Don’t kid yourself that operational resilience can increase returns

Increasing operational resilience means investment, and every investment is a cost. Unfortunately, despite the efforts of consultants to persuade financial institutions that investing in operational resilience creates competitive advantages and generates returns, it is in the end just another cost of compliance whose returns accrue to others.

Operational resilience is not the same thing as operational risk management. Its goal is not to mitigate the cost of an operational disruption, but to ensure a firm can continue to provide an essential service even though a disruptive event has occurred. Regulators emphasise it because in the final analysis they are not much interested in the financial or reputational damage a disrupted firm might suffer. What they care about is ensuring consumers and businesses continue to receive a service even when their service provider is disrupted, because that is how they are judged and rewarded. 

Megan Butler, an executive director of supervision at the Financial Conduct Authority (FCA), put it like this in a speech in December last year:

“We will not accept operational failures that – but for a lack of sufficient contingency planning – see consumers stuck on the phone for hours trying to speak to their bank, unable to complete a house sale or purchase or facing uncertainty over whether they will be able to pay their rent on time because they cannot transfer their money … I’d also like to make it absolutely clear that identifying your firm’s maximum tolerable level of disruption to an important business service - from a public interest perspective – should produce a threshold that is quite different to your established risk appetite and risk tolerance metrics … … This is not a box ticking exercise …. This is not about what you are willing to, or think you can, ‘get away with’, because you think the worst is unlikely to happen. We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen … We want customers protected by actions you can take now.” *

This was uncompromising language. Although operational resilience has been a regulatory priority for many years, the idiom used by Megan Butler suggests that regulators are getting tired of regulated firms doing as little as they can get away with – a habit first evident in the FCA inquiry back in 2012-13 into the operational vulnerabilities posed by asset management outsourcing to global custodian banks.

*Megan Butler, Executive Director of Supervision – Investment, Wholesale and Specialists, speech to TISA Operational Resilience Forum in London, 5 December 2019.

If any senior manager at an FCA-regulated firm is still tempted to think that formal rather than substantial compliance would be adequate, Butler reminded them that they would be held personally responsible – up to and including fines and even jail terms – for operational resilience under the Senior Managers and Certification Regime (SMCR). In 2018 Barclays CEO Jes Staley was fined £642,000 by the FCA and the Prudential Regulation Authority (PRA) under the SMCR, so the threat is material.

Which means the current consultation on operational resilience by the FCA and the PRA – both of which are seeking feedback by 1 October on consultation papers they issued on the subject on 5 December last year – needs to be taken seriously. The default position of the financial services industry to any regulatory measure is to grumble about the diversion of time and money into compliance. This response is rarely sincere. The costs of compliance erect a barrier to entry which suits incumbents well.

But investing in operational resilience might be wasteful as well as hypocritical. Not in the obvious sense that armies of consultants will be paid to draw up policies, metrics and models regulated firms can adopt to persuade the FCA and the PRA they are compliant, but in opportunity cost. After all, if operational resilience is good for business, why grumble about the cost? Perhaps operationally resilient firms will win more clients and make more money. Fortunately, the extension of the deadline to October following the Covid-19 outbreak (it was originally 3 April) provides an unexpected longueur in which to ponder this question.

Clearly, operational resilience has defensive qualities. In 2019 the TSB reported that it shed 80,000 customers and lost £105.4 million after its botched migration to a new IT platform. In 2016 Tesco Bank had to suspend all on-line transactions after a cyber-attack, in which its customers lost £2.26 million. The FCA later fined Tesco Bank £16.4 million for its cyber-security failings, a sum reduced by half in return for co-operation.

Had either bank had a better operational grip – or even just an effective customer communication plan when disaster struck – it could have avoided the direct costs of making customers whole and paying fines, and the indirect costs of losing existing customers and deterring new ones. And it is indeed tempting to argue that maintaining services and retaining the trust of customers in a competitive marketplace is the return a business gets from investing in operational resilience. But that is to re-label non-events as events.

It is much harder to think of offensive competitive advantages and genuine investment returns that operational resilience confers on firms which take the concept seriously. This is not surprising. The FCA and the PRA are interested in protecting investors and consumers, not making them rich. They want financial institutions to map the essential services they supply to their customers against the people and the systems and the supply chains used to deliver them, and then test those components for signs of vulnerability. Their lodestar is security, not returns.

Returns, of course, are correlated with risk. Heroic attempts are sometimes made to prove that the suppression of operational risk can yield a return. It might ensure that investments are concentrated in the areas that matter. It might keep operational capabilities in line with the strategy of the business and its sources of finance, making it easier to seize new opportunities. It might be easier to complete mergers and acquisitions if people, systems and supply chains are well mapped, so a business can grow more quickly. But it is much more likely that operational risk reduction is just another compliance cost that reduces returns on investment.

Indeed, Megan Butler was quite explicit that, when it came to operational risk, the regulators would punish firms that attempted to trade operational risk for return. “You cannot ‘game the system’ by setting an excessively high impact tolerance that you know will never require you to take additional steps,” she warned. “When it comes to supervising firms, you can expect this to be an area where we will pay close attention … If risk appetite is only set in line with corporate strategic objectives, which are inevitably anchored to profitability and cost reduction, this can work against achieving the continuity of supply of an important business service.” In the end, the chief beneficiaries of increased operational resilience are not shareholders, or even customers or investors, but regulators.

Written by Dominic Hobson – Co-Founder Future of Finance
April 2020

