On March 31, 2022, banking authorities in the United Kingdom began enforcing new regulations on operational resiliency that require senior management of banks and insurers to demonstrate their ability to provide important business services and functions in the event of an incident. The goals are to protect consumers and markets from disruption and better prepare financial firms to prevent, adapt, respond to, and recover from it.
Firms are now in a transitional period until March 31, 2025. During this time, they must self-assess and document their ability to consistently operate within “impact tolerances,” defined as “the point at which disruption would cause intolerable harm to consumers or risk to market integrity.”
This self-assessment is no small task. Firms are required to document the people, processes, technology, facilities, and information that support their important business services, including interdependencies on, or work outsourced to, third parties, such as cloud service providers. Firms must also test and document their ability to provide services for a range of scenarios. And to hold firms accountable, the regulation makes board members and senior management directly responsible for mapping and scenario testing, as well as overall compliance.
U.K. banks are not the only firms subject to this new regulatory burden. Financial sector firms in the European Union and United States have similar resiliency regulations. The E.U.’s Digital Operational Resilience Act (DORA), in effect since January 17, 2023, includes detailed and comprehensive rules on risk management, systems testing, management of third-party service providers, and incident reporting. Firms must demonstrate compliance by January 2025.
In the U.S., the Federal Reserve Board and other banking regulators issued guidance on Sound Practices to Strengthen Operational Resilience, which address operational risk management, business continuity management, third-party risk management, cybersecurity risk management, and recovery and resolution planning. Similar to the U.K. rule, U.S. firms must define their “tolerance for disruption,” align to standards for cybersecurity risk, and notify regulators when an incident may disrupt or degrade a firm’s ability to carry out operations.
But process complexity and a lack of visibility across business services are making operational resiliency and compliance with new resiliency regulations difficult
The reality is, banks are no longer modest depositories, and operations are anything but simple. Today’s banks provide a wide range of products and services that extend across departments, institutions, and geographies, and are powered by any combination of bespoke applications, commercial off-the-shelf software, aging legacy systems, software-as-a-service, third-party data and services, and human task work. The integrations and interdependencies within these complex operations are not always apparent, which makes mapping them from end to end incredibly difficult.
Banking leaders that cannot map their important business processes will be unable to accurately identify and test for vulnerabilities to those processes. They risk being incapable of anticipating, preventing, or correcting for them in the event of a disruption. In other words, they risk noncompliance and potential fines, censure, and suspension as a result. That’s why a 360-degree view into your business systems is critical, as is the ability to understand the context of each business process in relation to your other important business functions and how it all affects your operational resilience.
Smart firms are taking advantage of process orchestration to improve compliance and operational resilience
“Don’t just look at regulatory compliance as an imperative – look at it as a strategic opportunity to differentiate your firm; to invest in serving customers, stakeholders, and markets better and more efficiently.” Daniel Meyer, Camunda CTO
Banking leaders need to remember that at the heart of these new regulations is the ability for firms to maintain consistent services and operations, even during major and minor disruptions. “That’s what process orchestration helps you do,” explains Camunda’s Chief Technology Officer, Daniel Meyer. “It allows you to automate your workflows across people, systems, and devices – even for complex operational processes or processes that trigger in response to events.”
Process orchestration can help firms improve workflows and the resiliency of those workflows across their organization. It also helps align business and IT teams on the people, processes, and systems required to maintain operational resilience.
Banking leaders recognize process orchestration as an important component to building operational resilience and are strategically applying it in the following ways:
- Improving 360-degree visibility and mapping of important business services
  - Process standardization and documentation: Taking advantage of BPMN modeling tools to standardize and document important business processes and interdependencies, so business and IT teams have a holistic view into all stages of work and the context of that work in relation to other important business processes. This approach helps ensure that operations are consistent and efficient, reducing the risk of errors and disruptions.
- Testing impact tolerance for a range of scenarios
  - Building test scenarios to identify risks: Building, testing, and documenting scenarios for existing or planned processes to identify the risks and “intolerable levels of harm” unique to each firm.
  - Building test scenarios to illustrate impact tolerance: Building, testing, and documenting scenarios that illustrate the impact tolerance unique to each firm.
  - Improving processes and re-testing: Using agile tools to collaboratively and iteratively test and address vulnerabilities identified in test scenarios, modify existing processes, design new processes, and re-test scenarios.
- Applying real-time alerts
  - Identifying incidents or potential incidents: Customizing processes to alert senior management of a potential or actual disruption.
  - Reminders for reporting: Customizing processes to remind senior management to update mapping and testing annually or when processes and interdependencies change.
- Efficiently controlling complex work from end to end
  - Orchestrating and executing work: Logically orchestrating and executing multiple process endpoints from end to end, including work that involves both human and automated tasks.
  - Scaling work: Coordinating and scaling tasks, systems, and important business services for high-volume transactions, transaction spikes, and redundant operations.
  - Continually monitoring and improving work: Using granular reporting to review disparate process automation activities in one centralized place, and identify opportunities for improvement.
Camunda helps banks simplify compliance and be more operationally resilient
Under these new regulations, banks need to identify and respond quickly to incidents. Camunda helps banking leaders improve operational resiliency with capabilities that include:
- A 360-degree view to identify important business services, understand the context in which they operate, and monitor their health in real time
- Heat maps to visualize and evaluate process performance
- Developer-friendly open architecture that makes it easy to build, implement, and modify testing scenarios and processes, so you can develop the solutions you need faster
- Support of BPMN and DMN modeling standards to help business and IT teams collaborate more effectively
- Process orchestration that can automate complex workflows from event streams, legacy systems, third-party integrations, and human tasks
- Cloud-native workflow engine that can handle concurrent, high-volume, business-critical work
Ultimately, the new regulations can be viewed as a mandated cost, or they can become the driving force to accelerate and modernize how you do business. “Don’t just look at regulatory compliance as an imperative,” advises Daniel; “… look at it as a strategic opportunity to differentiate your firm; to invest in serving customers, stakeholders, and markets better and more efficiently.”
Learn how Camunda can help your business
Clients are integrating Camunda with legacy systems to help prioritize areas for modernization and iteratively update processes that may jeopardize resiliency. They are also using Camunda’s process orchestration capabilities on a wider scale across the enterprise to reduce risk, improve accuracy of work, provide seamless customer experiences, and streamline product development – boosting their cost-effectiveness and speeding time to market.
Visit our financial services page to learn how Camunda’s process orchestration capabilities can help you be more resilient, and learn more about why process orchestration plays a key role in implementing complex compliance initiatives such as T+1 migration.