Bank of England sounds warning to banks over operational resilience

The UK's banks have been given a three-year deadline to build up their resilience to major disruptions to their business operations, with a keen focus on technology as both an enabler and a risk factor. The deadline was imposed following a spate of IT outages across the sector over the past two years.

Duncan Mackinnon, executive director for supervisory risk at the central bank says: "Many firms have further work to do to set impact tolerances to safety and soundness and financial stability. And it is important that boards and senior management engage closely on operational resilience to ensure this work gets done."

As an example, he cites widely varying response to an initial assessment exercise set by the central bank as part of its probe into bank stability.

"Where firms have set tolerances, there has often been a wide range of tolerances across different firms providing the same service," he says. "For example, Chaps payments impact tolerances for safety and soundness varied across some firms from two days to two weeks. We expect to have challenging conversations over the coming months on these variances. Firms will have to justify how they came to the conclusions they have, and demonstrate that the tolerance they have set will protect safety and soundness and financial stability."

Other important issues that firms need to address include building additional data centres for backup and recovery, reviewing and adapting outsourcing arrangements, and re-architecting or replacing legacy systems which have remained critical to the delivery of services despite their obsolescence

"We acknowledge these things are not easy. They will take time," says Mackinnon. "Firms should use the time they have now to address vulnerabilities and build capabilities. The longer firms take to map to the required level of sophistication and to run robust scenario tests, the shorter the period they will have to address their vulnerabilities and build resilience."