On 11 July 2022, the International Organization of Securities Commissions (IOSCO) published a final report on the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic & lessons for future disruptions.
In the report, IOSCO summarizes some of the existing operational resilience work by IOSCO and other international organizations and outlines how the pandemic impacted regulated entities. IOSCO also examines key operational risks and challenges that regulated entities faced during the pandemic and provides additional observations and lessons learned from the pandemic.
In summary, IOSCO sets out the following lessons learned on operational resilience during the pandemic:
- Operational resilience means more than just technological solutions – the operational resilience of a regulated entity depends as much on the regulated entity’s processes, premises and personnel as its technology when faced with a significant disruption.
- Consider dependencies and interconnectivity – it is important to consider full business processes and all dependencies and interconnections before and after a disruption in order to adequately assess potential risks and changes to controls. Critical to this is consideration of the role of service providers and off-shore services, whether intra-group or third parties.
- Review, update and test business continuity plans (BCP) – it is important to review BCP (including scenario planning) and consider whether updates are appropriate to reflect lessons learned from the pandemic. For example, pre-pandemic operations may not be restored for a prolonged period, a disruption may impact all or multiple locations at the same time, and it may be appropriate to test a broad range of scenarios (even those that are unlikely). The pandemic highlighted the importance of communication channels between regulators, key authorities, regulated entities, and third-party service providers to help understand any impacts on operational resilience.
- Effective governance frameworks – the pandemic highlighted the importance of an entity’s effective governance framework to facilitate and support operational resilience due to potentially novel and fast-paced situations or changes that might arise. Decisions made under pressure may need to be revisited and tested if they impact the business beyond the period of disruption.
- Compliance and supervisory processes – greater automation and less dependence on physical documents and manual processes by regulated entities may better accommodate a remote workforce. A review of monitoring and supervision arrangements by regulated entities for remote workforces may be appropriate to help ensure continued effectiveness in a remote or hybrid environment.
- Information security risk – decentralized and remote work may increase the importance of monitoring processes to help ensure information security, and in particular, to prevent cyber-attacks.