A recent whitepaper from The Depository Trust & Clearing Corporation (DTCC) highlights the need for industry-wide collaboration in establishing business resilience to protect against future market disruption. This paper, entitled “Resilience First,” calls for a ‘paradigm shift’ to ensure the financial markets on a global basis are better protected against a range of threats including increasing concentration risk, cyber threats and implementation of newer technologies. In a Q&A, Dan Thieke, Managing Director, Business Risk & Resilience Management at DTCC, shares his views on what business resilience means, what the biggest threats are today and some of the core principles firms should consider adopting now.
Q. What is the driver for this white paper and sharing the views and new approach on business continuity?
A. The volume and complexity of threats faced by the financial services industry continues to grow, and as a result, financial institutions, regulators and other stakeholders are focusing on building resilience, broadly defined as the ability to prevent, withstand and quickly recover from disruptive events to continue providing critical business services. In light of this increased emphasis on resilience, DTCC is sharing our views and experiences in the hopes that it will encourage stakeholders to collaborate on enhanced global resilience practices that will help further safeguard the industry from disruptions to better protect all market participants, including the end investor.
Q. What do you view to be the biggest risks for market disruption today and why? How have these risks evolved in recent years?
A. Many factors contribute to the rising focus on resilience worldwide, but two stand out: the increasing threat of cyber-attacks and the growing interconnectedness of the global financial sector.
Cyber risk has consistently been ranked as the number one concern by respondents to DTCC’s Systemic Risk Barometer since the inception of the survey in 2013. The ever-increasing sophistication and frequency of cyber threats only intensifies growing concerns over their potential impact. While industry-wide investment in cyber defenses continues to grow and public-private partnerships support greater levels of information sharing, some existing solutions may be insufficient to address these threats and may even be counterproductive in certain cases. For example, data replication strategies designed to protect against physical disaster could end up worsening the impact of a cyber-attack by rapidly spreading malicious code or compromised data across datacenters.
In addition, the expanding interconnectedness of the financial ecosystem has increased its vulnerability to disruption and contagion. Economies of scale in the financial sector have generated tremendous efficiency gains, resulting in substantial industry-wide cost savings. However, these advances have also reduced the number of critical service providers, which essentially spreads the risk to a larger number of vendors and participants. Meanwhile, greater automation and continuous advances in IT systems have increased reliance on technology and accelerated the speed at which the impact of a disruptive event can spread. Increased interconnectedness between IT systems of financial institutions and third parties has increased the threat penetration surface and has further heightened the potential for contagion.
Q. When you say business resilience is under threat, can you clarify what you mean by business resilience? Is this about cyber hacks mostly or other threats?
A. DTCC defines business resilience as an organization’s ability to safeguard its critical business services against the threat of potentially disruptive events, regardless of their nature. These events include cyber-attacks but also may be due to issues related to technology, operational issues or financial events, and the disruptions may originate internally or externally. Business resilience is about planning and executing a company-wide strategy to reduce the probability of disruptive events, as well as their impact.
Given the high degree of automation and the associated reliance on IT systems within the industry, technology resilience is a key element of business resilience. The rapid pace of change in technological development further reinforces the need to continuously augment technology resilience capabilities to safeguard critical business services. Legacy technology, while still used by many financial firms to support some key processes, may not be optimized to perform the more advanced functionalities necessary to keep up with evolving business demands. At the same time, many resiliency plans were built to account for physical disruptions and may not fully address the risks we face today. As a result, it is important that firms view business resilience holistically across all services, evaluating risk and developing operational plans to mitigate the risk and recover quickly.
Q. Looking at your proposed holistic strategy, how is this new strategy different from disaster recovery and business continuity management? What should a new strategy look like and entail?
A. Disaster recovery is generally focused on a single, specific event, and the complex types of threats that may disrupt today’s interconnected markets demand that organizations develop a holistic approach to resilience that focuses on the continued, end-to-end provision of critical business services, rather than solely focusing on individual processes or operations on their own. Enhancing business resilience is a comprehensive undertaking that considers key dependencies and potential vulnerabilities to ensure that resilience-enhancing initiatives are based on a thorough understanding of critical business services, including an end-to-end analysis of critical business services assessing regulatory requirements, client activities, dependencies on third parties and other touchpoints with all internal and external parties that use or contribute to the service being provided. This review must also consider a wide array of operational, technical and financial risks and their impacts, in conjunction with concentration risk, and extend to all critical business services across geographies, regardless of functional and departmental boundaries.
From an organizational point of view, incorporating resilience from the ground up into every stage of the development of new products and services requires greater business ownership and accountability, as well as the development of a corporate culture and mindset that prioritizes resilience.
Q. What are the core principles and supporting guidelines that DTCC uses and you recommend for others?
A. At DTCC, we believe that the most effective implementation approach is a federated model organized around a Business Resilience Center of Excellence. The primary benefit of this model is that it facilitates pragmatic, rapid deployment that leverages existing resilience-related activities. DTCC’s Technology Modernization Initiative includes a key requirement to embed resilience from the inception phase of the new business development process.
The model also centralizes talent and expertise firm-wide to ensure that best practices are applied consistently across business lines.
[See the white paper for more information on all 6 principles identified in the paper.]
Q. What should our readers focus on now to build their business resilience? Any calls to action or predictions for 2020?
A. In today’s threat environment, firms cannot focus exclusively on strengthening their defensive capabilities to avoid a disruption from materializing. Instead, they must complement their defense efforts by developing additional strategies to recover quickly from disruptive events and minimize their impact. Financial institutions should adopt an all-encompassing approach to resilience that addresses disruptive threats holistically, regardless of their nature or origin and may require new levels of collaboration with clients and peers. It is also essential that firms build a culture and mindset centered around resilience, by encouraging employees to challenge the status quo as a way to address weaknesses and mitigate risks.