L to R: Andrew Gray, DTCC Managing Director and Group Chief Risk Officer; and Dr. Daniela Peterhoff, Oliver Wyman Global Head of Financial Market Infrastructure Practice.
Business resilience in the financial services industry – how to build it globally and ensure firms can safeguard their operations in the face of potentially disruptive events -- dominates today’s discussions around risk management.
In their keynote conversation kicking off DTCC’s 6th Annual Client Risk Forum October 3rd in New York, DTCC’s Andrew Gray, Managing Director and Group Chief Risk Officer, and Dr. Daniela Peterhoff, Global Head of Financial Market Infrastructure Practice at Oliver Wyman, explored what is driving the urgency for resilience and the challenges financial market infrastructures (FMIs) and other market participants will face in building it.
Driving the Need for Resilience
Gray and Peterhoff explored what additional factors, beyond the proliferation of cyberattacks, underlie the growing urgency to build resilience into the financial infrastructure. Firms increasingly rely on and utilize data and technology for an array of purposes – including global access, connectivity, analytics, process efficiency, regulatory compliance and solving client problems. This centrality of data and technology makes resilience essential, they agreed.
Technology-driven innovation is prompting changes in firms’ operating models, and in turn “changing the activity chains within the overall capital markets landscape,” Peterhoff observed. Technology is enabling some banks, for example, to consider outsourcing certain traditional trading and clearing activities. Others are establishing greenfield banking operations with separate technology stacks alongside their existing infrastructure.
“FMIs in particular are technology-heavy and becoming more interconnected in line with global business models,” said Peterhoff. “And the technology is becoming more complex.”
Building Blocks for Resilience
While technological complexity and reformulated activity chains create opportunities, Peterhoff said -- to develop new capabilities and diversify the services delivered to clients, for instance -- they also engender risk. Constructing robust defenses to respond to this risk requires governance policies, transparency and metrics/measurability – themes that are emphasized in “Resilience First,” the DTCC white paper released this year, Gray said.
Peterhoff said that some firms, FMIs especially, have already done a lot of work in these three areas but most organizations still need to strengthen something else that is important for resilience: linkages with peers and clients.
And, less obvious but perhaps most important, she added, firms must focus on their people by heightening cultural awareness of cyber and other risks and promoting behavioral change.
“When we saw the discussion emerge around resilience, a lot of the initial responses have focused on metrics and controls -- introducing and reinforcing them. But, from a systems theory perspective, if you have a more complex system, that can’t be enough,” she said. “The bigger, and quite crucial, shift should be towards cultural change.”
Because today’s resilience is more complicated and technology-based than the disaster recovery framework that guided business continuity planning in the past, Gray noted, “business resilience is really the responsibility of everyone in the organization.” Given this reality, he asked, how can organizations ensure cultural change happens?
“You need to educate and give behavioral guidance to watch out for certain events. Creating a new set of examples and case studies for employees can be really helpful,” Peterhoff said. “I myself had to relearn online habits when I moved to Sweden, a cashless society where you execute a lot of activities through mobile phone apps. The phishing attempts are beyond anything I had imagined.”
A Role for FMIs
In their discussion Gray and Peterhoff recognized that, even if individual firms have the right building blocks in place, business resilience also depends on collaboration among industry participants. Exchanging information on risk levels, sharing best practices and reducing regulatory fragmentation can enhance resilience across markets, Peterhoff said.
And she suggested giving industry bodies expanded roles in this effort, citing CPMI-IOSCO’s ability to formulate principles and standards and the FSB [Financial Stability Board] as an appropriate entity to devise a playbook for crisis management.
As hubs of processing activity for market participants and leaders in establishing the governance and metrics needed for resilience, FMIs like DTCC are also well positioned to push the industry ahead in achieving resilience. “To take the lead in defining disruption scenarios and promoting consistent responses would be a big step forward globally,” Peterhoff said.