Operational Resilience Forum - TISA
Information Classification: Limited Access
5 March 2020
Daniel Money
Head of EMEA Resiliency
Tackling the Challenges of Operational Resilience
Agenda
• A New Lens
• Resilience Continuum
• Building Blocks
• Strategic Solutions
• Subjectivity
• Vendor Interaction
A New Lens
From functions & resources … to products & dependencies
Resilience Continuum
Operational Resilience, Business Continuity, Recovery, and Resolution require different toolkits.
Firms need to understand the differences and links between them.
• Resilience: maintain delivery of critical business functions to clients
• Continuity: plan for and respond to disruption
• Recovery: revive a firm after a material shock that threatens viability
• Resolution: strategies & planning for the orderly dissolution of a failed firm
Building Blocks
From independent building blocks to a holistic view of Resilience
• Third Party Risk Management
• Outsourcing Oversight
• Operational Risk Management
• Scenario Analysis
• Incident Management
• Business Continuity Management
• Disaster Recovery Planning
• Technology Risk Management
• Cyber Risk Management
Subjectivity
Metrics don’t solve everything
1. Define your subjective areas
2. Gain consensus
3. Apply metrics
4. Owner’s overview – incl. trends
Vendor Interaction
Rely on them to provide …
• Alignment: Important Business Services; Impact Tolerances
• Oversight: Monitoring; Testing
• Communication
• Incident Management
• Substitutability: availability of options
• Transferability: speed of options
… and to have an Exit Plan
© 2020 State Street Corporation. All rights reserved.
What we’ll cover
• Regulatory focus on technology and outsourcing
• Key risk areas
• Outsourcing generally
• M&A angle
Most recent UK developments (timeline, mid-2019 to 2021)
• EBA Guidelines on outsourcing: in force (Sept)
• EBA ICT & security risk Guidelines: in force (June)
• FCA Sector View: outages, security & data quality risks flagged
• EIOPA Cloud Outsourcing Guidelines: published
• EIOPA Cloud Outsourcing Guidelines: in force (Jan)
• PRA / BofE / FCA consultations: published
• PRA / BofE / FCA final statements / rules: expected
• EBA Guidelines on outsourcing: transition ends (Dec)
Some factors that affect tech resilience
• Outsourcing
• M&A
• System complexity
• Projects
• Incremental change
• Quality management
• Lack of support
• Lack of proactive maintenance
• Data quality
• Human error
• Controls
• Testing
• Single points of failure
• Infrastructure
• Governance & oversight
• Culture
• Skills
• Security
• Supplier management
FCA’s outage analysis
Root cause: Oct 2017 - Sept 2018 (incidents where root cause analysis completed)
Change risk – case study
• Moving between providers & technology
• Compound effect of “change” on internal team + clients
• Greater training and resource contingency next time
Change risk – common contract gaps
• Commercials v. risk / controls – different motivations
• Technology and business projects – clear “Go/No Go” – readiness, risk, and customer success criteria
• Don’t just rely upon the supplier:
– Understand the resource profile and contingency
– Manage around operational constraints (e.g. tax year end) – delay and cost can multiply
– Manage transformation and BAU change closely
• Using your contract and Senior Management oversight
“Impact tolerance” = tech contract req’ts
• FCA / PRA draft: “[firms must]…remain within impact tolerance for important business services, irrespective of whether …[they] use third parties”
• Example: Annuity payments
– “Impact tolerance”: 36 hours (>2 days has significant impact on vulnerable customers)
– Outsourced:
• Do the people, processes and systems support this?
• Supplier continuity and disaster recovery measures?
• Supplier part of firms’ regular scenario testing?
Headline: Contracts
Contract area | EBA Outsourcing | EIOPA Cloud | PRA draft SS
General (scope, description, duration, commercials, law etc) | √ | √ | √
Sub-outsourcing & locations | √ | √ | √
Access and audit rights | √ | √ | √
Data and systems security | √ | √ | √
Termination | √ | √ | √
Continuity & Exit | √ | √ | √
Monitoring & reporting | √ | √ | √
Non-critical arrangements | √ | X | √
Headline: Broader implications
Area | EBA Outsourcing | EIOPA Cloud | PRA draft SS
Intra-group considerations | √ | √ | √
Outsourcing / critical/non-critical assessments | √ | √ | √
Governance | √ | √ | √
Record keeping / register | √ | √ | √
Risk assessments | √ | √ | √
Due diligence | √ | √ | √
Common EBA remediation debates
• Scope
– We are not an outsourcing services provider
– These are only guidelines; they are not binding
• Practicalities
– Audit rights and sub-outsourcing controls not agreed
– Confusion on “data” provisions applying to all customer
data, not just personal data
• Commercial
– New termination rights
– Cost of complying (e.g. supporting your BC tests)
M&A angle
• High levels of M&A, esp. in tech and payments
• Controlled separation and transitional measures key – increasing focus for deal value and compliance
• TSA is typical – often for critical or important functions
• New regulatory standards are a high bar:
– Service quality commitments – measurable?
– Resilience through separation states
– Recourse for quality failings and tested BC / DR?
Concluding messages
1. Ensure that you can meet the required standard of operational resilience across:
o in-house functions,
o outsourced functions (intra-group and 3rd party), and
o other suppliers
2. Remain within impact tolerance for important business services, irrespective of the use of suppliers
3. Sourcing practices need to improve to address this – focus on business outcomes / impact tolerance and joining up tech, business, procurement, and risk under senior management
Contact details
Angus McFadyen
Partner, Technology & Sourcing
T: +44 20 7490 6964
M: +44 7585 996 071
© Pinsent Masons. www.pinsentmasons.com