The Board of the International Organization of Securities Commissions (IOSCO) has published a report that describes the impact of the COVID-19 pandemic on the operations of trading venues and market intermediaries and concludes that these regulated entities largely proved to be operationally resilient.
Definition of operational resilience
In the report, IOSCO defines operational resilience as the ability of a regulated entity to deliver critical operations through a disruption, which it says is consistent with other international definitions. The existing IOSCO operational resilience principles, recommendations and guidance provide the core structure for regulated entities and regulators when considering operational resilience, and the findings in this report suggest this framework has worked well.
Opportunities for operational resilience improvement
However, the pandemic has also highlighted opportunities for regulated entities to learn how to improve their operational resilience. The report therefore sets out some observations and identifies lessons learned from how regulated entities responded during the pandemic to help inform future operational resilience arrangements including:
- Operational resilience means more than just technological solutions; it also depends on the regulated entity’s processes, premises and personnel;
- Consider dependencies and interconnectivity before and after a disruption to adequately assess potential risks and changes to controls, especially for service providers and off-shore services;
- Review, update and test business continuity plans to ensure they reflect lessons learned from the pandemic, such as the prolonged nature of the crisis and its impact on multiple locations, as well as the implication of remote/hybrid working and the importance of communication channels between regulators, key authorities, regulated entities and third-party service providers to help understand any impacts on operational resilience;
- An effective governance framework facilitates and supports operational resilience during novel or unexpected situations;
- Compliance and supervisory processes with greater automation and less dependence on physical documents and manual processes may better accommodate a remote workforce. A review of monitoring and supervision arrangements by regulated entities for remote workforces may be appropriate to help ensure continued effectiveness in a remote or hybrid environment; and
- Information security risks: decentralized and remote work may increase the importance of monitoring processes to help ensure information security and prevent cyber attacks.