Latest news with #operationalresilience
Yahoo
a day ago
- Business
- Yahoo
PS21/3: Are UK firms really ready?
The Financial Conduct Authority's (FCA) operational resilience rules were introduced three years ago with a clear message: financial firms must be able to withstand disruptions and keep essential services running no matter what happens. On paper, the industry has had plenty of time to prepare. In reality, some firms are still racing against the clock, realising too late that compliance is about more than just paperwork. With only days left, the question remains: who's truly ready, and who's cutting it fine? Operational resilience isn't a new concept, but it has taken on greater urgency in recent years. From cyberattacks and IT failures to third-party outages, financial institutions face increasing risks that can bring services to a halt. Customers expect 24/7 access to their money; businesses need smooth payment flows; and regulators are watching closely. PS21/3 was introduced to make sure firms aren't just reacting to disruptions, they're prepared in advance. Yet, as the deadline looms, gaps in resilience planning are becoming more apparent. Some firms have treated compliance as a tick-box exercise, failing to integrate resilience into their broader strategy. Others have struggled with the sheer complexity of mapping critical business services and setting realistic impact tolerances. The FCA has been clear: firms need to justify their decisions with evidence, not assumptions. Simply hoping a competitor can pick up the slack during a disruption isn't enough. Every firm must know exactly how long it can sustain an outage before harm is caused and prove that they can recover within that timeframe. One of the biggest challenges for firms has been managing third-party dependencies. Today's financial ecosystem is deeply interconnected, with banks, payment providers and fintech firms all relying on external vendors for core services. What happens when those vendors fail? The CrowdStrike outage in 2024 was a stark reminder of how dependent financial firms are on third-party providers. Some businesses had contingency plans in place; others found themselves blindsided, unable to function until their suppliers restored service. The FCA has made it clear that firms cannot outsource responsibility for resilience. Even if a third party is delivering a key service, the regulated firm is still accountable for ensuring its stability. For payment providers and e-commerce businesses, this challenge is even greater. Many operate across multiple jurisdictions, juggling various payment rails, processors and alternative payment methods. Ensuring that these providers meet resilience standards and can keep transactions flowing even in times of disruption, is essential. Beyond financial institutions themselves, merchants also have a stake in operational resilience. If a payment provider or acquiring bank fails to meet FCA standards, businesses relying on them could face service outages, lost revenue and customer frustration. Merchants must be proactive in selecting financial partners that take resilience seriously. This means working with payment providers that have robust contingency plans, failover mechanisms and diverse payment routing capabilities. A provider with a single point of failure is a business risk; one that many merchants cannot afford to take. As resilience becomes a key factor in financial partnerships, businesses need to demand transparency from their providers. How do they handle service disruptions? How quickly can they switch to backup systems? What safeguards are in place to keep payments running? These are the questions that should be asked before an outage occurs, not after. With the deadline fast approaching, firms that are still scrambling must prioritise key actions in the coming days. While long-term resilience requires a continuous effort, there are still urgent steps that can be taken to ensure compliance by 31 March: Verify that all important business services have been identified, and impact tolerances are clear. Every service should have a defined maximum tolerable outage time, backed by data. Run final scenario tests. Stress-testing resilience plans under 'severe but plausible' conditions can expose vulnerabilities that need last-minute fixes. Strengthen third-party oversight. Ensure that suppliers have their own resilience frameworks in place, and that they align with FCA expectations. Review and update recovery strategies. Response teams should know exactly what to do when disruptions occur, minimising downtime and customer impact. For firms that planned ahead, this period is about fine-tuning and reinforcing resilience strategies. For those that delayed preparations, it's a race to prove that they can meet regulatory standards, before the FCA starts asking tough questions. While 31 March marks the official compliance deadline, operational resilience isn't a one-time task, it's an ongoing expectation. The FCA has made it clear that financial firms must continue refining their resilience strategies, conducting regular reviews, and adapting to new risks. Beyond regulatory pressure, firms that invest in resilience stand to gain a competitive advantage. Customers trust institutions that can deliver seamless services, even during crises. Payment providers that can guarantee uptime will attract more business. Merchants will prioritise financial partners that won't leave them stranded when disruptions strike. Those who see resilience as more than just a compliance burden, but rather as a core pillar of their operations, will be the ones that emerge stronger in the long run. For financial services, resilience isn't just about surviving disruptions, it's about thriving despite them. Azimkhon Askarov is Co-CEO & Partner at "PS21/3: Are UK firms really ready?" was originally created and published by Electronic Payments International, a GlobalData owned brand. The information on this site has been included in good faith for general informational purposes only. It is not intended to amount to advice on which you should rely, and we give no representation, warranty or guarantee, whether express or implied as to its accuracy or completeness. You must obtain professional or specialist advice before taking, or refraining from, any action on the basis of the content on our site.
Finextra
11-06-2025
- Business
- Finextra
Ensuring operational resilience in 2025 – why the status quo no longer works
0 This content has been created by the Finextra editorial team with inputs from subject matter experts at the funding sponsor. Operational resilience is on all UK payments leaders' minds. In 2024, 95% of business leaders stated that they're aware of operational weaknesses which leave them vulnerable, yet 48% said their organisations aren't doing enough to improve resilience. The European Union (EU)'s Digital Operational Resilience Act (DORA) – having come into effect on 17 January 2025 – is the regulators' push towards improved operational risk incident management across the industry, but how have financial organisations fared when it comes to readiness? What else needs to be done from an infrastructure perspective to achieve greater resilience? Finextra spoke with Rob Reid, technical evangelist at Cockroach Labs, about the company's research on the state of resilience across financial services; how to effectively achieve operational resilience; and what needs to be done to reap benefits that extend beyond mere compliance. How outages turned into the new normal While outages have become common in organisations – Cockroach Labs found organisations experience on average 86 a year – it's major infrastructure blackouts that grabbed the headlines in 2024. The Bank of England reported seven outages to the UK's RTGS (Real-Time Gross Settlement) and Clearing House Automated Payment System (CHAPS) in 2024. Most notably, in July 2024, CHAPS failed and delayed large, time-sensitive payments, which had a substantial impact. With CHAPS usually enabling 200,000 payments a day – with an average daily value of £345 billion – a system shutdown of this scale (245 minutes in fact) resulted in considerable losses. That very same month, the CrowdStrike outage caused global chaos, affecting over 8 million Windows devices. The fallout was immense, with GPs unable to treat patients; hundreds of businesses reporting revenue losses; and planes being grounded globally, leaving travellers stranded in airports. 'Once you've hit rock bottom, the only way is up. And I think we're going to need to see changes,' said Reid, when speaking on the state of operational resilience in financial services. 'The technologies and practices used across the industry aren't keeping up with the needs of modern resilience requirements. Fundamentally, if what we had was working, we wouldn't have DORA.' The state of resilience in light of DORA The EU's DORA officially took effect on 17 January 2025, providing a universal framework designed to enhance information and communication technology (ICT) risk management. 'I am a software engineer with an almost comically low-risk appetite. So, as you can imagine, I've been bemoaning lacklustre operational resilience for many years,' commented Reid. 'DORA is a much-needed wake up call for the industry. I wish we would have had it years ago, because as a software engineer at the coalface, I would have had something to wield.' In order to understand the state of resilience going into 2025, Cockroach Labs surveyed 1,000 senior cloud and technology executives. Alarmingly, the data showed that while 94% of technical executives stated that the CrowdStrike outage encouraged their organisations to reassess their risk management, the operational resilience reality still looks bleak: 93% of leaders are concerned about the financial and organisational impacts of outages; 95% are aware of operational weaknesses that leave them vulnerable; 53% of banking and financial services companies report experiencing service disruptions at least weekly; 20% of respondents describe their organisation as fully prepared for outages; 33% have an organised response approach, and less than a third conduct regular failover testing. Speaking on the results, Reid emphasised: 'Every single person we spoke to reported revenue loss as a result of downtime in the last 12 months. On average, businesses are seeing 86 outages per year, with the average downtime lasting more than three hours. In terms of approaches, this hints at an industry-wide tendency of being reactive to downtime, and I would question whether teams are being given the time, space, and resources required to make meaningful, positive changes in preventing it.' Considering the research was conducted at the end of last year, it is surprising to see how little progress organisations have made toward operational resilience – especially given the DORA deadline. However, considering how much information geared toward DORA readiness has been available, these results show that it might be an issue of agility rather than an issue of understanding. 'Consider DORA from the perspective of a company with aging technology and infrastructure,' commented Reid. 'This all serves to reduce their ability to innovate. They're having to manage all of this potentially archaic infrastructure, let alone react with agility. And it's not only DORA, there is GDPR [General Data Protection Regulation], there is CCPA [California Consumer Privacy Act], and a host of other regulations. Add to that a disaster recovery mindset, necessitated by the presence of primary/secondary architecture, and you've got a perpetuation.' So how can organisations go beyond the minimum requirements of DORA to develop holistic operational resilience strategies? Developing modern resilience strategies For organisations running primary/secondary architecture, failovers and failbacks are key concepts of resilience and disaster recovery. A failover is the process of switching to a backup, secondary system or site when the primary architecture fails – ensuring business continuity – while failback refers to the process of returning to the primary system once the issue is resolved. Reid explained that many organisations are running primary/secondary architectures 'with the hope that things don't go wrong. Because if something goes wrong, they need to fail over, and that is risky. Some businesses never fail back because of the risk associated in failing back to the primary architecture. However, hope is not a strategy. Modern and capable technology must be considered if we are to move beyond the traditional primary/secondary failover mindset, and businesses should be considering technologies that minimise RTO and RPO.' RTO (recovery time objective) is the amount of time that an organisation will be down following an outage, which, according to Reid, should be measured in seconds, not minutes or hours. RPO (recovery point objective) is the amount of data that an organisation loses in an outage. 'And that should be zero,' he argued. 'Let's assume you have a traditional database that you are backing up every hour. That's up to one hour of data that you're going to permanently lose in the event of an outage, simply because you didn't back up more regularly within that time window.' Thinking beyond the primary/secondary architecture approach, self-healing technology is the more modern approach in achieving effective operational resilience. Referring to applications that are capable of detecting, diagnosing, and repairing their own issues without human intervention, self-healing technology – made even more powerful through machine learning and artificial intelligence (AI) – enables organisations to better manage their systems' availability. Crucially, self-healing technology can work both reactively as well as preventatively which, according to Reid, is not just important for systems, but for employees as well. In order to achieve reliable availability, the mindset within organisation needs to start rewarding prevention more than finding solutions to existing issues: 'Do employees get more recognition for putting out fires, or do they get more recognition for preventing fires in the first place? Preventing fires will inevitably be a lot less visible if the reward culture celebrates firefighting,' emphasised Reid. 'Businesses can and should be adopting self-healing and distributed technologies. This places the burden of operational resilience on software instead of people, and that frees people up to innovate.' Operational resilience in 2025 and beyond In 2025, downtime is no longer tenable. Resilience, in its many forms, must be made a priority. A failure to comprehensively overhaul and modernise systems and processes will inevitably incur disruptions. 'DORA is the recognition that the status quo isn't doing enough to keep businesses online, and it should be seen as an opportunity,' finalised Reid. 'DORA will shore up trust in the industry as a whole, and each of those businesses that work within it are going to contribute to that. I have watched organisations reap the benefits of self-healing applications. Modern technology has the potential to completely revolutionise the way we approach operational resilience.' It is now imperative for financial institutions – both banks and regulated, non-bank financial institutions – to ensure business continuity meets organisational needs in an increasingly volatile global environment.
Finextra
10-06-2025
- Business
- Finextra
Compliance, IT resilience, productivity: the case for Digital Employee Experience in finance: By Dominic Mensah
In 2025, the UK Treasury Committee revealed that leading banks and building societies experienced more than a month's worth of IT outages in just two years. These weren't caused by cyber attacks but by internal system failures, exposing a broader weakness in how the IT organization boosts operational resilience. Despite an abundance of performance data, many firms still lack visibility into what really matters: how systems function at the point of use. Without insight into the end-user experience, problems often go undetected until they escalate into serious disruption. Digital Employee Experience (DEX) platforms help close this gap by providing real-time, experience-level data that enables earlier detection, faster resolution, and stronger operational resilience. Traditional endpoint monitoring focuses on metrics such as device availability, and infrastructure health, but these don't tell the full story. Friction at the user level, such as sluggish applications, login failures, or system crashes, often slips under the radar until productivity takes a hit. For traders on the floor, a momentary delay can mean missed market opportunities. But the impact extends across the organization: financial advisers, compliance teams, operations staff, and contact centre agents all rely on fast, stable systems to serve clients, and meet regulatory requirements. When digital devices underperform, the consequences are immediate and widespread. DEX introduces a new layer of observability– illuminating how the health of the endpoint, where employees actually interact with them. This visibility allows IT teams to move from reactive troubleshooting to proactive service delivery. Real use cases for DEX in financial institutions This section explores how DEX is being used to address key operational challenges, from supporting significant digital transformation projects, reducing IT support tickets, and streamlining service desk functions to optimising the digital estate: Enhancing digital transformation projects : DEX platforms are essential for facilitating key digital transformation initiatives, including operating system migrations such as Windows 11, VDI adoptions, and cloud transitions. By harnessing data-driven insights gathered from thousands of endpoints every few seconds, these platforms inform decisions, mitigate risks, and boost efficiency. Their deployment also hastens the realisation of strategic project value. For example, through the optimisation of endpoint management, one financial institution discovered £3.4 million in unused software licences, uncovering a savings opportunity that would allow them to redirect these resources towards high-impact digital transformation investments. : DEX platforms are essential for facilitating key digital transformation initiatives, including operating system migrations such as Windows 11, VDI adoptions, and cloud transitions. By harnessing data-driven insights gathered from thousands of endpoints every few seconds, these platforms inform decisions, mitigate risks, and boost efficiency. Their deployment also hastens the realisation of strategic project value. For example, through the optimisation of endpoint management, one financial institution discovered £3.4 million in unused software licences, uncovering a savings opportunity that would allow them to redirect these resources towards high-impact digital transformation investments. Ticket deflection and service desk efficiency : DEX technologies equipped with self-healing capabilities and AI-assisted tools have significantly enhanced IT service desk operations by automating the resolution of many issues that previously required human intervention. This shift towards automation has led to substantial decreases in ticket volumes across the financial service sector. As a result, IT staff can now allocate more time to strategic tasks, streamlining overall service desk efficiency. For example, one bank with previously high service desk call rates has reported saving approximately £232,000 per year by detecting and resolving technology issues before they impact key personnel. : DEX technologies equipped with self-healing capabilities and AI-assisted tools have significantly enhanced IT service desk operations by automating the resolution of many issues that previously required human intervention. This shift towards automation has led to substantial decreases in ticket volumes across the financial service sector. As a result, IT staff can now allocate more time to strategic tasks, streamlining overall service desk efficiency. For example, one bank with previously high service desk call rates has reported saving approximately £232,000 per year by detecting and resolving technology issues before they impact key personnel. Cost reduction through IT asset optimisation: DEX data supports software licence rationalisation and hardware life extension. This strategic use of endpoint data has led to significant cost savings. For instance, a New York City-based financial institution avoided approximately £7.5 million in unnecessary laptop refreshes by leveraging DEX insights to assess real usage, realising that 91% of its laptops planned for annual refresh did not need replacement based on performance indicators. Endpoint data in transformation and compliance As we have already established, in financial institutions, endpoint data from DEX platforms is pivotal for both transformation projects and compliance. This data offers detailed insights into system performance and user interactions, crucial for orchestrating major initiatives such as operating system upgrades and cloud transitions. It also aids in assessing employee readiness and identifying system-level risks, ensuring smooth implementation and minimal disruption. Further, endpoint data enhances compliance with frameworks such as the Digital Operational Resilience Act (DORA) and the Financial Conduct Authority's (FCA) guidelines, which require a deep analysis of how disruptions impact critical business services. Traditional monitoring systems often fall short in providing the necessary visibility into endpoint-level interactions, a gap filled by DEX platforms. For instance, during a critical system outage, the swift analysis of real-time endpoint data can lead to immediate problem identification and resolution, significantly reducing downtime and the overall impact on operations. By integrating endpoint data into their strategies, financial institutions not only comply with stringent regulatory demands but also strengthen their overall resilience. This capability enables them to manage risks effectively and ensure continuous service delivery, even amid potential disruptions. DEX drives employee productivity and satisfaction DEX data provides strategic advantages for financial institutions by optimising IT asset management and reducing costs through the alignment of device usage with specific job roles. For example, by creating differentiated services and role-based environments for traders, bankers, and agents, an investment management firm used DEX data to prevent potential revenue loss from failed financial trades. Additionally, it significantly enhances employee productivity. According to Deloitte's Human Global Capital 2024 report satisfied employees are approximately twice as productive as their unhappy counterparts. By linking digital experience metrics to productivity and compliance outcomes, DEX insights enable more informed decision-making. With more than 80% of surveyed workers indicating that an enhanced work experience would improve their productivity, the role of DEX in boosting operational efficiency and resilience is undeniable. In summary, experience-level data has evolved from a luxury to a critical necessity for operational resilience and regulatory compliance in financial services. The 2025 findings from the UK Treasury Committee underscore the urgent need for enhanced visibility into how digital services impact user experiences and business outcomes. Financial services leaders must now ensure they have precise insights into user interactions to proactively address digital friction and device degradation that can compromise operations. Endpoint device intelligence represents more than just an enhancement of IT management; it signifies the end of IT as we know it in data-driven operations at financial services firms. This paradigm shift towards proactive service delivery and strategic decision-making is redefining competitive financial operations. As the sector continues to evolve, embracing this data-driven approach will be essential for maintaining compliance and spurring innovation, positioning financial institutions to not only respond to but also anticipate the demands of a rapidly changing market.
