thewealthnet

Is your business ready for the next crisis?

21/08/2020

Given his role as chief risk officer at BNY Mellon’s Pershing, Andy Reeves is always operating on an ‘expect the unexpected’ basis. He spoke to thewealthnet’s Alex Newlove about how the pandemic – and upcoming regulation changes – may change the way the financial services sector thinks about risk.

“Unprecedented” will surely be in the running for the most-used descriptor of 2020.

But for Andy Reeves, chief risk officer at BNY Mellon’s Pershing, contemplating seemingly out-of-the-blue crises and events is all part of a day’s work – and a theme which has been picked up by UK regulators in recent years.

Mr Reeves points out that operational resilience was a subject already high on the 2020 agenda for regulators, even pre-pandemic, as the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) consult on their ‘CP19/32: Building operational resilience’ paper – a process set to close in October.

This consultation contains draft rules for some more heavily-regulated firms, including the need to identify important business services at least annually, set “impact tolerances” and conduct scenario testing.

As Mr Reeves says, firms could never have foreseen the enormous test of their plans which awaited them in early 2020, which has further driven home the importance of future preparedness.

“The timing of the consultation perhaps is opportune in a way, as these issues will be on the forefront of people’s minds,” Mr Reeves says.

“I think from the regulators’ perspective, they would point to their own discussion and consultation papers and say, ‘we told you this was important’ and I think they would be correct in that.”

Mr Reeves says while most firms would have had some degree of pandemic planning in place, such an event would likely have been viewed as “rather fantastical”. One of the hallmarks of the Covid-19 crisis was that several operational challenges struck at once.

“Obviously, there were the huge business continuity implications – all transitioning to remote working in a short space of time – overlaid with a period of quite severe market volatility.

“This will only reinforce the regulators’ desire to make sure that businesses are prepared for a wide range of events, as well as a combination of different events.”


What does the consultation mean for my firm?

The FCA and PRA started their piece of work on ‘operational resilience’ – “essentially a combination of business continuity, disaster recovery and more”, Mr Reeves says – in 2018, when a discussion paper on the subject was published.

The resulting rule consultation, launched in late 2019, picks up on this work, and looks to shift the focus from written processes and rigid plans, towards practical outcomes during an unexpected event.

Rules apply to an array of firms including banks, PRA-designated investment businesses, and FCA-regulated firms that are classed as “enhanced” under the Senior Managers & Certification Regime (SM&CR).

The proposed rules will mean that firms must identify their services which, if disrupted, could harm their end customers or clients, and model their so-called “impact tolerances” through a range of severe but plausible events.

“Previously, if you were talking about business continuity planning, you would have a written plan which might include for example, your alternative work recovery sites, and say some people at home on laptops, and some way of enacting this. Then effectively there would be the assumption that you could meet any kind of disruption that came,” Mr Reeves says.

“However, there was no real measure of how much you could put that firm through. It was very much planning for if events happened, as opposed to when they happened, and that marks the shift in focus for the regulator.”

One of the key aspects of the new rules will be mapping dependencies on technology vendors, people, buildings, and other suppliers – to see where other issues outside a firm’s control could emerge during a crisis. Even more important will be the concept of “impact tolerances”, which asks firms to measure the point at which they would no longer be able to provide any given key service.

Mr Reeves says this again comes back to the idea of firms needing resilience against a combination of disruptive events, rather than just one in isolation.

“For example, if we had a loss of staff due to a pandemic or a weather-related event, we could still process a certain percentage of our transactions by the end of the day, even if we lost a certain proportion of our people. Then you say right, if we had a building outage, we could move to the workplace recovery site and by the end of the day could still be processing a certain percentage of the transactions.

“The regulation will go a bit further and say what if these events happened at once? You layer those up until you get to a point as a firm where you are being quite open and saying, either a combination of events or the extremity of one event, would mean not being able to provide that service.”


The less obvious challenges thrown up by Covid-19

What could have been a very theoretical exercise for firms has suddenly become stark reality.

“This event certainly exceeded most of the business continuity planning that everyone had done – a lot of which was quite rigid,” Mr Reeves says.

“The pandemic has really highlighted the fact that the real crisis is never quite the one that you actually plan for, that's just a truism across any kind of planning I think.”

And as the initial feeling of crisis died away, other unforeseen challenges emerged, particularly from a cybersecurity perspective.

“People respond very quickly when there's a crisis – they pull the bootstraps up and get on with it and you find people are very flexible and responsive,” Mr Reeves says.

“To some degree, as the situation drags on this is potentially where the most risk is, because people have been at home for a number of months, and that is where you really need to start keeping an eye on staff and make sure you are staying connected with them.”

Such risks could come in the form of malign actors inside firms, accidental breaches, or simply a drop in productivity due to a disengaged workforce.

“The longer remote working goes on for – the bigger the risk, so we have got to look at ways to mitigate that.”

This could entail managers receiving training on their “remote leadership” skills, and ensuring they were regularly connecting with their teams.

Mr Reeves: “You really do need to make much more of an effort, as a manager, and be much more conscious of making sure that you maintain those one-to-one calls with people, checking in to see how they are and trying to recreate that random interaction you get in the office.”


The Pershing response

BNY Mellon’s Pershing was well-prepared for the UK’s pandemic lockdown in that as a part of the global BNY Mellon Group, they had access to the experience gained from the early part of the pandemic in the APAC region, where the Group has offices.

“One of the really important things for us was having a well-practiced crisis management team which over the last couple of years has been running scenario training exercises to test their response to various events, for example an outage at a major site or a cyberattack.

“Because the UK lockdown all happened over the space of a couple of weeks, that was a challenge but one that we met well as we were well drilled at making decisions in a fast-paced crisis.”

Mr Reeves said the pandemic had served to highlight the pinch point processes that were still reliant on paper or physical signatures – “when you’re forced to do everything remotely, it can be a great source of innovation”.

“One of the really good things that has come out of this for all firms is making sure that all your processes are as efficient and as digital as they possibly can be,” he says.

Mr Reeves also points out that the new regulations may be another reason for wealth management and advice firms to look at using specialist providers, as the rules may offer additional assurances that suppliers were battle-ready.

Pershing, for example, is deemed an ‘enhanced’ firm under SM&CR, and thus will be subject to the new rules.

“From a wealth management perspective, some firms wouldn’t necessarily be held to such a high standard.

“It goes to the benefit of potentially using a provider who will have to meet those FCA requirements and will therefore end up being that much more resilient.”
