Resilience, the ability of a firm to rapidly restore its business operations from material operational incidents, is at the front of financial authorities’ agendas. As firms continue to develop and implement their resilience strategies, organizations gain a greater understanding of the potential impacts created by operational incidents and the potential options to deliver sufficient capabilities until the incident is successfully resolved. To learn more about what firms identify as the top risks to resilience today, we recently conducted a LinkedIn poll to gather insights, asking respondents to select what they believed was the top threat to firms’ resilience: 1) the interconnectedness of the financial services ecosystem, 2) third-party provider risks, 3) the adoption of new technology and 4) internal risk.
Largest Risk to Firms
The results indicated that the Adoption of New Technology was the largest risk to firms’ resilience, with 35% of respondents selecting it as the top risk. Firms continue to adopt new technologies to deliver financial products and services that improve efficiency, optimize growth, and reduce financial costs. While the benefits of implementing new technologies can positively transform the way the financial services sector operates, it is imperative that the technological and operational risks inherent in these changes are understood, that current frameworks and controls to manage these risks are leveraged, and that standards and guidance are developed to address new risks. It is critical that financial institutions employ risk and resilience controls that are, at a minimum, equal to current risk management capabilities. This may include the use of advanced intrusion detection systems and threat hunting.

Third-Party Provider Risks
The second-ranked risk was Third-Party Provider risks at 26%. As firms continue to move their digital transformations forward, third parties and other supply chain partners are increasingly being leveraged as part of the solution. However, commonly used third-party providers within the financial services sector may create concentration risk, where incidents can impact several firms simultaneously or increase the surface area where an individual firm can have its operations impacted. Firms and financial authorities continue to review current rules and guidance governing third-party risks to identify where enhancements may be needed. As an example, the FSB is currently developing a toolkit for firms and authorities to enhance their approach to third-party risk management. In general, firms must ensure they are conducting due diligence and oversight of all critical third-party providers.
Interconnectedness
Interconnectedness risk was the third-ranked risk at 21%. Interconnectedness represents one of the opaque risks faced by firms because there is no true facility to understand the pervasiveness of this risk. While a firm can understand its connective tissue to its own clients and third parties, it likely has limited visibility into the extended supply chain, for example, 4th and 5th parties, and no visibility into whether another firm may be using that same provider. Also, while financial authorities may have visibility into the third parties used by their covered entities, this only represents a subset of firms. At the same time, defining when a concentration is severe and how it should be addressed is yet another challenge. Third-party registers, such as those outlined by the European Banking Authority Outsourcing Guidelines and European Union Digital Operational Resilience Act, may provide greater insights into potential interconnected risks as well as serve as a basis for how this risk is best addressed.
Internal Risks
Internal risks finished last in the poll at 15%. Internal risks may occur from the failure of employees to adhere to policies and procedures, lack of training and awareness of certain firm controls, or from a malicious insider. To address this risk, it is important that firms enhance security and resilience so that employees are provided the training necessary to complete their roles. Further, firms must review their internal policies and standards to ensure they evolve to meet business and employee needs. Insider Risk Programs are an emerging risk management practice and one that should be considered by all firms. While much attention is rightfully placed on external threat actors, it is important to consider those threats that may already have access to information systems.
As the industry moves forward and increases its focus on bolstering and enhancing resilience, firms must thoroughly understand how business operations are evolving and how these evolutions impact resilience strategies. This includes, but is not limited to, evaluating how organizations adopt and integrate new technology, reviewing partnerships with third parties and clients, assessing potential concentrations with critical third parties, determining how to operate if there is a loss of a third-party service, and ensuring internal risk is effectively managed through training programs, monitoring and controls. Ultimately, resilience is a journey, not a destination. Firms must consistently plan, build and test their approach. Doing so will protect firms, their clients, and the broader financial services ecosystem.











