Note: Cognitive GRC provides services mainly to regulated firms in Hong Kong that provide services to institutional and professional investors only. We work with international service providers to deliver a global service for firms located in Hong Kong. The following topics are raised as part of regular updates we provide to our clients during the year to assist with business planning and should not be considered legal advice. We work with leading service providers to deliver holistic solutions in areas where we have developed unique symbiotic relationships but please note that some of the content below links to other websites and we are not responsible for the content or security of those external sites. Please contact your adviser in relation to any matters raised in this discussion and obtain legal advice where necessary.
Operational Resilience SFC Firms
With legacy COVID management issues in Asia continuing to impact business, inflation acceleration, heightened political risks, and ongoing operational challenges, it is not surprising that the global regulatory collective is focusing hard on operational resilience. In Hong Kong, as with other jurisdictions, we have been recently peppered with updates on expectations about operational robustness, emphasised by locational and travel concerns.
While looking at the usual micro-continuity issues on resilience (Environment, Data, Cyber, and Vendor), it is also worth checking in on some of the macro strategy issues that are being discussed on the global stage (see “Davos - what just happened - 9 things to know”, World Economic Forum, May 2022) that have relevance to continuity.
Following up on our update on Operational Resilience (Part 1) in January, where we went through the immediate concerns, we have produced a follow-up discussion paper to help address the broader set of concerns that firms should consider. We thought that focusing on disasters that have just happened is only half the discussion.
Across the board, owners and senior management are making sure they are prepared for a broader range of circumstances that may occur given the changes in the landscape.
While there are lots of potential icebergs, being prepared for the worst case and maintaining an understanding of wind-down scenarios and processes will help avoid the majority of the adverse outcomes that could otherwise come to pass.
Maintaining appropriate resources to ensure an orderly business exit has always been part of the obligations that senior management share with the owners of a regulated business. While COVID seems to have revealed an absence of preparation for some (we are assuming that this was why the SFC issued its reminder on funding and exit plans in March 2022), IOSCO (International Organisation of Securities Commissions), and indeed the majority of its members, have been refocusing attention on these pre-existing existential requirements for some time. It is worth taking a look.
Over the last couple of years, various international regulators (e.g. MAS, FCA, EU, SEC) have engaged in operational resilience initiatives. The FCA has been speaking about living wills and risk tolerances for a couple of years now, but has always had an exit plan awareness requirement under capital adequacy (at least since capital adequacy in Europe was a thing) to ensure firms maintained resources and plans to cover orderly wind-downs. If you are not too big to fail, the regulator tolerates your existence as long as you can wind your business down in an orderly manner. As such, wind-down plan testing is probably one of the most important desk-based tests that firms can do, given it is the ultimate conclusion to a lot of the scenarios that firms might consider as being of potential concern.
Our standard documentation, policies and procedures have always been skewed towards managing the broader resiliency risks as they arise (or at least more than just the bare minimum), but there has been tremendous development in the continuity industry. Indeed, we have witnessed the industry bifurcate repeatedly into distinct sub-categories, each associated with the distinctive risks it represents (Data, Cyber, Security, Fraud). We wanted to kick the tires on the standard policies to see if we could help our clients calibrate them to the new perspective, which looks at the vectors by which those risks can approach.
COVID and political dynamics have heightened attention to resilience and redundancy, which have amplified cybercrime and data loss risks. The risks associated with these sub-categories of continuity scenarios are exacerbated with the coming of age of fully outsourced business models and as such the responses need to be adjusted.
Cloud and Software as a Service models have created a renewed perspective on the traditional continuity landscape and require recognition of, and urgency in adapting to, existing but slightly different existential threat profiles. While IOSCO believes markets have done well to weather the pandemic, there are new risk vectors to consider as a result (a risk vector here meaning the same risk but coming from a different angle; see the IOSCO paper on operational resilience, January 2022).
While we don't like to consider ourselves an outsourced solution, in this case we have tried to outsource our clients' thinking by producing a thorough consideration of the universe of threats and how they may interact with each other, in order to consider whether we were collectively missing anything that firms should be taking into account and planning for.
It is designed to keep clients ahead of their peers while also closing off any long-standing items that may not have been given the attention they deserve due to limited and stretched resources, by reconsolidating the control processes that have recently diverged as focus has expanded on each respective area (i.e., Data Security, Cybersecurity, Business Continuity, Fraud Risk, etc.).
Clients may refer to their Datasite account for our White Paper on Operational Resilience Parts 1 and 2, and an updated suite of policy documents and regulatory worksheets. You may not even need to update your policies if they cover all the relevant issues to your satisfaction, but we hope that you will compare your workings with ours and be able to confirm that you have, thereby completing an in-depth review of these issues to the extent expected by recent reminders. In our first paper we covered the basic expectations. We have now collated a universe of potential threats, and the various circulars and guides that have been issued over the last few years in this area, for your consideration and review.
Our updated Business Continuity and Resiliency Plans incorporate a consolidated approach to existential, data, cyber and vendor crisis responses. We will also be working on getting feedback from key vendors on our refreshed approach to ensure it resonates with theirs.
Whether you have separate vendors supporting you on these different sub-categories of risk or not (Threat intelligence, Data, Infrastructure, Security), we hope to facilitate an integrated governance led solution that will ensure efficient consideration of the topics that regulators are asking (or will be asking) firms to address while providing a one stop (and therefore manageable) solution to help firms deal with whatever may occur.
Some may argue that it is better to keep the different processes separate, and for sophisticated technology-led solutions this is probably true, but there is still value in taking a step back to look at the overall resiliency plan to ensure that it is fit for purpose and covers the key risks for you.
We are acutely aware that the operational risk bandwidth of our clients has been heavily absorbed in 2020-22 by COVID and its implications, but as requested by the SFC of our clients, we have sought to find enhancements to the resiliency platforms using a broader brush. Simply focusing updates on COVID felt too much like busy work and after the fact. If there is one singular project to spend a little time on, other than Climate/ESG, then this would be the one we would recommend, as it covers a multitude of items (potential sins) that might otherwise take a long time to close out, and it will capture a major part of the recent updates coming from multiple regulators (many, many, many birds - multiverse of stones).
The core solution is simple: in order to manage these diverse topics effectively, the various processes need to be simple enough to follow should an event occur, and while we can't prepare for every instance, we need to have an adaptable plan that works for most.
Clients can access resources on our data repository on Datasite. Designed for boutique firms but applicable to firms of all shapes, sizes and geographic locations, our updated resources let you benchmark your overall continuity processes.
Alternatively, please reach out to request access to our resources here.