Impact of the CBI’s Operational Resilience Guidance on the Manco Market

Daniel Crean (PwC) discusses the impact of the CBI's Cross Industry Guidance on Operational Resilience on the Irish Manco market, addressing proportionality, outsourced service providers and what firms should do now.

Resilience is one of the most widely used words in the past two years. It encapsulates the feeling and response of people, countries and organisations. We’ve seen displays of resilience and leadership resilience that will forever alter our perception of what is possible and how we respond and bounce forward from disruptive events.

Operational Resilience is not a new concept by any means. Many of its components have been at the forefront of regulators' agendas for many years. Now regulators are aligning their view of Operational Resilience and defining their expectations for firms in the Financial Services industry.

The CBI published their cross industry guidance on Operational Resilience in December 2021. The guidance formalised their expectations of regulated entities and set a standard that mirrored what regulators in other jurisdictions aim to achieve. The goal is to ensure ongoing stability in our financial ecosystem and protect consumers. Regulators want firms to change their mindset and see resilience not as an activity or program. It’s a continuous state and a strategic way of thinking for a business. This is a massive change from the traditional view of Resilience, where firms focused on restoring individual systems and business functions reacted to IT events. The focus has shifted to view Resilience from the outside in. Firms now need to understand the critical or important business services they deliver to external clients, and what the dependencies and vulnerabilities are in delivering those services. 

Who is impacted?

If you are a regulated financial services provider in Ireland, then the Operational Resilience Guidelines apply to you. Some global financial services firms have undertaken work and are at the start of their resilience journey. They’ve likely initiated Operational Resilience work to satisfy regulatory requirements in other justifications. For example the FCA rules and guidance on Operational Resilience come into force on 31 March 2022. An Enterprise approach should satisfy regulatory expectations globally. Operational Resilience is geographically agnostic. Your strategy should be at an Enterprise level, you just need to tailor your regulatory responses and submissions per locality.

For “smaller” regulated entities, do they need to consider the CBI guidelines? In short, yes. Every firm regardless of size or activity will need to meet the CBI expectations. Proportionality is a key factor, but every firm will have at least one critical or important business service. You need to complete the dependency mapping and impact tolerance exercise for that one service. However, it is likely when an assessment is completed several critical or important business services will be identified.

We are often asked about proportionality and what are the minimum thresholds of the CBI guidelines. The CBI and other regulators are very clear in their message that these guidelines are relevant to all regulated entities, regardless of size and scale. There is no minimum AUM, no minimum size of workforce and no minimum number of services. Also, there is no definitive answer on the number of critical or important business services you should have and the guidance from the CBI is intentionally not prescriptive, reflecting the heterogeneity in the firm's business models. 

Mancos

What about the firms that rely on an Outsourced Service Provider business model? This is particularly relevant in Ireland for the Manco sector. Will they need to adhere to the same standards and complete the same assessment? Yes, again.

All regulated entities need to adhere to the CBI Guidance. Whether you perform a function or process internally or outsource to an external provider, if that process or function is relied upon to deliver a critical or important business service, you have responsibility for its Operational Resilience standards in the eyes of the CBI. This will be a big challenge for a lot of Mancos. It’s a major discovery exercise but also an opportunity to understand your services from front to back and everything relied upon to deliver that service. Any dependencies on outsourced service providers to deliver a critical or important business service needs to be considered to determine if you can meet your impact tolerances.

It will be difficult for firms to press their resilience standards upon outsourced providers. Not everyone will have the same impact tolerances for the processes and technology they rely on. There needs to be an understanding on both sides of the dependency and agreement of when those dependencies can be recovered or substituted.

The CBI, in common with other regulators, consider the effective management of Outsourcing as a critical element in becoming Operationally Resilient. This is evidenced by the guidelines for Outsourcing and Operational Resilience being released closely together and that they should be read in conjunction with each other.

What should I do now?

This depends where you are on your resilience journey. If you are at the early stages, you should complete an Operational Resilience maturity assessment to understand your current capabilities. Then you should identify what are your critical or important business services. Be careful to distinguish between internal and external business services. Also, do not use this as an exercise to go down through your org chart and tick off what is important or critical in your opinion. Think about the services you deliver to your end user, your client.

For Mancos, I would not start by looking just at your outsourced service providers. They will be an important dependency within one of your critical or important business services and will be identified and tracked within the dependency mapping exercise. Unfortunately, there is no prescriptive method or list that you can start from and pull-out certain business services. For example these services could be NAV production, Securities Lending or Collateral Management. You can use taxonomies to help with this assessment but do not solely rely on them. Use metrics and well thought out methodology to set the criteria to determine what are critical or important business services. Some firms are even including consumer research in their criteria.

Then you will need to complete a dependency mapping exercise. Identify what is involved in delivering your services end to end? What technology, processes, facilities, locations, outsourced service providers, vendor dependencies or financial market infrastructure dependencies do you have? This is a large piece of work, but it gives you an insightful view of your organisation. It will shift your perception of your business and view it from the eyes of your clients. It will likely dictate IT strategy and business decisions going forward.

One very important thing to consider early on is the engagement and buy-in from the board. Ultimate responsibility for Operational Resilience at an organisation sits with the board. They need to be engaged from the beginning to lead and shape Operational Resilience at an organisation. 

Daniel Crean - Director PwC's Financial Services Consulting team

Contributor Profile

Daniel Crean is a Director in PwC's Financial Services Consulting team and a member of the Irish Funds Derivatives and Middle Office Working Group. He has 15 years professional experience working across the Asset and Wealth Management industry. Daniel worked on a Technology and Operational Resilience programme for 2 years supporting key clients.