the solutions to stay compliant.

Related posts

gambling monitoring

Gambling and IT: ‘Always on,’ yes, but also ‘always vigilant’

A recent slot machine outage at Las Vegas hotel and gambling venue MGM Resorts reminds us that while being an “always on” IT environment is important, there is also the need for your monitoring system to be “always vigilant.”

Read full post
regulation

LAMA reporting: Failure is not an option

To comply with India’s “technical glitches” regulation LAMA, brokerage firms need a monitoring platform that can provide a single-pane-of-glass view of their IT as well as perform analytics on runtime data in real time.

Read full post
certificate expiry image

The challenge of monitoring Zero Trust environments

When SpaceX’s satellite low-latency broadband service Starlink went down for a few hours in April, it not only annoyed users around the world but also highlighted a little-discussed issue. What caused it? An expired digital certificate.

Read full post
hedge funds unknowns

How to hedge against unknown economic challenges

The current macroeconomic climate is proving to be a challenge for businesses across the financial sector, and hedge funds are by no means exempt.

Read full post
SEE MORE