Reviewing regulatory expectations and driving resilience of supply chains

Sundeep Gupta, Associate Partner, PA Consulting

Below is an insight into what can be expected from Sundeep’s session at Vendor & Third Party Risk Europe 2023.

The views and opinions expressed in this article are those of the thought leader as an individual, and are not attributed to CeFPro or any particular organization.

How can we identify important businesses and systems within the supply chain? Can you share any examples of what these could be?

In March 2021, new operational resilience policies were published by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). These policies stress the importance of identifying and maintaining important business services that are essential to operational resilience and preventing consumer harm. Firms were required to identify important business services and impact tolerances by March 31, 2022, and must have undertaken mapping and scenario testing to the level of sophistication required to support this, while also identifying any vulnerabilities.

Similar to historic BIAs, firms should have taken the opportunity to map the third-party services for important business services.

As part of the mapping exercise, categorising, assessing and tiering suppliers based on their importance would be an important step. This could be further augmented by a range of risk and control assessments that detail any operational, financial, or reputational risks – this is often undertaken using questionnaires, audits, or site visits.

Typical examples of important businesses and systems within the supply chain of a financial services firm may include:

  • Payment processors: Payment processors provide the infrastructure necessary to process transactions and are typically given a high criticality rating.
  • IT service providers: IT service providers provide critical IT infrastructure and support, such as data centres, network connectivity, and software applications.

How can we use scenario testing to reflect emerging risks within supply chain resilience?

Supply chain resilience is the ability of a supply chain to withstand and recover from disruptions. This includes those caused by emerging risks such as pandemics, cyber-attacks, natural disasters, geopolitical tensions, and others.

Scenario testing is an effective strategy to evaluate a firm’s ability to respond to and recover from disruption in its supply chains. By simulating real-world situations, recent near misses, ransomware examples, transportation delays, unexpected supplier insolvency, or cybersecurity breaches, firms can identify areas of vulnerability that require improvement. It is not atypical to regularly observe concentration risk, poor crisis communication, unstructured collaboration with suppliers, and inefficiencies in adapting to change and responding to new threat actors.

UK regulators have also expressed that firms are expected to consider what happens when multiple services fail at once, as this has a compounding effect on the failure of the rest of their operations. On this topic, firms should also identify services that are shared across different geographies and functions. A successful testing regime will require firm and supplier engagement, time, and delivery resources.

Can you share some insight into the regulatory approach of operational resilience, and how this impacts supply chains?

Operational resilience is the ability of firms, financial market infrastructures, and the financial sector to prevent, adapt, respond to, recover, and learn from operational disruption. As suppliers often provide critical elements of services such as applications, infrastructure, or processing activities to financial organizations, they need to be appropriately resilient as well. Furthermore, as suppliers will have their own vendors that provide services to them (called 4th / nth parties), this responsibility of operating in a resilient manner is passed all the way down the supply chain. This is imperative as the breakdown of a 4th / nth party could stop the operations of a third party, which in turn would cause a financial organisation to struggle to operate.

The FCA’s Suman Ziaullah was clear that firms who are unable to understand the vulnerabilities across the value chains of their important business services have a “clear indicator that you may not be able to remain within your impact tolerances.” So, firms should engage with suppliers and partners beyond a rudimentary review of contractual documentation to ensure they are adequately considering dependencies.

Intragroup arrangements present a cultural and historic challenge that will require redress following years of informal arrangements. In some cases, non-UK headquartered firms have had trouble engaging with the UK requirements, resulting in delays and a lack of progress. UK leaders must receive appropriate reporting and demonstrate influence and control over intragroup arrangements, including assessing operational resilience impacts when parent bodies look to make significant changes.