No one wants to read in the news that the organisation they entrusted with their money and assets – a financial services firm, for example – is unable to process payments or access their systems, had their data stolen, is subject to a ransom attack, or that their main contact doesn’t even know what happened.
This is where operational resilience comes in – so that we can prevent, adapt and respond to, and recover and learn from operational disruption.
For many firms within the financial advice and wealth management sector, operational resilience will be at the forefront as we approach the 31 March deadline for the FCA’s new operational resilience regime, PS21/3.
Firms have had the opportunity to improve their resilience and incorporate the regulator’s new obligations in a way that reassures clients and counterparties, potentially enhancing customer retention and satisfaction.
At a time when some firms use a vast range of systems and services – from those built before the era of flip phones to cutting-edge AI-driven solutions – strengthening operational foundations is more crucial than ever.
Firms that fail to do so will risk not only their business continuity, but also their reputation and client trust.
As the world becomes more interconnected and we rely increasingly on external parties, the ever growing and evolving risks from cyberattacks, natural disasters, and political and economic volatility highlight vulnerabilities and make the need for operational resilience in financial services absolutely critical.
In this environment, a firm’s ability to maintain critical operations during a crisis is just as important as its ability to make profits during calmer times.
At PIMFA, we have discussed a number of challenges for firms.
Looking at smaller firms, some might argue “why wouldn’t we strive to achieve that higher standard, even if, for the moment, smaller firms are not in scope?”
But while the aspiration may be there, the path does not always run smoothly and has its fair share of difficulties.
Smaller firms, in particular, may struggle with limited budgets and resources, making it difficult to invest in the necessary technology and infrastructure to protect against disruptions.
Moreover, embedding resilience into existing operations, risk management processes and business continuity plans is not an easy task. It requires both strategic vision and significant investment.
As the end of March deadline approaches, firms must ensure they have robust and tested frameworks in place to withstand disruptions, particularly those related to third-party vendors.
However, a key challenge many firms still face is testing resilience together with their critical third-party vendors.
The new regulatory frameworks, as described in the FCA’s PS21/3, have made great strides in encouraging firms to embed operational resilience into their infrastructure.
These frameworks require firms to assess their resilience, identify risks, set impact tolerance levels and implement mitigation strategies.
However, true resilience requires more than just meeting regulatory standards, and meeting them is not a one-off tick-box exercise.
It is about fostering a culture of preparedness, adaptability, and continuous improvement that can withstand unexpected challenges and ensure long-term success.
With regulators, particularly the FCA, increasing their focus on operational resilience and expanding their teams, firms must recognise the growing importance of meeting these standards and demonstrating their capability through ongoing reviews and testing of ‘severe but plausible’ scenarios.
While the regulatory focus is an important driver, the benefits of operational resilience go beyond compliance.
Firms that invest in resilience gain the ability to recover quickly from disruptions, minimising downtime and financial losses.
Furthermore, demonstrating operational resilience builds trust with clients, counterparties and stakeholders, positioning firms as reliable, future-proof entities in an increasingly uncertain world.
Prioritising resilience is about protecting the firm’s reputation, safeguarding client relationships, and ensuring long-term success, not just avoiding fines. Firms that invest in resilience demonstrate a commitment to the highest service standards, even in the face of adversity.
To build operational resilience, firms should start by aligning their resilience strategies with existing risk management and business continuity plans.
As discussed at a recent PIMFA Operational Resilience Working Group, resilience should be embedded in the firm’s culture, with regular training, scenario planning, and continuous testing of systems to ensure readiness for any potential disruption.
This means challenging the status quo, learning from past incidents, and challenging one’s own thinking in order to see possible disruption from a different angle.
The 31 March deadline is not the end of the operational resilience mission; it is the first important milestone on the resilience journey, and both demand and risk will continue to evolve and grow.
Firms must take proactive steps to protect themselves from disruption, not only to comply with regulations but to secure their long-term viability in an unpredictable world.
The regulatory frameworks, such as PS21/3, provide a vital starting point, but the responsibility ultimately lies with each firm to embed resilience into its core operation.
Operational resilience is more than just meeting the regulatory standards; it is about safeguarding client trust, maintaining a firm’s reputation, and ensuring success in a volatile market.
How firms respond will determine their future.
Maria Fritzsche is a senior policy adviser at PIMFA