The countdown to the PRA’s Operational Resilience deadline within financial services

Martin Bradbury, UK & I Regional Director, Financial Services, Dynatrace

Financial services providers play a crucial role in keeping the modern world turning, supplying the systems that are critical to the flow of business and commerce. It is therefore vital that these systems are resilient and always available, or service providers risk losing customer trust and disrupting global business continuity.

The PRA’s operational resilience policy, first introduced in March 2022, aims to address these risks. The policy makes it a regulatory requirement for financial services providers to ensure that their critical systems can resist, recover from, and adapt to any adverse occurrences that may cause harm to the business and its customers. Since its introduction, financial services providers have been working to implement the necessary measures to achieve compliance. With the final deadline on 31st March next year, they must now act quickly and make the necessary investments to finalise their compliance strategies.

One year to prepare

The PRA’s recent ‘Dear CEO’ letter, published in January, highlighted that there is still a long way to go for many organisations, calling out operational resilience as a key priority for 2024. As the deadline approaches, financial leaders must act swiftly to implement these operational resilience measures. The first step is to identify any ‘important business services’ that their organisation delivers, by considering the potential impacts or implications they could have beyond their own commercial interests. For example, an outage in a core banking platform could have consequences for multiple stakeholders outside the bank, from the exchange of contracts on a house purchase being delayed and leaving the buyer at risk of legal action, to consumers being left stranded in pharmacies unable to pay for medication.

To adhere to the operational resilience policy, financial organisations must assess their capacity to prevent, recover, and learn from disruptions to these important business services. They must also define an impact tolerance for each service, by establishing the maximum level of disruption that could be absorbed before there are risks to the financial service or its customer base. For each important business service, providers must therefore test its resilience under plausible scenarios that could arise, such as cyber-related disruptions or cloud platform outages. This will help to identify the measures and resources required to keep the service operating within the defined impact tolerance.

Growing complexity of financial services

However, it is becoming more difficult for financial organisations to perform these steps to map and test important business services as they continue to drive innovation. The integration of modern technologies such as conversational AI chatbots and mobile wallets, and the adoption of the cloud-native architectures that help to support these innovations, have led to an increase in complexity. Recent research found that 89% of financial services providers say the complexity of their technology stack has increased in the past 12 months, and 54% expect it will continue to increase. While cloud-native and multicloud architectures give financial providers the agility to stay ahead of the needs and expectations of their customers, they also make it increasingly difficult to monitor and manage the services they deliver.

If it goes unchecked, this increase in complexity has the potential to create blind spots that lead to disruption for important business services. Without clear visibility across the entire technology stack, it becomes more likely that a software update to add a new function or fix a vulnerability in a critical banking application could impact service availability. Limited visibility also makes it difficult for developers to identify the precise root cause of the issue and resolve it quickly, meaning that the resultant downtime could go beyond the impact tolerance. It is therefore essential to have a modern observability strategy, to ensure that the organisation has a clear source of insight into the performance and availability of its critical business services, and real-time insight into the precise cause of any disruptions. This visibility must span the entire technology stack, from the mainframe to the mobile device, to eliminate blind spots.

A clear line of sight

Preparing to meet the requirements of the operational resilience policy ahead of the deadline will remain a clear and urgent priority for financial services providers over the coming 12 months. As they work towards this goal, it will be essential to establish robust contingency plans and a modern observability strategy, to ensure they can maintain the seamless delivery of essential services.

However, it’s also important not to overlook the rewards that could be unlocked if financial providers see these regulations as an opportunity to improve the way they deliver IT services, rather than a risk that must be managed. If they adopt this mindset, they will discover new ways of driving customer experience excellence and building a competitive advantage that puts them ahead in the market.
