05/03/2026
Video Transcription

Ciaran Flynn

Hello, my name is Ciaran Flynn, and I’m Head of Governance and Consulting Services here at Arthur Cox. Welcome to our new series of videos, which will cover the more nuanced and complex aspects of resilience. Over the course of the series, we will take a closer look at how firms can build resilience frameworks that are not only compliant with relevant regulations, but are also fit for purpose in today’s fast-moving environment. We’ll also look at how firms should prepare for something going wrong and how they should stress-test those resilience processes.

Resilience is becoming a strategic priority and increasingly the key differentiator between firms. With operating models growing ever more interconnected and disruptions from the likes of cyber threats and climate risks becoming ever more frequent and impactful, firms really need to be prepared to respond, recover, and adapt. In this series, we’ll explore the evolving regulatory landscape, including the growing influence of DORA and the Central Bank of Ireland’s revised cross-industry guidance on operational resilience. This revised guidance incorporates changes which have been informed by recent developments and ongoing industry insight, but are primarily focused on alignment and consistency with those DORA requirements. To support the series, we’ve developed the concise Resilience Playbook.

It summarises the key takeaways and offers practical tips to help you assess and enhance your resilience strategy. For more information, please visit arthurcox.com/resilience. Thank you.

In today’s unpredictable environment, shaped by global events, cyber threats, and regulatory shifts, resilience is a top priority for legislators and regulators around the world.

This series supports organisations in designing, reviewing, and refining their Resilience Frameworks through expert insights and actionable guidance.

  • Regulatory expectations and supervisory priorities
  • Core components of a resilience framework
  • Workforce culture and accountability
  • Incident response and recovery playbooks

Each video delivers actionable insights to help you strengthen your organisation’s ability to withstand disruption, adapt effectively, and recover swiftly.

To complement the series, we’ve also developed a resilience playbook, which is a hands-on resource to support your journey toward greater operational resilience.

Components of a resilience framework

In this video, Siobhán McBean, Partner in our Asset Management and Investment Funds Group and Ciaran Flynn, Head of Governance and Consulting Services, discuss the latest changes in operational and digital resilience, focusing on recent updates from the Central Bank of Ireland. These updates bring local regulatory guidance into closer alignment with the EU’s Digital Operational Resilience Act (DORA), encouraging firms to adopt DORA’s standards as best practice. They explain why organisations now need to maintain separate but aligned frameworks for operational risk and operational resilience, and stress the importance of addressing both internal and external critical business functions to ensure robust protection against disruption.

Video Transcription

Siobhán McBean

Hello, everyone, and welcome to the first video in our series exploring some of the more nuanced and complex aspects of resilience. My name is Siobhán McBean. I’m a partner in the Asset Management and Investment Funds Group here at Arthur Cox. To start off, I’m joined by my colleague Ciaran Flynn, who heads up our Governance and Consulting Services Group. So, Ciaran, plenty has happened since our last webinar in the area of resilience. Could you provide us with a quick update?

Ciaran Flynn

Absolutely, Siobhán. Thank you for having me here. Since we spoke in June, the Central Bank has somewhat unexpectedly published a revised version of the cross-industry guidance on Operational Resilience to incorporate changes which, in their own words, have been informed by recent developments and valuable ongoing industry engagement. Fundamentally, it is about bringing alignment and consistency with what DORA has introduced to the industry.

We’ve compared the new version with the previously existing cross-industry guidance, and there are three main points to highlight:

  1. Separate frameworks – The CBI now expects firms to document both an operational resilience framework and an operational risk framework separately. While they emphasise that these documents should be aligned, they must remain distinct. Previously, a combined version would have been acceptable.
  2. Different perspectives – The CBI defines a business service as external-facing with an identifiable external end user from an operational resilience perspective. Under DORA, however, firms must focus on all services supporting critical business functions, whether internal or external.
  3. Proportional adoption of DORA – The CBI encourages all regulated entities to adopt DORA requirements proportionately, even if not formally in scope. In short, the CBI views DORA as best practice for ICT risk management and digital resilience, and expects firms to keep this in mind when addressing organisational risks.

Siobhán McBean

It sounds like the Central Bank is really trying to get firms to think about how they approach the various components of their wider resilience framework, and to ensure that their documentation is consistent and coherent across the board.

Ciaran Flynn

When approaching resilience holistically, we suggest clients consider five core pillars:

  • Operational risk and business continuity
  • Operational resilience
  • Digital resilience (ICT risk management frameworks)
  • Financial resilience
  • Third-party risk management

Today, we’ll focus on the first three.

Operational risk and business continuity looks at an organisation’s authorisation and legislation. Operational risk is an all-encompassing term covering the impact when a process or system fails, whether due to manual error or system malfunction. Firms are asked to consider single points of failure while assuming everything else operates normally. For example, a business continuity plan might cover what happens if a key system goes down or a critical individual cannot perform their role.

It’s important to note that third-party risks, such as outsourcing or delegation, are considered key subcomponents of operational risk.

Operational resilience, by contrast, focuses on external-facing critical business services provided to identifiable end users, such as clients or investors. This lens does not assume a single point of failure but instead considers end-to-end delivery, only where failure could cause intolerable harm outside the organisation.

Digital resilience, under DORA, looks at end-to-end delivery of critical business functions, both internal and external. However, DORA is only concerned with ICT systems and applications supporting critical functions, or ICT third-party providers delivering those functions.

So, while these lenses overlap, each is distinct and can add to the compliance challenge for firms.

Siobhán McBean

A key gap in current regulations is the end-to-end delivery of non-ICT dependent, internal-facing services. Examples include oversight and governance activities such as compliance, risk management, and monitoring service providers. These are core functions for Irish regulated firms, yet they are not considered critical under operational resilience guidelines, nor ICT-dependent under DORA.

Firms must recognise that, even if legislation excludes these in-house services, they remain vital and should be planned for within a resilience framework. So, Ciaran, if we take a step back, what else should firms be thinking about when reviewing their broader resilience framework? How can they ensure they’re taking a holistic view?

Ciaran Flynn

Thanks, Siobhán. Firms that have already complied with the regulations and guidance we’ve discussed have most of the necessary work documented. What may be missing are plans for non-ICT dependent, internal-facing services.

For example, imagine a system outage at a service provider impacting a core business line. The provider should trigger its business continuity plan, implement workarounds, and restore functionality quickly. At the same time, the firm’s relationship manager should oversee how the incident is handled, ensuring alignment with the firm’s third-party management or outsourcing framework.

The question is whether both activities, the performance of the service and the oversight of the service, are being treated equally within resilience planning.

Based on my experience, most firms would probably say no. The disrupted core business line is likely categorised as a critical or important business service, with a tight recovery time objective (perhaps 4–24 hours) and high business impact. Oversight activities, however, are rarely treated with the same urgency, even though they are equally time-critical.

I would encourage firms to consider their governance and oversight activities, and how they would be performed if the network went down and access to email or video calls was lost.

Siobhán McBean

I think that’s a great point. For a firm to be truly resilient, it needs to identify all the functions, services, and activities it performs, regardless of whether they are ICT-dependent or not, or internal versus external-facing. Firms must ensure they have plans in place should something go wrong.

For example, we’re seeing more clients now building resilience requirements into senior leadership role descriptions, appointment letters, and management responsibility maps. Resilience can no longer be considered in a silo; instead, it must be integrated into how boards manage and govern their organisations more broadly.

In our next video in this resilience series, we’ll provide further practical guidance and advice on where to start when identifying business services and functions, and on the importance of mapping critical interdependencies and connectivities.

To accompany this series, we’ve created a concise Resilience Playbook which summarises what we’ve covered and shares additional practical tips and insights to support your resilience journey.

As ever, please feel free to get in touch with your usual Arthur Cox contact, or email us at [email protected] on any issues or topics we’ve discussed today. For more information, you can also visit our website at arthurcox.com/resilience.

Mapping interconnections and interdependencies

Denise Murray, Head of Financial Services Compliance and Regulatory Relations, and Ciaran Flynn, Head of Governance and Consulting Services, discuss how firms can strengthen resilience by mapping the critical connections between people, processes, technology, and third‑party providers. They explain how combining a top‑down view of licensed activities with a bottom‑up perspective from business continuity planning enables organisations to identify vulnerabilities and build a more robust resilience framework.

Video Transcription

Denise Murray

Hello, everybody, and welcome back to the resilience video series here at Arthur Cox. Today, we’re going to explore some of the more nuanced and complex aspects of resilience. For those of you who don’t know me, my name is Denise Murray, and I’m the Head of Financial Services Compliance and Regulatory Relations here at Arthur Cox and I’m joined today by Ciaran Flynn, who’s Head of our Governance and Consulting Services. What we’re going to do today is share with you some insights and thoughts on how firms might approach mapping the interdependencies and interconnectedness that support an organisation’s business services and their resilience position.

Ciaran Flynn

Great. Thanks very much, Denise. It’s a delight to be here. For a firm to be resilient, it must ensure the end-to-end delivery of all activities it supports, its internal and external-facing business services, and regardless of ICT dependencies, thinking about the interdependencies and interconnectedness between all of those things. This might seem like a daunting challenge.

Denise Murray

Thanks, Ciaran. I think it’s fair to say that resilience can feel overwhelming at times, particularly as new regulations continue to make reference and cross-reference back to resilience requirements but when we’re talking to firms and when I’m engaging with firms, we always talk about going back to basics. There’s no single prescribed requirement or starting point in terms of how you’re going to examine your regulations and your requirements in relation to resilience but what we do know is that the regulator, particularly the Central Bank of Ireland, takes an outcome-based approach. So that means firms have the flexibility to choose the identification method and methodology that suits their organisation as long as they can demonstrate that they’ve looked at, assessed, and managed the impacts of a disruption.

So maybe let’s take a moment to reflect on the Central Bank of Ireland’s actual expectations. Firstly, firms are required to have a level of detail that enables the identification of the resources and contributes to the delivery of each stage of the service and their importance. Secondly, the approach and level of granularity of mapping should be sufficient for a firm to identify vulnerabilities and key dependencies, to support testing of its ability to stay within the assigned impact tolerances for each critical and important business service.

Bit of a mouthful, but they’re our two guiding principles in the context of resilience. When we’re talking with clients, as you know, we usually suggest starting with two things: your authorisation legislation (what you’re licensed to do) and your business continuity plans. That’s where you’ve already documented your departments’ positions around issues that might impact your continuity. This gives a top-down and a bottom-up view of your operations, and that really positions you well then to start thinking about resilience.

If we take the top-down view first, every regulated firm has a list of services that they’re authorised to provide, essentially the reason why you exist. If we take a fund administrator, for example, the provision of fund administration services is a critical activity. But within that, you’ll find the nuances of the production of the NAV and also interfacing dependencies, such as the stock and cash reconciliations that support that. While the licensed activity gives you the starting point—the service—you really do have to drill in beyond that to understand the specific requirements that are involved in the end-to-end delivery of that service.

So when you’re doing that, you need to think about: what are your clients relying on? What are you relying on? What systems support your services? And what would cause those systems or processes to fail or indeed to harm you, your firm, or the clients that you service?

Then if we take the bottom-up approach, the business continuity plan really is a gold mine. Most firms have had these in place for a number of years. They’ve required their organisations’ departments to document how they keep things going if a system doesn’t work, if the office is closed and they can’t gain access, or if a key person is unavailable. Not everything that you will have included in your business continuity plan is going to be a critical service or a critical activity, but they give you a comprehensive view of what’s happening across your organisation, which ultimately speaks to resilience. Bringing all that back into the regulations is then going to allow you to think about the people, the processes, and the technology that support your resilience position.

If I link it back again to those very wordy regulations that we talked about a moment ago and the requirement for granularity, it’s really not about a box-ticking exercise. If you get into that granular level of detail and understanding in relation to the services and the components of those services, it enables you to pinpoint where you may have vulnerabilities, where your processes or your systems may not be as robust as you would need them to be, and what controls you may need to put in place, and ultimately it will help you then determine what tolerances you have in the context of things going wrong with those services or processes.

Maybe just a couple of further thoughts. When we’re focused on resilience, we often think of those people-process-technology requirements, and we sometimes overlook the governance and oversight. That’s really where we’re back into the regulation again. That’s particularly important for firms operating under a delegated model or with lots of outsourcing relationships and third-party providers: the activities that take up a significant part of your day relate to the oversight of those activities, and they’re essential to your overall delivery and to your control environment. So when mapping services, it’s so important to include your oversight functions. They may not be time-critical in the same way as client-facing issues might be, but they are absolutely central to your resilience posture.

Ciaran Flynn

Thanks, Denise. I couldn’t agree more on that front and I think what firms should be striving towards is finding that sweet spot between identifying a service at too high a level, where every system, third party, process, and person in the organisation is mapped to it, or going too granular and identifying each step in each process as its own activity. It is really about finding that Goldilocks zone in the middle that’s just right for your firm, and that’s going to vary from firm to firm.

So once firms have identified their business services and functions using that top-down and bottom-up approach you outlined, Denise, they will have a complete list of services that they perform in-house as well as what services are performed by external third parties, subject to the firm’s ongoing oversight and monitoring, as you touched on. The next step will be for firms to identify, classify, and tag each of those services and functions as being critical or important business services subject to cross-industry guidance, and which are critical or important business functions, subject to DORA. We’ve outlined some of the key criteria which firms consider when it comes to criticality in our playbook, but for the purpose of this video, we’re going to move on to the third stage of this process, which is mapping critical or important services and functions. When we’re talking about mapping, what we’re really talking about is identifying the relevant people, processes, information, technologies, facilities, and third parties which are required to deliver those critical services and functions, and how those dependencies might interact with each other.

This mapping process can take time, but it should be carried out by the employees who perform or support the relevant activity on a daily basis. There is no point in delegating this work. Similar to the identification process, you’re looking to strike that balance between it being too high level and too granular. I think CrowdStrike remains that perfect example of an unknown vulnerability in the supply chain, which meant that firms were unprepared when something went wrong.

What that example highlighted, however, is that firms are reliant on their primary service providers to share details of their further dependencies on their fourth and fifth parties and that interconnectivity, as well as how they’re working towards resolving the vulnerabilities. I’m sure Microsoft had a large number of queries, shall we say, about their supply chain and vendor management when that particular incident occurred.

Denise Murray

For sure and maybe we’ll stay with that point for a moment because I think it’s quite important. When it comes to resilience, it’s often the most challenging area for firms—identifying and managing those third-party dependencies, particularly where the services are delivered, as you’ve just quite rightly called out there, through layers of subcontractors.

So really getting down into an understanding of how that’s being supported or how the service is being supported becomes even more complex for a firm that’s relatively a small client of a large service provider. In those cases, the risk isn’t just about the service being restored in the event of an issue. It’s about whether the service is restored in a fair way and within the time frames that you’ve planned for in your own analysis.

So as part of the identification, classification, and mapping process that we’ve just discussed, Ciaran, firms should be assessing the business impact of the service and setting clear recovery point and recovery time objectives in that regard. But if a critical service is outsourced, the firm is ultimately reliant on the provider to meet those objectives and to do so in a way that doesn’t prioritise larger clients at the expense of the smaller ones.

And that’s why the issue needs to be front and centre, not just during a crisis, but right from the start of the relationship. It should be considered during onboarding, built into due diligence, and reflected in the firm’s outsourcing strategy. The more dependent a firm is on external providers and the smaller its footprint in that provider’s ecosystem, the more it is exposed, and there may be some more issues if things go wrong further down the supply chain. And that exposure can have a direct impact on the firm’s ability to recover and maintain trust with its stakeholders.

Ciaran Flynn

Thanks, Denise. With that, we come to the end of this video on interconnectivity and interdependence of critical and important business functions and services. Our Resilience Playbook is a great source of information on this and further resilience topics. Join us next time for a video where we’ll deal with what happens when a real-life resilience event occurs and how you can deal with it. For more about all things resilience, please visit arthurcox.com/resilience.

In this episode of our Resilience Video Series, “How to respond to an ICT-related incident,” Denise Murray, Head of Financial Services Compliance and Regulatory Relations, is joined by Ian Duffy, Partner in our Technology and Innovation Group. They share practical insights on identifying and managing ICT incidents, from phishing attacks and supply chain compromises to large-scale cyber breaches. The discussion covers activating response plans, engaging stakeholders, and meeting relevant regulatory obligations including under DORA and GDPR. They also highlight why documenting decisions during fast-moving disruptions and conducting lessons-learned reviews are essential for an effective and compliant response to incidents.

Video Transcription

Denise Murray

Hello everyone, and welcome back to the Arthur Cox Resilience Video Series. My name is Denise Murray. I’m the Head of Financial Services, Compliance, and Regulatory Relations here at Arthur Cox. In our last video, we explored how you can document and map the interconnectedness and interdependencies that underpin your critical services. Today, we’re going to go a little bit further and we’re going to explore what happens when things go wrong. The shift to digital service delivery has fundamentally changed how firms build and manage their resilience frameworks, but it’s also changed the nature of the dependencies that firms face. In this session, I’m joined by my colleague, Ian Duffy, partner in our Technology and Innovation Group, and together we’re going to walk through how a firm might identify, respond to, and learn from an ICT-related incident. So, Ian, to get us started, could you walk us through some of the most common ways that firms typically identify or become aware of an ICT incident?

Ian Duffy

Yeah, thanks, Denise. Yeah, sure. Look, there are multiple different ways in which clients can identify incidents or become aware of them. And how that happens will, to a certain extent, depend on the nature of the incident. And to be honest, the structure of the client to a certain extent as well. For example, some incidents may originate as a result of a compromise in your supply chain. In that type of scenario, it’s pretty common for clients to become aware of it because they get notified by the relevant service provider. Conversely, it may be that an incident arises as a result of some human error. You could have a staff member clicking on a phishing email, for example. In that type of scenario, you may become aware of it because it’s self-reported. The relevant staff member will let you know, or it may be through your own monitoring of your systems, you actually see that that type of incident occurred. Another scenario, and perhaps the most dreaded of them all, is a cyber-attack. That’s where a hacker effectively unlawfully accesses your ICT systems. They encrypt your data, and they issue a ransom demand for the decryption key.

It’s common in those types of scenarios for clients really only to become aware of the incident once they actually receive the ransom demand from the hacker. There are a few different scenarios in terms of how an incident can occur, how a client can become aware of it, and the type of incident that can actually affect clients as well. There is a fair bit of variety there in terms of the nature of the incident. I guess in that vein, it’s also worth mentioning that under legislation like DORA, the concept of an ICT-related incident is actually defined pretty broadly. Under DORA, it’s any incident that compromises the security of ICT systems and adversely impacts the integrity, the confidentiality, the security of services or data. From a client’s perspective, it’s important to ensure that your staff do actually have an understanding as to what actually constitutes an ICT-related incident, because doing so will help them not only from the perspective of being able to effectively identify these incidents and to mitigate their impact and effectively respond, but also in terms of actually being able to prevent certain types of incidents actually occurring in the first place.

Denise Murray

So, knowing how the incident might come to light: when we have had an incident and it’s been identified, what should we be thinking about, or what should firms be thinking about, in those first few moments, especially in terms of activating their response plans and engaging with the right people? Because we know it’s not just about assessing the damage.

Ian Duffy

Yeah, absolutely. Look, when a large-scale ICT incident does happen, I think in the first instance, it’s very much the case that clients should actually see at that point in time the value of the time and effort that they’ve invested into developing their structures, their controls around operational resilience, the ability to effectively respond to incidents, and really that effective response to a large-scale disruptive event is to a large degree focused on the effective deployment of a number of key policies and procedures. That’ll be things like your incident response plan, your crisis communication plan, your business continuity plan. Once you’ve actually deployed those different policies and procedures, it’s really important that key staff members understand what their role is in respect to them. Because to be candid, it’s not really enough just to write certain roles into a policy and assume that people will know what to do when the big incident does actually occur in practice. Really, what you want to do is ensure that those policies and procedures are battle-tested. That can be through things like tabletop exercises, other types of review and training, so that when the big ICT incident does actually happen, people understand this is what’s expected of me, this is my role, this is how as an organisation, we’re going to effectively respond and deal with this incident.

Another significant consideration when it comes to responding to ICT-related incidents is obviously regulatory reporting. From a DORA perspective, this will be focused on trying to establish really whether the incident satisfies the criteria and the thresholds to constitute a major ICT-related incident under DORA, which is reportable to the Central Bank. In simple terms, an ICT-related incident will be a major incident under DORA where it affects your critical services and it constitutes a successful malicious attack on your ICT systems that creates a risk of data loss, or it satisfies two of the other materiality thresholds prescribed by DORA. They relate to things like the number of clients affected, the number of transactions affected, duration of the incident, geographic spread, publicity, etc. If those materiality thresholds are satisfied, you will have to report the incident to the Central Bank on a staggered basis. The first phase of that will be an initial report, which needs to be made within 24 hours or within 4 hours of the incident actually being identified or within 4 hours of it being classified as major, if that doesn’t happen within the first 24 hours. After that, you’ll then have to submit an intermediate report.

The idea there is to provide a bit more information in relation to the incident to the Central Bank, and that has to happen within 72 hours of the initial report. Then thirdly, there’s a final report. That has to issue within one month of the incident, and that will include more substantive detail on the incident. It will be things like information on the cause analysis that’s being conducted, details of the costs associated with the incident, ultimately how the incident was resolved as well. In addition to those DORA regulatory reporting considerations, it’ll also be necessary to think about, well, do we actually need to report this incident under any other regimes? An obvious question to ask there is, is this incident a personal data breach that needs to be reported to the DPC pursuant to the GDPR? One helpful other point just to note when it comes to incident reporting is that if you are dealing with an ICT-related incident that affects payment-related data or payment-related services of, for example, a bank or any money institution, and you determine that it’s a major ICT-related incident that needs to be reported under DORA, hopefully that incident doesn’t also need to be reported under PSD2.

That’s good because there aren’t duplicative reporting obligations in that scenario.

Denise Murray

Lots of reporting, regulatory reporting, lots of consideration of the regulations, but there are other practicalities as well, right? So maybe could you talk to us briefly about what they might look like?

Ian Duffy

Yeah, look, that’s absolutely the case, Denise. Look, after you’ve deployed the policies and procedures like we discussed, and you’ve thought about those regulatory considerations, there are multiple other practical steps that you need to think about when you’re dealing with a large-scale ICT-related incident. So for example, you’ll need to centralise your facts and then come up with a single version of the truth. You can use those facts and that information to then notify the board in relation to the incident and provide them with regular updates in relation to it as well. It’s also really key to reach out to your key external service providers at an early stage. So think about your provider of cyber insurance, also IT forensics, external counsel. In addition, if the incident occurred or originated in your supply chain, as a result of an act or something affecting one of your key ICT service providers, it’s really important to establish a clear line of communication with them at the earliest stage possible. So you get the information you need from them, you get relevant updates and regular updates, so as to help you effectively respond to the incident. Look, I think it’s probably implicit in all of what I’ve said there that really a key aspect of that effective response in taking those practical steps is ensuring that there are those clear lines of communication, both internally amongst key relevant staff and then upwards towards management and the board, but also outside the organisation to those key service providers.

Having that effective and clear line of communication to relevant parties will help in terms of your effective response, dealing with relevant regulatory reporting requirements and other relevant regulatory considerations.

Denise Murray

So we’ve had our incident. It’s clear that things are moving fast. We’re communicating and reporting really well. There’s a surge of activity. So teams are mobilised, systems are being assessed, there’s a response team put in place. I think probably, though, helpful just to reflect that it’s not just about that reactive response when we’re in that environment. I think what comes to mind for me in particular, Ian, is that you have to capture what you’re doing as you’re moving along. So that requirement to document what happened before, during, and after your disruption is just as important as those communication channels. It’s important maybe to spotlight that for a moment and maybe just pause on this particular point because it can be really, really difficult after the event to go back and document and remember what you knew at points in time that informed your decisions, that drove you through the process in what typically is quite a fast-moving, pacey environment. But nonetheless, the expectation is there that you will document and that you will have a good record, not just of your communications, but of how you managed during the process day to day.

And look, we always hope for a quick fix for issues, but unfortunately, that’s not often the reality. From experience, the scale of the effort that goes into managing the aftermath can be a little bit underestimated, whether that’s restoring the service or addressing the vulnerabilities and improving and enhancing arrangements and adopting or adapting to a new norm. What often sets firms apart, and you’ve mentioned this already, is that communication through the process, transparency being key, making sure stakeholders are managed and informed within the business through the board, because it’s not just about technical recovery. From my experience, it’s really about information, reassurance, and engagement with your key stakeholders. You’ve mentioned that, Ian, and that might be your board, it could be your regulators, external parties, but they need to know that you’re in control and that you’re aware of their concerns, that they’re being addressed, and particularly, I think, in a financial services context. But interestingly, I think one of the really good examples we have recently is Marks & Spencer. The CEO, in that instance, used social media, which, let’s be frank, is probably their effective communication channel in good times, but they used that to keep their stakeholders up to date during their disruption.

Maybe a really good example to reflect on in terms of proactive engagement and evidencing that leadership to build trust and retain confidence.

Ian Duffy

Yeah, no, absolutely. Look, when you do get to the end of an incident and you’re getting back towards BAU and the incident is resolved, obviously there’s going to be a sigh of relief from all involved because these things are pretty intense. But to pick up on a thread you mentioned there, Denise, that’s not really the end of the road from a regulatory compliance perspective. There are multiple things that the affected firm needs to think about to ensure that they do see the journey through from a regulatory compliance perspective. One of those will be that final report to the CBI that we talked about in relation to the incident from a DORA perspective. So providing that information around the root cause analysis, providing information on how the incident was resolved, etc. There are also requirements we need to be alive to under the CBI Operational Resilience Guidance as well. There is that expectation once you get to the end of the incident and it’s resolved and you’re looking back that you carry out a lessons learned session to figure out effectively what happened and how can we perhaps adapt in ways that help us to ensure that this doesn’t happen again, or if it does happen again, that we can respond more effectively.

As part of that, you should develop a set of predetermined questions that you ask yourself in that type of scenario. That will be things like, how did this incident actually occur? What vulnerabilities did it expose? How did it impact our critical services? How quickly and effectively did we respond and recover from this incident? Once you’ve done those final few steps, I guess the final thing you want to think about is any remedial actions you’re going to take off the back of that, right? Any remedial actions you are due to take, ultimately, you’ll want to make sure that they’re logged and that they’re monitored by senior management and the board so that there is that continuous improvement of your operational resilience profile. I guess if the incident did originate in your supply chain, which is a concept we’ve touched on a couple of times, you may need to think about, well, look, do we need to revisit our contract with the service provider? Do we need additional protections, controls, processes to try and help ensure that this doesn’t happen again through our supply chain, or that if it does, we’re better able and better prepared to respond to it?

Of course, look, when you get to the end of an incident, you also have to think about, well, how effective were all of our policies and procedures that we used in response to them? We have them on the shelf, they’re written down, they look great, but now they’ve actually been used in the real world and properly road-tested and were they effective or do they need to be adjusted and slightly adapted? So if something like this does happen again in the future, we have an even more effective process that we can roll out to help us respond to it.

Denise Murray

And that neatly takes us back to the starting line with policies and procedures that have been battle-tested and that are ready to be deployed the next time an incident occurs. And with that, we’ve come to the end of this video series today. And we’ve really explored what you do when you identify an incident, how you respond, and most importantly, how you learn from it. Our Resilience Playbook can provide you with some more information and it’s a useful resource as you are exploring your resilience frameworks and your resilience response. If you have any questions, please do reach out to us, to your usual Arthur Cox contact. Alternatively, you can send us an email at [email protected], or you can find more information on our website at arthurcox.com/resilience. Thank you very much, and see you next time.

Financial Resilience

Ciaran Flynn, Head of Governance and Consulting Services, is joined by Sarah Thompson, Partner and Head of our Financial Regulation Group, as they explore how increased regulatory scrutiny is reshaping financial resilience across the Irish market.

From stress testing and liquidity buffers to capital planning and ICAAP/ILAAP integration, the conversation covers need-to-know topics relating to financial resilience, including:

  • How ECB and CBI expectations are changing firm behaviour
  • The real-world impact on smaller and mid-sized firms
  • Why early detection, clear communication and regulator engagement are critical
  • How firms can better integrate resilience planning into day‑to‑day risk management.
Video Transcription

Ciaran Flynn
Hello, and welcome to our latest instalment on our deep dive on all things resilience. My name is Ciaran Flynn, and I’m Head of Governance and Consulting Services here at Arthur Cox. Today, I’m delighted to be joined by my colleague, Partner, Sarah Thompson, from our Financial Regulation Group, who is here to talk about financial resilience. So turning to you Sarah, we have seen increased focus from the Central Bank and indeed from the European regulators on stress testing, liquidity buffers, and capital planning for resilience. How is this impacting Irish market participants?

Sarah Thompson
Ciaran, thank you so much. You’re absolutely right. I think we are seeing this impact market behaviours in the Irish market, and I think it’s helpful to pause briefly on the points you’ve just mentioned that we’re seeing from the ECB and from the CBI. We are seeing more granular, more frequent reporting, and hand-in-hand with heightened regulatory scrutiny, so not only are firms and institutions submitting their reporting, you also have regulators that are poring over it in greater detail. Then tied to that, you have increased capital reserving, especially around liquidity buffers, so things like high-quality liquid assets, the liquidity coverage ratio, and net stable funding ratio thresholds. I think that has been particularly challenging for smaller institutions, not just in Ireland, but Europe-wide. Holding excess liquidity, if we can put it that way, can compress margins and just make innovation in your business that bit more difficult.

Sarah Thompson
Then again, as you say, this challenge around balance sheet monitoring, and ensuring that you have appropriate capital adequacy planning. Regulators are demanding more and more forward-looking plans that incorporate stress scenarios over multi-year horizons. With those three things in mind that you were picking up on, I think we’re seeing a few things in the Irish market.

Sarah Thompson
We’re seeing a reduced risk appetite. Firms are tightening their credit standards, and they’re perhaps slowing some of their growth strategies in order to preserve capital. I think as well, again, I was talking about smaller firms earlier. They are facing a proportionally higher compliance cost, not just in the figures of the liquidity margins that they’re required to set aside, but also in their compliance costs, so in their calculations, in their accountants. It’s not just that final bit that you’re setting aside, it’s also the work you have to do to calculate that and decide what you’re going to set aside. Then finally, anecdotally, you might see some liquidity hoarding. Banks and financial institutions and investment firms holding on to more cash, and I think that then tightens some of the liquidity that’s available in the Irish market more generally for the real economy. So I do think we are seeing those impacts having a real-world impact in the Irish market.

Ciaran Flynn
Thanks, Sarah. That gives us a great overall picture. I suppose thinking about the capital requirements rules, be they coming out of CRD IV, Solvency II, or IFR, ultimately, they’re designed to make sure that firms have an adequate capital buffer when things go wrong from a liquidity perspective. So, can you tell me more about how and when firms can access that buffer, and what management should be doing if they find themselves in that unfortunate situation?

Sarah Thompson
As you say, they’re there for those stress scenarios, so it’s one of those things where firms hope they’re never going to need to use these things. In that, I think there are three main points to bear in mind. I think detection, communication, and remembering to think locally. If we go to detection first of all, I think it’s really important that firms have robust risk management systems in place, and also risk appetite monitoring, so that they identify early bumps in the road for liquidity and capital adequacy. The earlier you identify that, the more time you give your firm to course correct, so that’s detection. Communication is also key, and that’s communication on multiple levels. It’s communications within the firm, so if you have your financial officer, and your finance team and your accounting team looking at that, there should be a virtuous feedback loop going to executives, going to the board, to make sure that everyone is aware of the firm’s liquidity situation at any given time, but especially in times of stress. That’s communication within the firm. For a number of firms in the Irish market who are operating in a global context, it’s also making sure you’re communicating with your brother and sister institutions across the Atlantic or in Europe, to make sure that any group requirements are being picked up, and so the group is aware early of anything that’s going on in the local entity.

Sarah Thompson
Thirdly, your regulator. So making sure that you are communicating with your regulator promptly. Especially if we have had that early detection coming to fruition, it’s making sure you’re not slow about updating the regulator. As well, again talking about those firms who are operating in a global context, perhaps as part of a larger global group, it’s really for the managers of the Irish firm to remember the specific needs of the Irish firm, especially in a world where you’re thinking about the Individual Accountability Framework. I think it’s well understood by the market and by the regulator that we don’t operate in isolation, and a number of Irish firms don’t operate in isolation, but it’s really remembering that the firm has to sit within that global context and that you have responsibilities to your Irish regulator, if you like. In a way, capital buffers are there to be used. You hope never to have to use them, but if you are going to be looking to use them, I think the absolute mission critical thing is to be communicating early and clearly with your regulator.

Ciaran Flynn
Thanks, Sarah. It’s interesting that you frame this in the context of risk management, more broadly in risk appetite. It reminds me of what the CBI published in December in terms of their thematic assessment of operational resilience for MiFID firms, and really one of the themes that came strongly out of that was that lack of integration between resilience planning and broader risk management. I think that’s probably something that the firms in the market need to work on more broadly. Stepping back, and given recent examples, whether that be the ongoing sanctions with the Russian regime, or everything else that’s happening in the world at the moment which can cause challenges, there is a potential for reduced liquidity of certain assets and portfolios. Given that context, how can firms protect themselves to make sure that they can meet the financial obligations as they fall due, but also not fall foul of their regulatory requirements?

Sarah Thompson
I think you’re absolutely right to highlight the current geopolitical situation. I think a number of these rules, or at least the current iteration of these rules, have their origin story in the financial crisis, which is a very particular sort of stress that really did bring into sharp focus the capital and liquidity of financial institutions in particular. In the current scenario, I think we’re more focused on sort of those geopolitical questions, but they are no less impactful on financial institutions. For firms looking for tools to manage their capital and liquidity in this world that we’re living in, I think there’s a few things you can do. Perhaps continuing to focus and in some cases, bring more focus onto liquidity management, so more frequent monitoring, more frequent reporting to the executive, so it very much becomes a business as usual topic of conversation. It’s not something that comes up less regularly, it’s coming up more regularly. Then I think applying, I suppose, plausible but potentially extreme stress scenarios, and then applying lessons learned, and I think a key place that can be done is in the ICAAP process. Indeed, I think that’s something that’s mandated in your ICAAP process to look at stress testing scenarios.

Sarah Thompson
I think that is your opportunity in your regular work in this area, to bring a little bit more of the geopolitical situation to bear in your planning. I think as well, looking at diversification of both exposures and liquidity sources. I think it’s perhaps just giving some thought to, are there other opportunities here to do more from different sources. As I say, that’s on both sides, it’s also on your exposure side and on your liquidity side. For investment firms, too, I think there’s an opportunity to look at redemption gates. In the situation we find ourselves, I don’t think investors would be surprised if investment firms were looking at their redemption gates and looking to make tweaks to that. That might present an opportunity for managing your liquidity in the investment firm scenario. I think as well, looking at all of those tools is making sure your communication strategy is fit for purpose. It’s perhaps looking internally, is there a good flow of information from your finance team to your executives, to your senior management team, to your board? And looking at your group communication strategy, if you’re operating in that group context, is there a good flow of information from the Irish entity to the mothership and making sure that that communication is there, but also critically to your regulator.

Sarah Thompson
We talked right at the top of the session about increased regulatory scrutiny, enhanced reporting, more granular reporting, that’s the regulator being interested in this. I think communicating with your regulator through that reporting, and I suppose entering into it in the spirit where it is a dialogue can be helpful. I think those are the key things to bear in mind.

Ciaran Flynn
Great. Thinking about the ICAAP, I suppose given the amount of effort that goes into the ICAAP, and indeed the ILAAP for those entities that have to prepare one, how can those documents be levered in the event of a financial resilience event?

Sarah Thompson
I think the ICAAP and the ILAAP make you think about these extreme but plausible scenarios. It’s an opportunity to deal with the real-world risks that we’re already thinking about, but I think there has been a tendency in some firms to think of it as a one and done type exercise. It’s something we do on a periodic basis, it goes on the shelf and we forget about it until the next time it’s due. I think we are seeing firms increasingly thinking about it more dynamically and more as a tool that can be used to bring feedback to your planning. Again, it’s those extreme but plausible scenarios. It’s looking at your business as usual risk management framework and seeing if any of those stress tests are revealing tweaks that should be done in that business as usual environment, as well as in your recovery and resolution planning. The two should be integrated. You shouldn’t be thinking about your business as usual risk management framework on the one hand, and your recovery and resolution plan on the other. The two should sit nicely together so that we have an integrated approach to that financial resilience. I think also the ICAAP and the ILAAP process, back to communication again, it’s a great opportunity to bring internal stakeholders up to date on what the firm is doing, what the firm is planning, and what tools the firm has at its disposal if things should get difficult.

Sarah Thompson
Running those stress tests frequently helps different areas of the business prepare for what may happen in a stress scenario. What that does, I think if the stress scenario does come into being in a real-world scenario, it means folks across the firm have a level of confidence that they know what tools are available, they know how those tools work, and they have some idea of how to deploy them. It can never be perfect. An exercise is always an exercise, but having gone through that exercise when you’re met with that real-world scenario, you have that little bit more confidence going into that real-world scenario that, we’ve done this before, I know how this works. So I think that can really be brought to bear in your planning for your financial resilience.

Ciaran Flynn
As ever, it seems to be all about communications and forward planning.

Sarah Thompson
Yeah, absolutely.

Ciaran Flynn
Very good. I suppose, in conclusion, financial resilience and that downside risk may not be something that people want to think about, but it’s clear that this is a key part of the broader resilience posture and something that’s not going away.

Sarah Thompson
Absolutely. Thanks Ciaran.

Ciaran Flynn
For more on all things resilience, please visit arthurcox.com/resilience. Thank you very much.

Operational Resilience

In our latest resilience episode, Ian Duffy, Partner in our Technology and Innovation Group, is joined by Denise Murray, Head of Financial Services, Compliance and Regulatory Relations, to explore how third‑party and intragroup arrangements are shaping operational resilience for regulated firms. With outsourcing deeply embedded across the financial services ecosystem, the conversation looks at:

  • Why third‑party and sub‑outsourcing arrangements can significantly impact a firm’s resilience profile
  • How regulators are increasing their focus on critical and important services under frameworks such as DORA and CBI guidance
  • The importance of robust risk assessments, due diligence and ongoing oversight
  • What firms should expect from vendors around resilience testing, business continuity and incident response
  • Why contracts, governance and clear communication are critical when disruptions occur
The discussion also considers concentration risk, chain outsourcing, and the often‑overlooked challenges of intragroup service arrangements, including autonomy, conflicts of interest and exit planning.

Video Transcription

Ian Duffy

Hello everyone and welcome back to our resilience series for regulated firms. My name is Ian Duffy and I’m a partner in the Technology and Innovation Group at Arthur Cox, and in today’s video we’ll talk about how third-party service providers in your supply chain can potentially have a significant impact on the resilience profile of regulated firms, and as part of this we’ll look to talk about how you can identify, manage, and mitigate some of that resilience risk in a way that aligns with regulatory expectations, and that’s consistent with good industry practice. And I’m delighted to be joined by my colleague, Denise Murray, who is our Head of Financial Services, Compliance and Regulatory Relations, to discuss this topic and to share some insights with all of you today. So welcome Denise, and thank you very much for joining me. Denise, I might start off with a reasonably broad question, and perhaps you can give us a sense of why it is that third-party service providers can potentially have quite a significant impact on regulated firms’ resilience profile.

Denise Murray

We might need to take a step back before we crack that question directly. The financial services industry is really a highly globalised, interconnected ecosystem, and it’s an ecosystem in which outsourcing is already highly embedded, but that brings a vulnerability, the vulnerability that a disruption can have an impact that can very quickly ripple across borders, across providers, and across markets. That level of outsourcing that we see is evident in firms that continue to provide certain services internally within their own operations but also rely on third-party providers or group entities to support the delivery of their regulated services on an ongoing basis. I guess more broadly in the financial services sector, we’re familiar with supervision in the context of outsourcing and third-party relations, because we see regulators engaged at the point of authorisation and on an ongoing basis for supervisory purposes, to understand how services are delivered and particularly how outsourced services are delivered. And in recent times, we’ve seen a really increased focus on resilience and outsourcing as part of the regulatory footprint and because of those more recent changes, we’ve become more familiar with concepts like ‘critical’ and ‘important’, and I’m sure many people listening today will have been involved in some of those criticality assessments under outsourcing or DORA or resilience requirements most recently.

So maybe back to your question, how can that third-party vendor have an impact on your resilience? And it’s really straightforward, whether it’s a critical or non-critical service, if your vendor can’t supply that service and if that service impacts on your delivery, then your resilience is compromised and understanding that is really what’s core to resilient organisations and arrangements, and it’s not only the long-standing outsourcing arrangements that need to be considered, it’s much more broad and it’s important that when you’re looking at those relationships with the vendors that you’re engaging with, that you consider things like the chain outsourcing and maybe any lack of visibility that you might have through the chain. So we’re very comfortable with third parties, but what about the fourth, the fifth, the sixth party that’s involved in delivering the service for you? What happens if something goes wrong there? And very often, through that chain of sub-outsourcing, you may not even be aware of that provider until it’s too late. I think it’s important also to consider things like the potential for reputational damage and negative associations, though, notwithstanding the fact that you may have done all that you can in the context of your oversight of your outsourcing arrangement.

Nevertheless, if there’s a disruption and there’s an outage of service or there’s an impact on your operations, you can erode the trust and confidence of your clients and that can happen quite quickly and have quite long-lasting effects and we’ve seen that and discussed that in our other video series. And I think moreover, I think particularly in the context of resilience and developments over the last number of years, we’re becoming more conscious of concentration risk and what that might mean for our financial services providers, so we know that there’s a number of industries that are quite concentrated, particularly around technology and cloud services. It’s not practical for firms to have multiple providers offering those services to their operations but it is important that we think about what happens if there is a significant operational issue with a provider that is in a concentrated area. How do you mitigate for that? How do you prepare for those kind of impacts as they may arise? They’re really important considerations when you’re considering the risk assessment phase of the work that we all have to undertake when we’re thinking about a third-party relationship. And really Ian, I think this goes to the importance of that risk assessment, and the due diligence at the outset, that a regulated firm is looking to complete but also that there’s kind of an enduring and an effective due diligence on an ongoing basis, because realistically, what is of benefit to firms is if we have a no surprise basis in terms of our outsourcing arrangements.

Ian Duffy

Yeah, I think that’s absolutely right Denise. I think, you know, even before you start focusing in on the specific service provider from a diligence perspective, it’s important to take the steps to understand the nature of the services that you’re looking to procure and how that interacts with your operations more generally. I think when you’re talking about the nature of the services that you’re looking to procure, a key factor or a key consideration there is, well, is the service that you’re looking to procure a critical or important service? And that will be an important factor when it comes to trying to think about what are your regulatory obligations that will be applicable to those services, so will things like DORA be relevant? Will things like the CBI operational resilience guidance be relevant? Will potentially the CBI outsourcing guidance be relevant? And once we understand that, we have a good baseline then to figure out well what are the rules and requirements we need to think about here from a resilience perspective and more broadly, when we’re procuring these types of services and from there, once you’ve done that, you can start to turn your attention a bit more towards the service provider itself and start to think about how you go about diligencing them to get the assurances you need that they can deliver those services in a way that’s operationally efficient and appropriate, and that’s also resilient and secure as well.

And when you think about the specifics of the nature of that diligence you’re trying to conduct, a lot of it really is just trying to get the assurance around their track record, around their ability to deliver the services. So does the provider have the expertise, the experience, the resources to deliver those services? Also, as I touched on already, you want to ensure that they can give you assurances in relation to their ability to deliver them in a way that’s operationally resilient and that’s secure, and in that regard, you might want to look for confirmation, for example, that the provider is certified ISO 27001 or perhaps other NIS standards, and to the extent that you can get any assurances around their track record of minimising operational disruption for their clients and their ability to effectively respond to that as well, that will be helpful too. And once you’ve conducted all of that diligence, you’ve got comfortable with the supplier, you also need to make sure you’re comfortable with their service delivery model, and you understand how that’s going to be deployed and how that interacts with other functions that you’ll continue to provide in-house yourself, and with other services that you receive from other providers as well, so that you can start to map how those services will work and for example, you can figure out some of the interdependencies between those services and functions you retain in-house or services you receive from other providers. And of course, you know, all of that stuff that I’ve just discussed there Denise, ultimately has to be translated into a formalised regulatory and compliance framework. So could you give us a sense of some of the key aspects that we need to think about in this context?

Denise Murray

Absolutely, and I think with that regulatory compliance lens, there’s maybe three main considerations that are front of mind for me. So first is the risk management framework, the second being your vendor’s resilience and business recovery arrangements and the third piece really being the agreement, the underlying agreement that supports the outsourced activity. So if we take a look at the risk management framework, there’s a couple of aspects there. The first is whether you as the regulated entity, have developed the tools and the assessment capability to evaluate the third party in the context of the regulations that you just described or the guidance that we know is there and the evolving best practices, but also that it relates and that assessment, that it can relate to your business model, so it’s relevant to you, not just to the regulations. And then when we turn to the vendor, your assessment process has to be able to consider the information that the vendor has provided in relation to their resourcing, their risk teams, for example, but also their risk methodologies and their monitoring and measurement criteria. Ideally you want a vendor who has a similar risk outlook to the one that you have, where you can have trust and be confident that they’ll make risk-based decisions and take actions that won’t impact on how you deliver your service. That’s the risk framework considerations.

If we then look at the vendor’s own resilience arrangements and frameworks, there are some important requirements in the context of the regulations themselves. Really what we want to make sure is that the vendor is undertaking its own resilience testing and exercises. That it has had a recent business recovery testing process in place, that it has documented procedures and processes to support that or certainly you want confirmation that those are in place. And then some practical things, so is there a secondary site in the event that there’s an issue with the primary site where services are delivered from? How is data maintained? Are there backups being taken? And again, is there a regular testing plan for those fundamental, particularly data-driven services? And I think we also need to reflect on the Central Bank’s regulatory expectation that for bigger and more substantive vendors, you should be engaged in their disaster recovery plans, you should be a party to that or be involved in that, and that you certainly have the right to do so in the context of your agreement and where you deem it necessary, particularly for critical services and the delivery of those.

And then, as I said, to that third point around the assessment process, there’s a lot to be gained from the engagement that you have in the first instance with the vendor in negotiating the terms of the relationship that you’re going to have for the ongoing provision of services. So whether there’s opportunities to engage in the context of the reporting that you’re going to receive, the key performance indicators, the notification process and escalation processes. They’re really good indicators because you want that to support your own firm’s responsibilities around RTO and an RPO and impact tolerance objectives and we know that, for some of the more dominant service providers and some of those industries we mentioned already, it can be very difficult to get anything other than the templated contracts and SLAs and in that instance, really, it’s got to be about the firm making a determination as to whether they’re comfortable with the assurance that they’re going to receive in relation to those standard agreements or whether they need to look at alternative providers.

Ian Duffy

Yeah, absolutely Denise and I think that last point feeds nicely into you know something we’ve kind of skirted around a bit but maybe haven’t talked about as much thus far is the contract, right? So once you’ve actually done that piece around the type of diligence you need to carry out, you’ve put in place your oversight and monitoring framework so you’re comfortable that you have what you need there to effectively oversee the vendor, you still need to fundamentally ensure that you have a contract in place that gives you the assurances you need from a regulatory compliance perspective and also, you know, from an operational and commercial perspective too. When it comes to, you know, first steps in that regard, I think one of the really important things that needs to be done there is to actually classify these services, so what are they from a regulatory perspective? Are we talking about critical ICT services under DORA? Are we talking about non-critical ICT service providers or services under DORA? Are perhaps we talking about critical outsource services? Because I think fundamentally understanding that will help us figure out, well what is it that we need to put in our contract for regulatory compliance?

    And of course, it’s also possible that none of these are relevant and the classification is that none of the foregoing will apply but fundamentally, figuring that out will give us our baseline in terms of what are the types of provisions we need to include here so we comply with relevant regulatory requirements in this space and of course, as we’ve already touched on, there’s then lots of operational and commercial aspects to the contract that will need to be addressed too. But once you have that contract in place, and like you’ve touched on already Denise, there is that ongoing monitoring and the oversight piece, and that is really, really fundamental and important and like you’ve touched on, having that sort of regular cadence of governance meetings and ensuring that you’re getting the reporting and the information you need from your key service providers will be really important in terms of having visibility, that the services are being delivered as they should be, that they’re stable, that there’s no obvious operational issues and ultimately that feeds into you having assurance as to the resilience profile of the service providers that are important to your business as well, but look, we all know even with the best and most robust contract in place and with having a thorough and effective oversight and monitoring regime that is applied in practice, things still go wrong.

    Problems arise. There can be operational disruptions and we need to be aware of that and we need to be prepared for that, as well, because there is an air of inevitability to that. So, I guess in that sort of scenario, when something bad does happen, there is a significant operational disruption. In the first instance, you’ll want your third party service provider to tell you about it, right? And you’ll want to make sure that they’re providing you with the sort of assistance and information that you require and you’d reasonably expect and ultimately, all of that should be baked into your contract. They should have that obligation to notify you and to assist you, but, as you know well Denise, it’s not as simple, you know, as you get your notification and that’s it, and you get a bit of information and you’re all done. There are other factors we need to think about when operational disruption does actually happen, both before and after the event and maybe you could talk to us a bit about that?

    Denise Murray

    Yeah, you’re absolutely right and communication is core and critical but it doesn’t end there and I think it’s reasonable to expect your third-party vendor, your third-party outsource provider to have medium and long-term plans and they may evolve as the crisis evolves because often you kind of have to respond as the issue develops but they should have those plans in place if possible but, very evolved as the issue continues on, particularly if the resolution of the issue is going to take a little bit longer than expected, or indeed, it’s a more severe event that might require some reformatting or reorganisation of the way the services are being delivered. I think we’ll all expect tactical workarounds when an issue arises and communication around that, clearly important, and that’s okay in the short term but I think as we move on beyond the short term, tactical solutions won’t work on a longer term basis so I think the third parties then, again need to demonstrate that they’re assessing the situation to determine the next best thing to be done, or the next plan and the appropriate steps to be put in place, and that might mean even considering their own subcontracting, so if there’s a fifth or a sixth subcontractor, it may be important to exit some of those relationships and re-establish them.

    So again, ensuring that’s a consideration becomes really important in those scenarios, and then I think we really do need to think about the types of resilience events, and that, you know, we should be expecting our third parties to conduct those really detailed “lessons learned” exercises after there has been an event. Often we get to the finish line and think it’s done. There’s a huge amount to be gathered from those exercises post-event and ensuring that appropriate steps are taken. Maybe new KPIs are put in place or new controls are established, and again, that demonstrates the ongoing due diligence and oversight process as well that when an event has happened, your next due diligence will incorporate some consideration around that, and I think after all, we have to remember that this cycle of outsourcing is an ongoing and evolving process, because not only will the vendors change and issues arise, but also the entity outsourcing will perhaps change during its lifetime, so it’s important that at onboarding but really particularly on an ongoing basis, that there’s a real kind of considered view given up to the relationship and the requirements of that relationship to ensure that it remains fit for purpose.

    Ian Duffy

    Yeah. Yeah absolutely Denise. And I think, look, when we talk about third-party service providers, and resilience, I think it would be remiss of us not to talk about intragroup services agreements as well, because the Central Bank has been very clear that, you know, that level of robust oversight and monitoring in relation to third-party service providers and third-party services agreements equally applies in the intragroup context as well. So the same high standards will apply but nonetheless, there are additional considerations that are worth bearing in mind and taking into account when you’re thinking about intragroup services agreements in a resilience context. So can you perhaps speak to some of them, please?

    Denise Murray

    Yeah, absolutely. I’m going to give you four kind of areas that I think of when I think about that kind of intragroup relationship. The first is around local oversight and ownership of an intragroup arrangement, which may sound odd because typically we think of our groups as being one family but in the regulations, I think we need to ensure that where there are established centres of excellence, and we see that particularly around HR, finance, technology sometimes. Those arrangements need to be treated in the same way. We know that from the regulations. So at a fundamental level, there needs to be an agreement, there needs to be an SLA that needs to be documented and there needs to be reporting, so even though it’s within group, there needs to be reporting coming across into the local entity, and that there is some form of formal oversight discharge so again, the ongoing due diligence is performed, and that there isn’t a lesser standard to the point that you’ve just made for an intragroup arrangement. And again, we know the regulations are ever-evolving and there may be some forbearance coming in the context of what those intergroup arrangements look like or what the oversight of them looks like in particular but we’re not there yet so we have to operate within the context of the regulations as they are today. Secondary is around conflict of interest and we know within group structures that we have the local chains of command, but we often have matrix reporting as well for individuals. Our organisations are good at documenting where there could be potential for conflicts and looking to mitigate those but I think it’s important to give consideration to under stressed circumstances, how some of those arrangements may manifest themselves and whether a conflict could actually be heightened in the context of a resilience event where perhaps an individual may be maybe torn in different directions in the context of that matrix reporting so, an area to demonstrate our evolving thinking around our outsourcing arrangements. I think it goes without saying that autonomy is probably the third item that I’d raise because all regulators in each jurisdiction will want to see that their local entities can demonstrate their autonomy in the selection, the appointment, the review, and the oversight of vendors, and in the decision making around that so we can’t ignore that step of selection process evaluation and then appointment of a vendor. And then finally, I guess it’s exit planning, which again can be quite tricky in the context of a group arrangement but nevertheless it’s important that it is considered, it’s documented, and that there is some meaningful evaluation of how or when, there may be a decision taken to exit a group relationship and often, I think we need to think practically because sometimes it’s the bigger arrangements that we think of first but actually it might be smaller arrangements that you may have had with group and have moved since or moved from an external to a group and that might give you just some useful areas to examine in terms of answering that particular question. Just a final point though before leaving that, I said four but I’m going to give five. I think it’s important that we talk about the principle of proportionality, and that it really is not a defence in the context of your third party arrangements and particularly when you’re on an intragroup basis so, the proportionality of you within the local environment or within your group won’t offset that you’ve complied with the obligations more fulsomely.

    Ian Duffy

    Okay, that’s great. Denise, thank you very much, and thank you to all of our listeners online for listening in today. Separately, we’ve developed a resilience playbook that’s available on our website, that sets out some more information on some of the topics we’ve discussed today, and provides some further practical insights and information in relation to resilience for regulated firms, so please do feel free to check that out on our website, and please also feel free to contact myself, Denise or your usual Arthur Cox contact for more information on any of the topics we’ve discussed today. And thank you again for listening.