
Operational Resiliency in the Post Pandemic World

By DTCC Connection Staff | 5 minute read | July 13, 2021

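Rachel Tyler, DTCC Executive Director of Business Resiliency, joined a panel of industry experts to discuss the impact of third-party vendors on operational resiliency, changes to business continuity planning and the need for international regulatory and jurisdictional consistency.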

Attendees of the virtual conference included senior technology leaders from the areas of resilience, operational risk and cyber resilience, among others.

DTCC Connection sat down with Tyler to discuss key takeaways from the panel discussion.

DC: Third-party providers are an integral part of the financial services landscape. At the same time, the pandemic has presented firms with new challenges, requiring them to improve their business resiliency. What challenges do firms face when they use third-party providers?

RT: Third-party vendors are a critical part of the financial services value chain, providing services and functions that individual firms may not be able to best perform themselves. While this relationship might be effective for many reasons, introducing these providers into the chain means their resiliency posture must be accounted for, in order to gain comfort that the entire service is resilient.

This reality presents its own unique set of challenges. First, there may be a limited number of suppliers in the space. In other words, in certain instances, competition is low, raising concentration risk. The financial industry has had extensive dialogue about limiting these concentrations without revealing which firms use specific vendors.

Another challenge is the existence of what are often called Nth providers: the contractors and subcontractors used by third-party vendors. Nth providers further complicate the issue, because finding information on these firms is complicated and they add additional risk. While firms can use contracts to manage the Nth parties, they may not be able to negotiate based on the size of the institution, value of the contract and the concentration of the providers. In many cases, these Nth providers are not directly regulated. As a result, having insight into their testing and backup capabilities is often challenging.

DC: Are third-party relationships any different when those services are provided by an affiliated company?

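RT: DTCC and other organizations use intra-group providers, which offer a greater level of protection compared with using third-party vendors, because intra-group providers understand the expectations of the entities they serve and are generally more aligned with the services provided. Intra-group outsourcing does not present the same degree of risk as outsourcing to independent vendors, and generally allows regulated entities to deploy resources effectively on an enterprise-wide basis in a manner that safeguards the entity's safety and soundness. This can be achieved through service level agreements and inclusion in risk and resiliency governance structures, which review and set the group’s risk tolerance. Stringent requirements applied to intra-group arrangements that are disproportionate to the risks these arrangements present could put regulated entities at a competitive disadvantage compared with unregulated competitors.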

DC: How will the focus on operational resiliency change the way business continuity testing is performed?

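RT: In general, business continuity plans and their associated testing ensure that the business can operate in the event of a disruption and cover the need for geographic dispersion. In other words, are the people and technology in place to ensure services are delivered when clients need them?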

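Performing business impact analysis and testing exercises are key elements of any business continuity program. Firms typically test their capabilities through disaster recovery exercises and rotation of staff responsibilities. Based on recent regulatory guidance, this type of testing will continue and may even increase in frequency.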

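However, as focus transitions to operational resiliency at a service level, firms may need to evolve their testing programs so that, rather than focusing on single points of failure, they evaluate multiple points of impact across the service and stress them together. This can be done by performing tests in which certain technology or process components fail at the same time and many dependencies are impacted. Instead, looking at important business services in a more granular way will help identify areas of opportunity.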

Also, additional focus will be needed for further prioritization. If a service is disrupted, which services need to be resumed first? Are the firm’s recovery plans enacted in such a way that allows for a more granular recovery? Looking at these points, testing with third parties on which firms depend becomes more critical.

DC: How should firms approach changes to technological availability as part of resilience planning?

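RT: How firms approach changes to technological availability is a key area of investigation. For example, testing of the multi-data center model—under traditional disaster recovery programs, firms need to ensure they can move from one data center to another to continue providing service. These failover tests may also be required through regulation: in the U.S., this includes “Sound Practices to Strengthen Operational Resilience” or SEC Regulation SCI. However, when firms switch to a model in which applications or complete infrastructure components operate across data centers as a standard business process, the concept of performing a failover or loss of region test has little value. Technically, the systems and associated technology stack are already performing this task at some frequency by design. Both firms and regulators need to evaluate how service continuity testing needs to be adjusted given these changes in technology design and execution.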

DC: Why is international collaboration needed in order to implement successful operational resiliency programs?

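RT: In order to implement effective operational resiliency programs, it is critical that firms understand regulatory expectations, and the definitions used in policies and guidelines provide the foundation for the effective application of any standard. For entities with an international reach, a globally consistent taxonomy set is critical for market participants and regulators alike, helping to form consistent expectations between the public and private sectors and mitigating the potential for market fragmentation and regulatory arbitrage.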

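A common framework is also critical to supporting systemic risk monitoring across different regulators globally. Allowing for this consensus also has the potential to ease the burden on market participants of responding to multiple requests for the same information.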

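On the cyber side, harmonization and other efforts to reduce additional burden will allow firms to focus on protecting clients during a crisis, while also restoring and ensuring the confidentiality, availability and integrity of the systems supporting their services in a timely manner, without introducing more risk to the market.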

Rachel Tyler, DTCC Executive Director of Business Resiliency