The Board of the International Organization of Securities Commissions (IOSCO) is requesting feedback on the lessons learned regarding the operational resilience of trading venues and market intermediaries during the COVID-19 pandemic.
In the Consultation Report, "Operational resilience of trading venues and market intermediaries during the COVID-19 pandemic", published today, IOSCO describes the impact of the pandemic on trading venues and market intermediaries (regulated entities). It concludes that these regulated entities largely proved to be operationally resilient and continued to serve their clients and the broader economy, despite unprecedented challenges, such as the restrictions on mobility and business operations and periods of extreme market volatility and record trading volumes. The pandemic also increased cyber security risks, accelerated the use of existing, new and emerging technologies and disrupted outsourcing arrangements.
The report defines operational resilience as the ability of a regulated entity to deliver critical operations through a disruption. The resilience of trading venues and intermediaries during the pandemic can in large part be attributed to work conducted in this area. The existing IOSCO operational resilience principles, recommendations and guidance provide the core structure for regulated entities and regulators when considering operational resilience, and the findings in this report suggest this framework has worked well.
However, the pandemic has highlighted opportunities to learn lessons on how to further improve regulated entities’ operational resilience. The report therefore sets out some observations and identifies lessons learned from the pandemic to help inform regulated entities’ future operational resilience arrangements:
(a) Operational resilience means more than just technological solutions; it also depends on the regulated entity’s processes, premises and personnel;
(b) Consider dependencies and interconnectivity before and after a disruption to adequately assess potential risks and changes to controls, especially for service providers and off-shore services;
(c) Review, update and test business continuity plans to ensure they reflect lessons learned from the pandemic, such as the prolonged nature of the crisis and its impact on multiple locations, as well as the implication of remote/hybrid working;
(d) An effective governance framework facilitates and supports operational resilience during novel or unexpected situations;
(e) Compliance and supervisory processes with greater automation and less dependence on physical documents and manual processes may better accommodate a remote workforce. A review of monitoring and supervision arrangements by regulated entities for remote workforces may be appropriate to help ensure continued effectiveness in a remote or hybrid environment; and
(f) Information security risk – Decentralized and remote work may increase the importance of monitoring processes to help ensure information security and prevent cyber-attacks.
The report also acknowledges that as the next phase of the pandemic evolves, new events may further inform operational resilience considerations.
IOSCO requests feedback on these observations and possible lessons learned regarding operational resilience during the pandemic. The deadline for comments is on or before 14 March 2022.