On 13 January 2022, the International Organization of Securities Commissions (IOSCO) issued a consultation report seeking feedback on the lessons learned regarding the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic.

The consultation report concludes that these regulated entities largely proved to be operationally resilient and continued to serve their clients and the broader economy, despite unprecedented challenges, such as the restrictions on mobility and business operations and periods of extreme market volatility and record trading volumes. But the report also notes that the pandemic has highlighted opportunities to learn lessons on how to further improve regulated entities’ operational resilience.

The report sets out certain observations and identifies lessons learned from the pandemic to help inform regulated entities’ future operational resilience arrangements:

• Operational resilience means more than just technological solutions; it also depends on the regulated entity’s processes, premises and personnel.
• Consider dependencies and interconnectivity before and after a disruption to adequately assess potential risks and changes to controls, especially for service providers and off-shore services.
• Review, update and test business continuity plans to ensure they reflect lessons learned from the pandemic, such as the prolonged nature of the crisis and its impact on multiple locations, as well as the implication of remote/hybrid working.
• An effective governance framework facilitates and supports operational resilience during novel or unexpected situations.
• Compliance and supervisory processes with greater automation and less dependence on physical documents and manual processes may better accommodate a remote workforce. A review of monitoring and supervision arrangements by regulated entities for remote workforces may be appropriate to help ensure continued effectiveness in a remote or hybrid environment.
• Information security risk – Decentralized and remote work may increase the importance of monitoring processes to help ensure information security and prevent cyber-attacks.

The deadline for comments on the consultation report is 14 March 2022.