
16 March 2023

Navigating and planning for disruption: Thoughts from FinTech North

What is FinTech North? 

FinTech North brings together the FinTech community in regular events to share ideas, challenges and best practices.  

The Operational Resilience Forum was FinTech North’s first standalone event of the year and discussed operational resilience from several perspectives, providing guidance to financial services organisations on how to mitigate risk and the importance of having robust strategies in the event of disruption. 

The event brought together experts in the industry, including Wayne Scott, Regulatory Compliance Solutions Lead at NCC Group, who spoke about NCC Group Software Resilience and the importance of stressed exit planning. 

 

 

Why do organisations need a stressed exit plan? 

No organisation is immune from risk. That is why building resilience is the first step towards true business continuity. Protecting against supplier failure, service deterioration and concentration risk is a key aspect of what is known as stressed exit planning. It involves planning how to protect an organisation’s business critical components, ensuring it can still function despite such risks.  

What would disruption look like? 

Take the 2021 Ever Given incident at the Suez Canal. The ship ran aground and caused monumental supply chain disruption. The ripple effect of the event was costly, as £3bn of cargo passes through the canal each day. Delivery delays were estimated at £1bn, and the incident led to 285 ships being immediately delayed, with another 175 having to wait an additional three days to pass through.  

The Suez Canal incident is not the only example of supply chain failure and the detrimental effect it can have. It is an obstacle that organisations face very frequently – and not all organisations are sufficiently equipped to manage such ramifications.  

Watch Wayne's full keynote speech

What are the challenges when creating a stressed exit plan?

Despite the importance of stressed exit planning, many organisations can still struggle to create effective and resilient processes. There are a number of common challenges that we often see:

  • Some financial institutions don’t have the necessary third-party risk management skillset in-house.
  • A continued focus on cyber security, rather than non-cyber risk and operational resilience. Part of ensuring the resilience of software is making plans on how to transition to another supplier or system should a current contract come to an end or be terminated.
  • A failure to assign ownership of “supplier failure”, “service deterioration” and “concentration risk” at the highest level and outside of cyber.
  • A widespread assumption that new regulation requires a new solution. Escrow agreements have been in use for decades and offer a useful solution to stressed exit planning.

This isn’t a complete list of the issues NCC Group Software Resilience has encountered, but these are some of the most significant.

How do you create a stressed exit plan?

Stressed exit planning can seem challenging at first glance. That is why it is important to understand what risks your organisation faces, and what actions it needs to adopt in order to build resilience. The key component, however, is that the plan must be demonstrably successful and should stand up against scenario testing.

To build a robust plan, organisations should first establish the legal right to access and use business-critical information. Escrow agreements have been suggested by regulators, such as the Bank of England, as an option which organisations should actively consider. Software escrow agreements are a critical component of the temporary stages of every successful stressed exit plan. They create a robust foundation for the plan by forming a legal arrangement in which a third party holds and regulates the transfer of assets or information between two parties. This ensures that all organisations are protected and that the information can be accessed in the event of a stressed exit. Escrow agreements and associated verification services are one of the only ways to always guarantee the protection of business-critical information.

The second step in creating a successful stressed exit plan is knowledge transfer. This involves ensuring that all key personnel have access to the information and resources needed to continue operations in the event of an exit. Organisations must then subject the stressed exit plan to scenario testing to ensure it is demonstrably successful and to identify any weaknesses or areas that need improvement. The process, Wayne emphasised, allows organisations to mitigate against their own failure.

What does NCC Group expect to see in the next three years?

Regulators are bringing in changes to ensure operational resilience, including the recent Financial Markets and Infrastructure supervision brought forward by the Bank of England or the Digital Operational Resilience Act. These are only a few examples of the worldwide movement towards greater regulation, which is forcing organisations to demonstrate their resilience against operational disruption.

Looking to the future, several trends are expected to shape stressed exit planning. These include the standardisation of deployment processes, an increase in investor due diligence, additional regulations being applied to cloud providers and other critical third parties, and being ‘resilient by design’: the idea that resilience is embedded into systems and processes from the outset, rather than after the fact.

Stressed exit planning is critical to organisational resilience and is something that needs to be prioritised - no matter the size or sector. By establishing legal right to access and use business critical information, transferring knowledge, and testing scenarios, organisations can create effective stressed-exit plans that will help them navigate disruptions and continue operations. As the world becomes increasingly reliant on digital technology, it is more important than ever to be prepared for the unexpected.

To find out more, read about the event here.

Looking to learn more about the regulations affecting the UK's financial institutions?

Watch our on-demand webinar: PRA SS2/21: One Year On
