At the forefront of operational resilience
How firms can ensure the lights stay on.
EXECUTIVE SUMMARY
- Upcoming regulatory implementations globally drive financial institutions to prioritize operational resilience, with heightened awareness of third-party vendor risks.
- Regulations such as Europe’s DORA, Hong Kong’s OR-2, and Australia’s CPS 230 standardize operational resiliency, but present compliance challenges for firms with global operations.
- Firms are encouraged to transition vendor relationships towards partnerships for shared responsibility in compliance and resilience.
- Simplifying foundational processes before integrating new technologies is advised to build a solid operational resilience infrastructure.
- A holistic approach, including frequent business continuity drills and vendor partnership, aims to establish resilience by design.
Upcoming regulatory implementations require global financial institutions to look hard at their operational resilience. But what does it mean to be operationally resilient, and why is it so important?
This was the topic of discussion at Broadridge’s Hong Kong Client Forum 2024. The event featured a panel discussion with four industry experts and included breakout discussions for both sell-side and buy-side firms.
Below are the takeaways from the breakout discussions:
Regulatory awareness: Many firms lack familiarity with upcoming regulations.
Global partnerships: Collaborate with partners that have international experience.
Strategic technology investment: A targeted approach is essential for technology spending.
Technology as a driver: Leverage technology to enhance business operations.
Preparedness exercises: Conduct tabletop exercises to mitigate the impact of outages.
Risk identification: Identify single points of failure and reduce reliance on them through robust testing and process.
Operational resiliency is nothing new, but it has been garnering more attention, in part because several upcoming regulations call on firms to strengthen trust and security. Firms are increasingly aware of the risk of cyberattacks, whether originating internally or externally through their third-party vendors and counterparties, as well as of other potential disruptions. Firms are also concerned about non-malicious changes causing outages.
The global outage caused by CrowdStrike in July has made firms wake up and contend with third-party vendor risk head-on. In some cases, third-party vendor risk or unintended change may outweigh the challenge of security threats.
“With security threats, there’s a playbook, there’s a kill chain - there are products out there to help you build a layered defense. And, if you’re a financial institution, you have the best people investing in security. Third-party risks are more challenging. Since CrowdStrike, we’ve been asking if something like this could happen with our other software platforms. The answer is yes,” a panelist said.
In some cases, firms deal with hundreds of platforms. Even if there were a playbook to help deal with the risk of an outage or a similar incident, it would differ from platform to platform.
These platforms often interact with other platforms and may be beyond firms’ control or understanding.
As for cybersecurity, it’s pertinent to protect against both malicious intent and accidental incidents. Panelists agreed that cybersecurity incidents are not a question of ‘if it happens’, but a matter of when.
“I think every month there is something different that we don’t know about, so it’s very difficult to cover and support. The financial world has been deconsolidated, so firms use a lot of vendors now, and those vendors are probably not under the same regulatory scrutiny as we are, but the regulation for that is coming,” a second panelist said.
Regulatory scrutiny
One regulation that is fast approaching is the Digital Operational Resilience Act (DORA) in Europe. The compliance deadline of January 17, 2025, has some financial institutions scrambling in an attempt to get their houses in order, for example, by identifying their technology vendors for critical parts of their business.
In Hong Kong, the HKMA issued OR-2, which mandates scenario testing for plausible severe events. Financial institutions have until May 2026 to demonstrate resiliency to the regulator. In June this year, the Hong Kong Government also proposed a new cybersecurity law, titled the “Protection of Critical Infrastructure (Computer System) Bill”, which it plans to introduce to the Legislative Council by the end of 2024 and implement in stages by 2026. The new bill aims to strengthen the security of computer systems of critical infrastructure, covering banks and financial institutions, to minimize the chances of disruptions due to cyberattacks.
Australia, too, has its own operational resilience framework. The Australian Prudential Regulation Authority (APRA) released CPS 230 – Operational Risk Management, which, like Europe’s DORA, extends oversight to financial institutions’ partners and critical service providers, reaching as far as fifth parties. The new standard is effective from July 1, 2025.
Other jurisdictions have similar regulations, albeit with their own flavor and spin on operational resilience.
One of the big challenges for firms, especially those operating globally, is to comply with all the relevant regulations within the correct timeline. “At the end of the day, they are all looking for the same thing; some more, some a bit less, but the idea is more or less the same,” the second panelist said.
A third panelist observed that regulations like Europe’s DORA, Hong Kong’s OR-2, or APRA’s CPS 230 raise the bar for how financial institutions ensure operational resiliency.
“What we’ve seen globally with these regulations is that what ends up happening is the bar is raised, especially for global organizations that are doing business globally. It ends up inevitably raising the bar for operations everywhere as your business needs to be compliant to the highest standard,” the third panelist said.
Although these regulations mainly target critical infrastructure, which extends to financial institutions’ information and communications technology systems and services, panelists expect the scope to expand in time.
In the same boat
To help deal with compliance and to future-proof the resiliency of their operations, firms should look for service providers that are well-established and in a position to step in and help should an incident occur.
In the past, firms might have contracted out their responsibilities to their vendors, relying on the service level agreement (SLA) as protection. Panelists said this practice can no longer continue. As these regulations are implemented, both the firm and the vendor are now in the same boat.
“We are jointly responsible for the outcomes that the vendor-customer relationship produces,” a fourth panelist said.
As a result of these regulations, panelists are hoping for the vendor-customer relationship to become more of a partner-customer relationship. That relationship is critical to staying compliant with regulations.
“I would anchor back on that vendor-to-partner change in relationship, instead of having transactional interactions with your vendors, perhaps bring them into the tent a little bit more about where you see your business going and how you want to get there, so that those vendors become partners and are looking out for you out of the RFP (request for proposal) cycle. They can be thinking of you in the future,” the fourth panelist said.
Vendors, or rather partners, and their clients should communicate beyond the terms of the SLA in place. This should start from the get-go, at the point of implementation or consumption of the service.
Resilient by design
This partnership relationship should be utilized to deliver the service together, ensuring it is resilient by design.
To understand where a firm’s operational resiliency stands, it will need to clearly understand its vendor inventory, contracts and clauses. “It seems like a small thing, but it’s not. You need to put your house in order to know where to start,” the second panelist said.
That will make it easier for firms to be resilient by design, meaning that every time a firm wants to do something new, it needs to have resiliency built in.
By extension, this also means that business continuity planning (BCP) and disaster recovery (DR) planning have to change too.
“If you think about the way we used to do business continuity planning (BCP)—we have a checklist, maybe in a Word document, and we just tick the boxes. And this is done once a year, maybe it takes three days to roll back and forth from the backup to production. We can’t do this anymore,” they added.
Firms should conduct “fire drills” more often to ensure their BCP and DR processes are up to date with the current operational and technology needs.
Back to basics—it’s about simplification
As for the use of new technologies to enhance the client experience and, in some cases, support resilience efforts, panelists believed that artificial intelligence, for example, still has some way to go. They reiterated that AI should not be seen as a panacea.
Instead, firms should try to simplify the underlying problems first, before layering technology on top.
“So many times we see new technologies laid on top of broken systems and broken processes that haven’t had the investment warranted for them to have a solid foundation to build for the future. I would much rather people take the time and not invest in the new technology and fix the process and infrastructure so that when they do invest, it pays off in dividends,” the third panelist said.
Whether financial institutions use emerging technologies or go back to basics to deal with operational resiliency risks, the panelists’ message was the same: they should work closely with their partners and build resilience into their processes. A coordinated approach will help ensure a good operational resilience bill of health.