ITRS Group: financial institutions must act now to avoid risk of noncompliance with FCA’s operational resilience regulations
Leading software provider outlines best practice for firms to ensure compliance with regulator’s crackdown on operational resilience
London, 30th March 2022: The Financial Conduct Authority (FCA)’s long-awaited and highly anticipated regulatory framework on operational resilience for financial institutions come into force this week.
But according to leading software provider ITRS Group, despite the long lead time firms have had for this regulatory deadline, there is still a long way to go to ensure compliance, with the pandemic-induced digital transformation and online activity, plus high market volatility due to the Ukraine invasion, having further exacerbated firms’ ability to reach compliance. According to Guy Warren, CEO at ITRS Group, “far from moving towards greater operational resilience since the FCA set the timer for this deadline last year, businesses’ IT estates have only grown larger, more complex and unwieldy.
“The rush to adapt to pandemic-enforced digital transformation has seen many rapidly move to remote working, increased on-line activity, combine cloud and physical premises, and spread their estates over numerous new third-party providers with a view to slimming down their business models through outsourcing and use of third-party services.
“As a result, the financial services sector has opened its doors to new monitoring silos and operational blind spots and weaknesses, putting the industry at greater risk of IT failures and capital loss – not to mention creating huge inefficiencies.”
In line with new regulations, firms must have identified any vulnerabilities in their operational resilience, as well as set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so.
However, that doesn’t mean that firms have to have perfect operational resilience by tomorrow. A three-year transitional period means that firms have until 31st March 2025 before the regulator expects them to be operating consistently within the impact tolerances they have set – but they are expected to be sufficiently prepared for such disruptions, be able to respond effectively, and restore services efficiently.
To support firms through their compliance journey, ITRS Group has provided guidance for financial institutions to ensure maximum preparedness for disruptions:
• Identify transaction flows to target and remove any points of weakness and build robust monitoring that can operate across multiple platforms and technologies. Define the performance and availability you are trying to achieve, and measure it.
• Understand performance and uptime to identify and quickly fix degrading performance levels. Analysis of the estate with advanced machine learning allows an understanding of the load different business transactions put on the applications and infrastructure.
• Optimise Cloud usage by analysing workload behaviour and demand profiles to ensure that firms are using cloud in a cost-effective and efficient way.
• Pre-test limits to understand the overall capacity limits of their estates, as well as specific bottlenecks and pinch points that can affect overall performance, to avoid outages and failures at peak demand.
• Integrate security into operations to ensure that operational resilience is instilled within the organisation from the bottom up as well as top down, including cybersecurity training to ensure that staff are not creating or inviting vulnerabilities (particularly in a post-COVID world where remote working is the norm) and the adoption of Zero Trust Networks.
• Nominate a Chief Resilience Officer to ensure there is personal liability for poor operational resilience and get on the front foot of new senior management requirements like SMF24 – and empower the CRO to take action where necessary.