Hot on the heels of the FCA’s consultation proposals for improving larger firms’ operational resilience, CP 19/32, the FCA has published an assessment of how asset managers use risk modelling and portfolio management tools. The 10 firms visited varied in terms of size, scale, operating models and asset classes.
Linked to its work on technology and cyber resilience, the FCA wanted to assess how asset managers select, use and oversee the tools and models they use, how firms identify and manage relevant risks and their capability to respond to system failures or service interruptions. Amongst good practice, the FCA identified problems in processes and controls, particularly in risk model oversight and contingency planning.
The FCA is concerned that a significant technological failure could cause serious consumer harm and, if it impacted a large enough group of asset managers, this could also damage market integrity. It’s a reminder that operational resilience is a matter not just for the large firms and, remember, there are no detailed rules in this space – it’s about standards and outcomes.
What does the FCA think matters?
Strategy – whether adopting a single provider, multiple providers or in-house systems development, firms should consider strategy and the resulting trade-offs for functionality, maintenance, competitiveness and resilience. Many firms told the FCA of their belief that investment consultants and other intermediaries expected them to be using these tools, a signal the FCA took to suggest firms were not always fully committed to them.
Resilience and Recovery – Firms had not given enough consideration to different lengths of outages and the critical role of Portfolio Management tools and associated services. Maintaining the necessary fall-back was considered “prohibitively expensive” or practically challenging due to weaknesses in the frequency, timing, synchronisation and storage of data back-ups.
Upgrades and patches – The FCA identified a tension between the need to quickly implement necessary change and the desire to test fully, and found that firms were not always confident when they could pass financial liability on to their provider. Some relied on the testing by the vendor without a clear understanding of how these tests matched up with the way they used the software.
Vendor Management – end user involvement helps assess the impact of service quality issues and improve risk categorisation of the provider, oversight priorities and resilience planning.
Model Governance – Model governance can be challenging due to the difficulty in building and retaining technical expertise. Sampling of model development and use may be too limited to provide robust assurance. Triggers or circumstances which might allow portfolio managers to amend or overrule model outputs were not always well-defined or clearly documented.
Replacing systems – The length of some vendor relationships was less a positive endorsement of the provider than the delays, cost overruns, data migration issues and testing challenges associated with change. Business analysis, detailed gap analysis, bringing change programme contractors in-house and parallel running were observed as mitigating such risks.
Where from here?
The FCA plans to continue to look at the operational resilience arrangements at other asset managers. Its suggestion that the first line be more involved in the development and the subsequent review and testing of resilience arrangements, and the position it takes on user involvement in vendor management relationships, suggest the FCA saw a disconnect between operational resilience planning and the continuity of front-line service delivery. It’s somewhat surprising the FCA chose not to play the senior manager responsibility card, but still it would appear that senior managers of asset managers should be considering the stability, the security, the suitability and the controls around the portfolio and risk management tools they use.
For further information or assistance with understanding and benchmarking to the FCA’s expectations, contact us.