Business resilience continues to be an important topic for the financial services industry, with years of foundational work on business continuity, operational risk mitigation and cybersecurity under the industry’s belt. However, with new types of incidents emerging with each passing day, resilience strategies continue to evolve.
Dan Thieke, DTCC Managing Director, Business Risk and Resilience Management, was joined by Tom Wagner, Managing Director, SIFMA; Dr. Daniela Peterhoff, Partner and Head of Market Infrastructure, Oliver Wyman; Kapil Bansal, DTCC Managing Director, Business Architecture; and Naresh Nagia, Chief Risk Officer, CLS Bank International; at the 2019 DTCC Client Risk Forum for a panel discussion on how the industry continues to build business resilience in the midst of evolving risks.
“The industry has been building upon a considerable amount of work that has already been in place for years,” Thieke said. “However, there are a number of internal and external factors, like cyber threats, that are requiring the industry to think about resilience in a new way. Therefore, quite a bit of work is still needed.”
Due to risks presented by emerging technology, more sophisticated cyber threats and regulatory concerns, there is a renewed focus on transforming the industry’s resilience strategies.
Transformation Through Collaboration
Panelists agreed that the renewed focus on resilience requires organizations to boost coordination both internally and externally.
Wagner stated that, the focus will be on those critical business services that are instrumental in ensuring that the financial services sector continues to operate effectively. It will be on the providers of those critical services to ensure that those services can be restored in the case of disruption. Further, organizations need to share information and partner with regulators in order to establish a strong framework.
He mentioned that the SIFMA Operational Resilience Steering Committee has taken a collaborative approach, bringing global financial firms and regulators together to make sure there are no unintended consequences of any new rules or regulations.
“The industry has to align on topics related to resilience continuity in order to prevent negative impacts on the economy and consumer harm,” he said. “It’s imperative that financial firms have coordinated conversations and collaborate with the regulatory community on critical business services, recovery time objectives and impact tolerances.”
Organizational Culture: Who Owns Resilience?
Organizations are rethinking their strategies surrounding business resilience, transforming at the functional level. Peterhoff mentioned that many firms that Oliver Wyman deals with are working toward better internal coordination.
She also spoke on the role of senior management in affecting cultural change to support an organization’s business resilience strategy.
“One of the things we look at is how well-received and understood these resilience strategies are at the senior management level,” she said. “Some of the journeys we’re supporting require a mindset shift across the organization from a narrower controlled system to a more broad-based system that enables the transition across business resilience, financial resilience, and operational resilience. This shift has a better chance of taking place when the message is well-communicated from senior management.”
Nagia agreed that the message needs to come from the executives and does so at his firm. “At CLS, resilience starts at the very top. It must,” he said. “It has to cascade down from the board and senior management.”
He also spoke on the holistic nature of building resilience at CLS. “We design for resilience, operate for resilience, test for resilience, plan for resilience, and then demonstrate financial resources in capital terms, liquidity terms and credit backstop terms,” he said. “That’s the way we operate, and it has evolved over the years.”
Designing for Resilience
Following Nagia’s comments on CLS’ strategy, Bansal provided some insight into DTCC’s designs for resilience. He explained that there are three specific levers of resiliency.
“Business resilience is an all-encompassing umbrella under which there are three specific levers of resiliency,” he said. “Technology resiliency, which is application and data resiliency; operational resiliency, where things like people, policies, procedures support the day-to-day operations of the platform. And last but not least, financial resiliency where the capital and liquidity come in.”
He said that operational risk can quickly manifest into liquidity and capital risk, so collaboration between all departments via organizational culture is imperative.
“At DTCC, we work closely with our technology infrastructure partners, enterprise data management teams, resiliency teams, and business continuity teams,” he said. “So, rather than resiliency being an afterthought at the end of the development lifecycle, we’re addressing the technology resiliency principles right at the onset of design.”