Why are financial services regulators so interested in resilience?
In an earlier blog I took a look at the emergence of hyperautomation (aka intelligent automation), and how resilient applications are the lynchpin to unlocking the efficiency, agility and productivity benefits it promises. In this blog, I’m going to zoom out and take a look at the systemic risk posed by the increasing complexity and interdependence of systems in the banking and finance industry and the drive towards regulating resilience.
IT resilience to avoid systemic crisis
It’s important to consider the problem of resilience on an inter-organisational level - business processes are not restricted to individual organisations. The recent Suez Canal crisis is a very visceral example of the wide-ranging impacts of unanticipated failure and untested recovery processes; to apply this example to the Banking and Finance sector, one bank’s trading floor does not operate independently of the others. The inability to trade due to a broken link in the chain has the potential to impact not just the whole industry, but whole economies.
Think then of the time taken to resolve the issue. In the seven days that the Ever Given was blocking the canal, hundreds of ships, each carrying thousands of containers’ worth of goods and materials, backed up in the Red Sea and the Mediterranean. Simply freeing the ship did not clear this backlog; that too will take time, and onward supply chains will continue to be affected for weeks. Digital resilience in a complex organisation is much the same - the longer it takes to identify and resolve the issue, the more complicated and expensive it is to return to full operations.
This is, in part, the impetus behind the EU’s Digital Operational Resilience Act (DORA). The Act is designed to “consolidate and upgrade ICT risk requirements” across financial entities to ensure all firms are “subject to a common set of standards to mitigate ICT risks.” Similar regulations are being discussed by the Financial Conduct Authority (FCA) in the UK and the Securities and Exchange Commission (SEC) in the USA. The aim of these common standards is to guard against a systemic crisis which threatens financial stability.
Common standards of demonstrable digital resilience
These moves towards regulating resilience acknowledge that failures are inevitable - what is important is the ability to quickly bounce back from those failures, diagnose the cause and implement learnings to avoid it in the future.
However, DORA, to which the FCA and SEC are likely to align, doesn’t just require organisations to be resilient but to be able to demonstrate how they are resilient. As such, it presents a great opportunity to actively review your systems and processes and to consider fresh approaches.
Application management tools play a key role in a mature approach to resilience. By modelling and automatically deploying recovery policies at the application level, you can ensure the links in the chain are available when you need them to be.
Deploying Cloudsoft AMP doesn’t just enable resilience by increasing the mean time between failures and decreasing the time to repair. Cloudsoft AMP can also be used to demonstrate the steps you have taken to guarantee your digital operational resilience. For example:
DORA Requirements | Cloudsoft AMP capabilities
--- | ---
ICT (protocols, applications etc.) to be resilient under stressed market conditions. | AMP makes disaster recovery testable. You can define your recovery policies, inject failure modes and verify that AMP will maintain availability for the application under stressed conditions. Running simulations of disaster recovery events also enables you to stress-test your processes, including scale and back-ups.
Maintain mechanisms to promptly detect anomalies. | Sensors are AMP's way of obtaining real-time, continuous information about the system. From this, users can infer system health and performance/availability.
State your recovery methods. | AMP’s component models enable you to codify this, allowing consistent application of recovery methods wherever those components are deployed.
Carry out post-disruption reviews, identify causes and improvements. | "Improvements" can be incorporated as changes to blueprints, all version controlled and reviewable.
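The three mechanisms the table describes (a health sensor that detects anomalies, a codified recovery policy, and a failure-injection run that verifies availability) can be shown end to end in a small simulation. The code below is an added, self-contained illustration written for this post; it is not Cloudsoft AMP code and does not use AMP's blueprint or sensor APIs. The `Component`, `RestartPolicy` and `run_dr_simulation` names, the tick-based clock and the failure schedule are all constructed for the example.

```python
"""Constructed example: a testable recovery policy driven by a health sensor.

Not Cloudsoft AMP code. Models one application component, a sensor that
reports its health each tick, a restart policy that acts on consecutive
failed checks, and a disaster-recovery run that injects failures and
records how long the component was unavailable.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Component:
    """A simulated application component exposing a health sensor."""
    name: str
    healthy: bool = True
    restarts: int = 0

    def health_sensor(self) -> bool:
        # In a real deployment this would poll the process, a TCP port
        # or an HTTP health endpoint; here it is just state.
        return self.healthy

    def restart(self) -> None:
        # The recovery method: a restart brings the component back to healthy.
        self.restarts += 1
        self.healthy = True


@dataclass
class RestartPolicy:
    """Codified recovery method: restart the component once the sensor has
    reported failure for `failure_threshold` consecutive checks, so that a
    single flapping reading does not trigger a restart."""
    failure_threshold: int = 2
    consecutive_failures: int = 0

    def evaluate(self, component: Component) -> bool:
        """Run one policy check; return True if a recovery action was taken."""
        if component.health_sensor():
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.failure_threshold:
            component.restart()
            self.consecutive_failures = 0
            return True
        return False


@dataclass
class DrReport:
    """Evidence from a disaster-recovery run: what the regulator asks to see."""
    ticks: int
    unavailable_ticks: int = 0
    recovery_ticks: List[int] = field(default_factory=list)

    @property
    def availability(self) -> float:
        return 1.0 - self.unavailable_ticks / self.ticks


def run_dr_simulation(component: Component, policy: RestartPolicy,
                      ticks: int, fail_at: Set[int]) -> DrReport:
    """Inject a failure at each tick in `fail_at`, let the policy react,
    and measure the resulting unavailability."""
    report = DrReport(ticks=ticks)
    for t in range(ticks):
        if t in fail_at:
            component.healthy = False          # injected failure mode
        if not component.health_sensor():      # sensor reading for this tick
            report.unavailable_ticks += 1
        if policy.evaluate(component):         # policy may restart it
            report.recovery_ticks.append(t)
    return report


if __name__ == "__main__":
    gateway = Component("trading-gateway")     # constructed component name
    result = run_dr_simulation(gateway, RestartPolicy(failure_threshold=2),
                               ticks=20, fail_at={3, 12})
    print(f"unavailable ticks: {result.unavailable_ticks}, "
          f"recoveries at: {result.recovery_ticks}, "
          f"availability: {result.availability:.0%}")
```

The `DrReport` is the artefact worth keeping: re-running the same failure schedule after a blueprint change shows whether the change improved or degraded time to recover, which is the kind of reviewable evidence the post-disruption review row in the table calls for.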
Find out more about application resilience in our eBook, or book a conversation with one of our Solution Architects.
Sources
CSO Online: EU's DORA regulation explained: New risk management requirements for financial firms, Dan Swinhoe