The COVID-19 pandemic has demonstrated the importance of understanding a firm’s business and operational resilience. While firms have always focused on disaster recovery, business continuity management and cybersecurity, they have done so in isolation. But as business risks have evolved, so too must the approach and actions toward resilience. Resilience initiatives must take a holistic approach to threats and aim to safeguard critical business services against a wide range of technical, physical, logical and financial disruptions.
DTCC’s Dan Thieke, Managing Director, Business Resilience, and Rachel Tyler, Executive Director, Business Resilience, discuss the changing dynamics of resilience and what the future of resilience will look like for the financial services industry.
How has resilience evolved for DTCC and the industry?
DT: Through the evolution of risk factors, DTCC’s business resilience vision has matured. What I mean by that is, our operational and business resilience has been shaped by past crises, such as 9/11, Superstorm Sandy and the global financial crisis of 2007.
Now, we are in the midst of an unprecedented global crisis that will have a profound impact on business and operational resilience going forward. There are aspects of this crisis that have identified new areas of opportunity, drawing attention to how resilience itself needs to evolve; for example, the opportunity to understand the technology needs to support large portions of the workforce operating remotely. As with past crises, we learn and adapt and continue to engage our clients, regulators and industry partners. This is central to our mission to deliver the world’s most resilient and secure post-trade infrastructure for our clients.
The Impact of Superstorm Sandy
In October 2012, Superstorm Sandy hit New York City, bringing with it unprecedented storm surges and flooding that devastated many communities throughout the five boroughs. The storm limited access to our offices and our physical securities vault and impacted our ability to process key services. We shifted processing to our Tampa office and began getting Northeast staff set up in home offices using our new Virtual Desktop Infrastructure (VDI) while determining key workarounds for business services that required some aspect of physical processing. The key workarounds we identified had a heavy influence on our current business continuity management processes.
RT: In recent years, the industry has moved the resilience conversation beyond physical events and put an increased focus on cybersecurity threats – and rightly so. We specifically highlighted the need for enhancing industry-wide resilience due to ever-increasing cybersecurity threats in a report we published jointly with Oliver Wyman in 2018, Large-Scale Cyber-Attacks on the Financial System: A Case for Better Coordinated Response and Recovery Strategies.
However, current events highlight the need to continue the resilience discussion on all fronts and we must continue to evolve our approach, enhancing resilience to develop a framework that is holistic, forward-looking and highly collaborative. Rather than narrowly focusing on systems, resilience initiatives should aim to safeguard critical business services against a wide range of technical, physical, logical or financial disruptions, regardless of their cause or origin.
How has the evolution of resilience impacted the industry?
DT: It’s forced us to re-examine processes and best practices. For example, out-of-region operational centers, once considered a best practice, may not be the fallback we once thought when you are talking about a global event. COVID-19, being a global pandemic, has shown that you can have an event that impacts all global operational centers in the same manner, and therefore limits a firm’s ability to redirect activities to other regions, as they might have done during a localized disaster.
For regional support centers, you have to re-examine the infrastructure. Some of the firms that rely on low-cost global locations to support key activities are encountering issues that are impeding that location’s operations. For example, an aged technology infrastructure may not support Wi-Fi and internet requirements to support a large remote workforce. I think you’ll see some post-COVID movement around re-evaluating those geographical support locations not just for technical support but also for operational support.
RT: We operate in an increasingly complex and interconnected environment. To consider impacts on, and dependencies on, the broader ecosystem, resilience efforts require looking at business services from an end-to-end perspective that starts with the customer and includes service providers, regulators, third parties, industry associations, as well as any other partners and stakeholders.
Other paradigm shifts that are essential to increasing resilience include the ability to anticipate and recover from issues, as well as a willingness to prioritize resilience over efficiency in certain cases. Resilience must be established as a business-owned strategic endeavor that is supported at the highest levels of the organization.
What are the next steps for the industry post-COVID-19 crisis?
DT: No doubt resilience strategies will change as a result of this crisis, not just at DTCC but across the industry. From a regulatory perspective, I think it’s going to accelerate the discussion and engagement on forming strategies going forward. We have already seen an increase in the amount of industry coordination, despite what firms have had to plan for on an individual basis, which has been a positive outcome of this current crisis.
RT: Sector coordination going forward is going to be a key point for industry discussion. As resilience-enhancing initiatives are further refined and implemented, industry collaboration will be a key component of success. Ongoing sector-wide testing will be necessary to ensure all firms understand their roles and have the appropriate level of readiness to mitigate the impact of shocks that could disrupt their business services. Thankfully, there’s a desire within the industry to keep talking about these issues and resolve them collectively. Given it’s a very connected sector, the need for constant communication about our plans for resiliency must continue.