Welcome to KPMG's dedicated page for regulatory updates on operational resilience in financial services.
In recent years, operational resilience has risen to the top of the regulatory agenda, and it was brought into even sharper focus by the COVID-19 pandemic. Regulators are acutely aware of the threat of disruption to financial firms, and by extension to their customers, particularly in times of stress. Technology-led business transformation, high-profile instances of outages, and recognition of the global interconnectedness of the financial system have led to increased focus on end-to-end business operations.
Underpinning the many regulatory initiatives is the common desire to create a financial services sector that is more resilient to disruption, hence reducing the potential for wider contagion, financial instability, harm to end-customers and reputational damage to firms.
Historically, the primary resilience focus for global regulators was cyber and ICT security. These remain critical, particularly with the accelerated adoption of technology and increasing sophistication of external bad actors. But firms must also consider the possibility of multiple concurrent disruptions and the emergence of new threats and vulnerabilities. Extreme events arising from climate change could impact physical operations, geopolitical events could challenge operating models, for example through the loss of operating licences in certain jurisdictions, and evolving business models due to innovation or changes in economic conditions could lead to skill shortages.
Increased reliance on third-party relationships raises concerns around the resilience of the third parties themselves, the concentration of critical service providers and data security. Similarly, central clearing has increased dependence on central counterparties (CCPs) and created a concentration of risk.
Although firms were always expected to manage their operational risk, plan for contingencies and have business continuity and disaster recovery plans, operational resilience is now much more. A broader approach — incorporating equally important components such as people, processes, technology and information — is required. Customer impact is always in mind and governance and accountability are in the spotlight.
For more on regulatory developments and expectations around operational resilience, see our insights below.