For several years now, operational resilience has been at the top of the regulatory agenda for financial services. Understandably so, with regulators acutely aware of the threat of disruption to financial firms, and by extension to their customers, particularly in times of stress. They also recognise that in the digital age, the interconnectedness of the global financial system means that disruption can spread rapidly.
Underpinning the many regulatory initiatives is the common desire to create a financial services sector that is more resilient to disruption, reducing the risk of wider contagion, financial instability, harm to end-customers and reputational damage.
Firms are operating in an environment that has long been in a state of simultaneous and overlapping crises. All signs indicate that polycrisis is the new normal. The question firms now need to ask themselves is not ‘if’ but ‘when’ the next crisis will strike. And when it does, will they be positioned to remain worthy of their stakeholders’ trust?
Firms that recognise this opportunity and invest in building a strategic operational resilience capability will gain a significant competitive advantage over those who view it as just another compliance exercise.
Cyber and ICT security risks are greater than ever due to the accelerated adoption of technology and increasing sophistication of external bad actors. The regulatory response has included the Network and Information Security (NIS2) Directive and the Digital Operational Resilience Act (DORA). But developing rules and regulation is one thing – making them work is another.
So, what do we mean when we talk about successful implementation of DORA and NIS2? And where do the challenges lie for firms and regulators?
KPMG member firms are working with clients to prepare for new requirements and to help them create future-aware resilience cultures. Key to this is the conviction that it is possible to develop a single strategic resilience capability that can meet the needs of multiple regulations and jurisdictions.
The starting point is the plethora of regulation that firms must deal with, at a local, regional, and global level and across different disciplines, including many legacy regulations. We know that across this patchwork of regulation not all the requirements will be aligned. It is therefore critical that firms take a wide view and focus on the big picture.
Much is made of the complexities and nuances of different sets of requirements – these are important as they translate to real costs and implementation challenges for firms. Taxonomies vary, for example, between EU and UK definitions of ‘important’ or ‘critical’ functions. DORA and NIS2 also place a stronger focus on technology assets that must be made more resilient to ensure continuity of service than on other capabilities. In other areas, such as critical third parties, there is less divergence – requirements relating to lifecycle and criticality criteria are broadly similar in DORA and the equivalent UK regulatory proposals. However, there are potential complexities within the EU itself, where DORA’s focus on technology vendors may present challenges due to the necessary uplift from the EBA guidelines on outsourcing to DORA’s coverage of all third parties.
However, concentrating only on where the discrepancies lie risks reducing the exercise to compliance rather than improving resilience in the system. Regulators have a role to play here in ensuring interoperability between rules and sufficient convergence so that firms can take a pragmatic approach.
There is also a continuing debate on whether prescriptive or principles-based rules are most appropriate. Again, coming from the perspective that developing enterprise-wide resilience must be the goal, prescriptive requirements run the risk of becoming very compliance driven. The proliferation of rules-based regulation in the resilience space should be considered an enemy of strategic coherence – the real prize is strategic resilience.
Elevation of the resilience agenda to board and ExCo level is a welcome and necessary development. Firms should take an enterprise-wide approach – considering technology, cyber security, data, people, third parties and facilities within their organisation and across the supply chain – to deliver real resilience.
The quest for resilience, whether from technology or business process perspectives, will fail if responses are mobilised in silos. Regulators and firms must increasingly recognise the interlinkages across the industry and into the wider economy. NIS2 brings strategic integration across sectors and industries, picking up non-regulated providers and demonstrating again the broader theme of integration and connectedness. As it becomes increasingly difficult to know what ‘financial services’ is and where it begins and ends, greater connectivity is required to provide a secure ecosystem.