Managing Operational Risk And Outsourcing In Financial Services
Recent episodes such as the CrowdStrike outage of summer 2024 highlight that financial entities need to better understand and manage their interdependencies, the author of this article argues. These commentaries are part of this news service's 12th Technology and Operations In Wealth Management Research Report.
The following article is part of the 12th WealthBriefing Technology and Operations in Wealth Management Research Report. It is written by Chris Martin, a partner in Alpha Financial Markets Consulting’s regulatory compliance and risk practice.
For financial institutions, robust operational risk management is
not merely a regulatory obligation but essential for maintaining
customer trust and compliance. The results of the 12th Annual
Technology and Operations Report 2024 illustrate a growing
adoption of comprehensive risk management frameworks among
financial firms, aimed at identifying and addressing risks
including data security threats and compliance challenges.
Recent events such as the CrowdStrike incident exposed
vulnerabilities in the system and emphasised the need for
financial entities to better understand, oversee and manage their
supply chains and their interdependencies. They also emphasised
the need for firms to holistically enhance the resilience of
their information and communication technology (ICT) assets and
vendors to address wider risks.
These risks include areas such as cyber threats, poorly managed
ICT projects and change management as well as capacity and
performance management issues. To protect consumers, firms and
the wider market, the industry requires a moment of reflection
that should be followed by a targeted effort to uplift risk and
resilience activities from being mere processes to being
impactful behaviours.
Understanding operational risk
Within the report, we saw that fund managers exhibited the
highest confidence in operational risk management (score of 6.5),
while wealth managers and asset managers reported lower scores of
5.38 and 5.14 respectively. This trend highlights significant
concerns about operational risk management proficiency,
particularly among asset managers. Cybersecurity approaches also
showed variance, with asset managers at a score of 5.14, and
single-family offices trailing at 4.5.
Alpha notes that while technology can enhance operational
resilience, an over-reliance on technology can itself introduce
new risks, particularly related to critical systems such as order
management platforms.
The European Union’s Digital Operational Resilience Act (DORA)
mandates enhancing risk management frameworks to address reliance
on information and communication technology (ICT) assets, further
emphasising the intertwining of operational and technological
risks in finance.
Exploring the landscape of outsourced services
Outsourcing has become a prevalent strategy among wealth firms
for reducing costs and leveraging specialist expertise.
The survey indicates a trend towards outsourcing non-core
services, such as fund administration, which significantly boosts
operational efficiency and productivity. However, not all
outsourcing approaches are suitable; firms must carefully assess
their risk tolerance and capacity for oversight concerning
third-party risks.
The 12th Annual Technology and Operations Report showed
that fund managers are leading in outsourcing practices,
while wealth and asset managers achieved scores of 4.72 and 5,
respectively, indicating widespread acceptance of outsourcing
while necessitating vigilant risk management.
Regulatory frameworks such as DORA and the Central Bank of
Ireland's (CBI) regulations highlight the operational risks tied
to third-party providers, particularly ICT services. The sudden
unavailability of outsourced providers can disrupt critical
operations, necessitating stringent contract provisions for
audits, performance metrics, and monitoring of key performance
indicators (KPIs) and key risk indicators (KRIs).
Conclusion
In essence, operational risk and outsourcing are fundamentally
intertwined in today’s financial environment. Firms following
best practice are those that adopt a proactive approach through
robust, cross-border resilience programmes. Such programmes can
enable the firm to strategically balance the benefits of both
technology and outsourced providers against the inherent risks to
the firm. Firms should ensure that they meet the relevant
resilience regulatory requirements that may apply to them before
embedding resilience processes and procedures more widely
throughout their organisation, thus fostering a culture of
resilience and retrospection.
About the author
Chris Martin, a partner in Alpha’s regulatory compliance and
risk practice, has over 16 years’ experience. Prior to joining
Alpha, he served in roles in consulting as a UK head of
compliance and spent four years in asset and wealth
management supervision at the FSA/FCA. Martin has expertise
across compliance, risk and regulation and leads Alpha’s
Financial Crime and Consumer Duty propositions in the UK.