Operational Resilience Forum - TISA

Operational Resilience Forum: Preparing for disruption

Kindly hosted by

Information Classification: Limited Access

Tackling the Challenges of Operational Resilience

Daniel Money

Head of EMEA Resiliency

5 March 2020


Agenda

• A New Lens

• Resilience Continuum

• Building Blocks

• Strategic Solutions

• Subjectivity

• Vendor Interaction


A New Lens: From functions & resources … to products & dependencies


Resilience Continuum

Operational Resilience, Business Continuity, Recovery, and Resolution require different toolkits.

Firms need to understand the differences and links between them.

Resilience: Maintain delivery of critical business functions to clients

Continuity: Plan for and respond to disruption

Recovery: Revive a firm after a material shock that threatens viability

Resolution: Strategies & planning for the orderly dissolution of a failed firm


Building Blocks: From independent building blocks to a holistic view of Resilience

• Third Party Risk Management

• Outsourcing Oversight

• Operational Risk Management

• Scenario Analysis

• Incident Management

• Business Continuity Management

• Disaster Recovery Planning

• Technology Risk Management

• Cyber Risk Management


Strategic Solutions: Simple, Practical, Outcomes-driven


Subjectivity

Metrics don’t solve everything

1. Define your subjective areas

2. Gain consensus

3. Apply metrics

4. Owner’s overview – incl. trends


Vendor Interaction

Rely on them to provide …

• Alignment – Important Business Services; Impact Tolerances

• Oversight – Monitoring; Testing

• Communication

• Incident Management

… and to have an Exit Plan

• Substitutability – Availability of options

• Transferability – Speed of options


The material presented herein is for informational purposes only and does not constitute, nor should it be considered or relied upon as, investment research or investment, legal, or tax advice nor should it be considered an offer or solicitation to buy or sell any product, service, investment, security or financial instrument or to pursue any trading or investment strategy. It should not serve as the basis for investment decisions. Any views expressed herein are subject to change based on market and other conditions and factors and are not tailored to specific requirements, circumstances and / or investment philosophies. This material does not constitute any binding contractual arrangement or commitment of any kind.

All material, including information from or attributed to State Street, has been obtained from sources believed to be reliable, but its accuracy is not guaranteed and State Street does not assume any responsibility for its accuracy, efficacy or use. Any information provided herein and obtained by State Street from third parties has not been reviewed for accuracy. In addition, forward-looking statements, whether by State Street or third parties, are not guarantees of future results or future performance and actual outcomes may vary. State Street does not undertake and is under no obligation to update or keep current the information or opinions contained in this communication.

To the fullest extent permitted by law, this information is provided “as-is” at your sole risk and neither State Street nor any of its affiliates or third party providers makes any guarantee, representation, or warranty of any kind regarding such information, including, without limitation, any representation that any investment, security or other property is suitable for you or for others or that any materials presented herein will achieve the results intended. State Street and its affiliates and third party providers disclaim any warranty and all liability to you or any other person or entity, whether arising in contract, tort or otherwise, for any losses, liabilities, damages, expenses or costs, either direct, indirect, consequential, special or punitive, arising from or in connection with your access to and / or use of the information herein.

No permission is granted to reprint, sell, copy, distribute, or modify any material herein, in any form or by any means without the prior written consent of State Street.

© 2020 State Street Corporation. All rights reserved.

Tracking number: 2970682.1.1.EMEA.RTL

Operational resilience: Technology & (Out)sourcing

Angus McFadyen

Partner

March 2020

What we’ll cover

• Regulatory focus on technology and outsourcing

• Key risk areas

• Outsourcing generally

• M&A angle

REGULATORY FOCUS

Global area of focus

Most recent UK developments

Timeline: Mid-2019 – 2020 – 2021

• EBA Guidelines on outsourcing – In force (Sept)

• EBA ICT & security risk Guidelines – In force (June)

• FCA Sector View – Outages, security & data quality risks flagged

• EIOPA Cloud Outsourcing Guidelines – Published

• EIOPA Cloud Outsourcing Guidelines – In force (Jan)

• PRA / BofE / FCA consultations – Published

• PRA / BofE / FCA final statements / rules – Expected

• EBA Guidelines on outsourcing – Transition ends (Dec)

CYBER & TECH RESILIENCE

Some factors that affect tech resilience

• Outsourcing

• M&A

• System complexity

• Projects

• Incremental change

• Quality management

• Lack of support

• Lack of proactive maintenance

• Data quality

• Human error

• Controls

• Testing

• Single points of failure

• Infrastructure

• Governance & oversight

• Culture

• Skills

• Security

• Supplier management

FCA’s outage analysis – root cause, Oct 2017 - Sept 2018 (incidents where root cause analysis completed) [chart]

Change risk – case study

• Moving between providers & technology

• Compound effect of “change” on internal team + clients

• Greater training and resource contingency next time

Change risk – common contract gaps

• Commercials v. risk / controls – different motivations

• Technology and business projects – clear “Go/No Go” – readiness, risk, and customer success criteria

• Don’t just rely upon the supplier:

– Understand the resource profile and contingency

– Manage around operational constraints (e.g. tax year end) – delay and cost can multiply

– Manage transformation and BAU change closely

• Using your contract and Senior Management oversight

OUTSOURCING CONTRACTS

“Impact tolerance” = tech contract req’ts

• FCA / PRA draft: “[firms must]…remain within impact tolerance for important business services, irrespective of whether …[they] use third parties”

• Example: Annuity payments

– “Impact tolerance”: 36 hours (>2 days’ has significant impact on vulnerable customers)

– Outsourced:

• Do the people, processes and systems support this?

• Supplier continuity and disaster recovery measures?

• Supplier part of firms’ regular scenario testing?

Headline: Contracts

Requirement                                                      | EBA Outsourcing | EIOPA Cloud | PRA draft SS
General (scope, description, duration, commercials, law etc)     | √               | √           | √
Sub-outsourcing & locations                                      | √               | √           | √
Access and audit rights                                          | √               | √           | √
Data and systems security                                        | √               | √           | √
Termination                                                      | √               | √           | √
Continuity & Exit                                                | √               | √           | √
Monitoring & reporting                                           | √               | √           | √
Non-critical arrangements                                        | √               | X           | √

Headline: Broader implications

Requirement                                                      | EBA Outsourcing | EIOPA Cloud | PRA draft SS
Intra-group considerations                                       | √               | √           | √
Outsourcing / critical/non-critical assessments                  | √               | √           | √
Governance                                                       | √               | √           | √
Record keeping / register                                        | √               | √           | √
Risk assessments                                                 | √               | √           | √
Due diligence                                                    | √               | √           | √

Remediation activity

Common EBA remediation debates

• Scope

– We are not an outsourcing services provider

– These are only guidelines; they are not binding

• Practicalities

– Audit rights and sub-outsourcing controls not agreed

– Confusion on “data” provisions applying to all customer data, not just personal data

• Commercial

– New termination rights

– Cost of complying (e.g. supporting your BC tests)

M&A ANGLE

M&A angle

• High levels of M&A, esp. in tech and payments

• Controlled separation and transitional measures key – increasing focus for deal value and compliance

• TSA is typical – often for critical or important functions

• New regulatory standards are a high bar:

– Service quality commitments – measurable?

– Resilience through separation states

– Recourse for quality failings and tested BC / DR?

CONCLUDING MESSAGES

Concluding messages

1. Ensure that you can meet the required standard of operational resilience across:

o in-house functions,

o outsourced functions (intra-group and 3rd party), and

o other suppliers

2. Remain within impact tolerance for important business services, irrespective of the use of suppliers

3. Sourcing practices need to improve to address this – focus on business outcomes / impact tolerance and joining up tech, business, procurement, and risk under senior management

Contact details

Angus McFadyen

Partner, Technology & Sourcing

T: +44 20 7490 6964

M: +44 7585 996 071

E: [email protected]

Pinsent Masons LLP is a limited liability partnership, registered in England and Wales (registered number: OC333653) authorised and regulated by the Solicitors Regulation Authority and the appropriate jurisdictions in which it operates.

Reference to "Pinsent Masons" is to Pinsent Masons LLP and/or one or more of the affiliated entities that practise under the name "Pinsent Masons" as the context requires. The word "partner", used in relation to the LLP, refers to a member or an employee or consultant of the LLP or any affiliated firm, with equivalent standing. A list of members of Pinsent Masons, those non-members who are designated as partners, and non-member partners in affiliated entities, is available for inspection at our offices or at www.pinsentmasons.com. © Pinsent Masons.

For a full list of the jurisdictions where we operate, see www.pinsentmasons.com

THANK YOU

Please join us for after-event networking drinks

Kindly hosted by