
BoE Speech gives insights on Operational Resilience Scenario Testing

Elisabeth Stheeman's recent speech at the London School of Economics provided some "behind the curtain" insights for operational resilience scenario testing.

Elisabeth presented findings from the FPC’s 2022 cyber thematic, which involved both small and large financial services firms.

Considering the speech alongside our experience of PRA feedback on operational resilience programmes, and the scenario tests we have been running, we can draw some key lessons.

  1. A cyber-attack is a severe but plausible scenario that must be tested, whatever the size and scale of your firm. This was made clear as far back as mid-2022 and is reiterated here.
  2. Scenario testing that exercises recovery capability alone misses the point. Yes, recovery is a key aspect of the test, but it is your last line of defence. Your scenario testing should focus first on identifying contingencies or workarounds (e.g. manual processing) and mitigants (e.g. extending overdraft facilities to help customers meet a payment) that extend the impact tolerance window and reduce the likelihood of intolerable harm occurring.
  3. Testing in organisational silos will not realise maximum benefit. Only through enterprise-wide scenario testing which involves accountable IBS, pillar and resource owners will you achieve the "co-ordinated decision making" necessary to break down silos and identify meaningful collaborative contingencies and mitigants.
  4. Another big-ticket item to consider is operational contagion. The speech refers to sector-wide contagion; however, especially in relation to a cyber scenario, we think it also highlights the need to test against the potential for widespread contagion to other services and resources within the firm. This is where quality process, resource and third-party mapping becomes a vital tool in your testing preparation.
  5. For firms planning multi-layered scenario testing, the speech gives a pointer on some things you might wish to include, namely data corruption caused by the cyber-attack or the loss of a critical third party as a result of a cyber-attack. These scenarios could be engineered from either an internal or a supplier perspective, e.g. a cyber-attack on a critical third party takes them offline, or you experience a cyber-attack that corrupts data, leaving the third party unable to deliver their service to your customers.
  6. A useful reminder for our own testing approach is that we often overlook the importance of including comms capability. We rarely involve a comms stakeholder in testing unless it is a crisis exercise. We should all remember that a robust internal and external comms plan forms part of the regulatory requirement.

Other important takeaways from the speech include:

  • another indication that direct regulation of third parties is an inevitability with the regulator again pointing out the danger of concentration risk in a small pool of critical third parties,
  • if, as with most firms, you have included Payments Out as an Important Business Service then the speech provides clear guidance on the PRA's expectation of where your Impact Tolerance should sit.
 
How FourthLine can help
If you'd like to understand how our enablement and full delivery approaches may benefit your firm's operational resilience programme, enquire here or book a time with one of our consultants here.
Read our Outsourcing and Third-Party Risk Management Technical Paper
Read our Operational Resilience Insight Deck
November 3, 2023
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.