The Board of the International Organization of Securities Commissions (IOSCO) today published a report that describes the impact of the COVID-19 pandemic on the operations of trading venues and market intermediaries and concludes that these regulated entities largely proved to be operationally resilient.
The report emphasizes that the regulated entities continued to serve their clients and the broader economy during the pandemic, despite unprecedented challenges, such as the restrictions on mobility and business operations and periods of extreme market volatility and record trading volumes.
The pandemic also increased cyber security risks, accelerated the use of existing, new and emerging technologies and disrupted some outsourcing arrangements.
In the report, IOSCO defines operational resilience as the ability of a regulated entity to deliver critical operations through a disruption, consistent with other international definitions. The existing IOSCO operational resilience principles, recommendations and guidance provide the core structure for regulated entities and regulators when considering operational resilience, and the findings in this report suggest this framework has worked well.
However, the pandemic has also highlighted opportunities for regulated entities to learn how to improve their operational resilience. The report therefore sets out some observations and identifies lessons learned from how regulated entities responded during the pandemic to help inform future operational resilience arrangements including:
(a) Operational resilience means more than just technological solutions; it also depends on the regulated entity’s processes, premises and personnel;
(b) Consider dependencies and interconnectivity before and after a disruption to adequately assess potential risks and changes to controls, especially for service providers and off-shore services;
(c) Review, update and test business continuity plans to ensure they reflect lessons learned from the pandemic, such as the prolonged nature of the crisis and its impact on multiple locations, as well as the implication of remote/hybrid working and the importance of communication channels between regulators, key authorities, regulated entities and third-party service providers to help understand any impacts on operational resilience;
(d) An effective governance framework facilitates and supports operational resilience during novel or unexpected situations;
(e) Compliance and supervisory processes with greater automation and less dependence on physical documents and manual processes may better accommodate a remote workforce. A review of monitoring and supervision arrangements by regulated entities for remote workforces may be appropriate to help ensure continued effectiveness in a remote or hybrid environment; and
(f) Information security risk: Decentralized and remote work may increase the importance of monitoring processes to help ensure information security and prevent cyber-attacks.
IOSCO published the consultation report on operational resilience before the conflict in Ukraine began. Recent geopolitical tensions, disruptions to supply chains and energy shortages have challenged the operational resilience of trading venues and market intermediaries. In particular, financial and commodity markets have been volatile and cyber risks have increased. The situation will likely evolve further, highlighting the ongoing importance of operational resilience and maintaining an adaptable approach to operational resilience. The observations and lessons learned in this report should also be relevant to new scenarios, particularly the importance of reviewing, updating and testing business continuity plans, information security risks and maintaining good communication channels between regulators, authorities, regulated entities and third-party service providers to help understand any impact on operational resilience.