Business ServicesMay 16, 2024

Virtual Twins: Pioneering Operational Resilience for Future-Ready Financial Services

Discover the regulatory landscape of financial services and how companies can use Virtual Twin to stay ahead of competition
header
Avatar Solenne LACOSTE

How do Virtual Twins drive regulatory compliance in Financial Services?

In our previous blog, “Virtual Twins: Not Just for Manufacturing Anymore”, we introduced the concept of the virtual twin of a service or a financial product, such as an insurance policy or a bank account, where data & processes, rather than physical products, are what you model. These virtual twins offer the same benefits in understanding complex operational ecosystems and their upstream and downstream dependencies as twins of physical products do.  They also enable organizations to see overlaps, vulnerabilities and to be able to drive efficiencies. In this blog, we will explore the role of virtual twins in regulatory compliance

Global regulators are converging around the need for financial service companies to go beyond “Disaster Recovery” or “Business Continuity”.  Now they are requiring firms to ensure they are operationally resilient.  Of course, the regulations vary a bit by jurisdiction, but they all require firms identify important business services (e.g. bill payments or claims processing) and critical third parties, and share regular reporting to the regulators around their resilience.    

Let’s take a closer look at the current regulatory compliance landscape:

  • In the UK and US, the regulation is called Operational Resilience

Zoom UK: What are the requirements of Operational Resilience in the United Kingdom?

The UK has set Operational Resilience requirements to encourage companies to better prepare, respond and adapt to possible disruptions. The key components and deadlines of Operational Resilience in the UK are:

  • Identify important business services. Which services, if disrupted, could cause severe damage? (Deadline March 2022)
  • Set impact tolerances for each important business service for “severe but plausible” disruptions.  (Deadline March 2022)
  • Carry out a mapping exercise that includes people, processes, technologies, facilities and third parties that are critical to each important business service.  (Deadline 2025)
  • Carry out appropriate scenario testing for each important business service to assess whether they remain within the impact tolerances set.  All tests must document lessons learned and any updates made as a result.  (Deadline 2025)
  • Complete the Operational Resilience Self-assessment documentation as required.  (Ongoing)

Zoom US : And just recently, the Office of the Comptroller of the Currency in the US,  emphasized the importance of Operational Resilience at the International Bankers Annual Washington Conference1.

  • In the EU, the regulation is called DORA (Digital Operational Resilience Act). 

What are the 5 pillars of DORA?

  • ICT (Information & Communication Technology) Risk Management & Governance
  • Incident Reporting
  • Digital Operational Resilience testing
  • ICT (Information & Communication Technology) third party risk
  • Information Sharing

Regulators in Canada, Australia and other regions are also prioritizing regulations like DORA.

By using virtual twin technologies, large, complex organizations can meet the regulatory obligations of Operational Resilience:

  1. Model the entire operational ecosystem to identify important business services and dependencies
  2. Stress test the model for severe but plausible disruptions
  3. Identify gaps and vulnerabilities before they occur in production
  4. Mitigate potential risks in production to ensure resilience

How will you meet the requirements of Operational Resilience/DORA regulations?  

Operational resilience has garnered considerable attention as of late, driven by various regulators in the finance and banking sectors. However, a 2023 survey conducted by the Business Continuity Institute (BCI )2 shows significant growth across all industry sectors. More than three-quarters (76.6%) of surveyed organizations reported that they have an operational resilience program in place or are actively building one.  Of these, only 40.6% were banking and finance organizations.

Where operational resilience programs are in process or in place in financial services, they are a top focus. The survey found that of those banking and finance organizations with operational resilience programs, over 87% cited regulatory compliance as the primary driver. Because of the regulatory focus, over 48% of firms surveyed had Operational Resilience efforts being led by senior management (22% CEO, 14% Executive Director and nearly 13% Chief Operations Officer).

Regulators are going to require firms to test and report on their resilience.  With a virtual twin of the operational ecosystem, a bank or insurer or investment management company could easily respond to regulatory queries like:    

Q1.: How do you assess and mitigate the potential for a cyberattack on one of your processes, applications or servers? 

A:  A virtual twin provides traceability across the entire ecosystem so you could see the services impacted immediately and over time. Organizations can simulate attacks to any aspect of the ecosystem within the virtual twin to predict and prevent the impacts of cyberattacks upstream and downstream.      

Q2:  What is your protocol for a failed data feed or third party process failure?  How do you assess and mitigate the impact? 

A:  Virtual twins can capture dependencies and highlight down-stream effects quickly and easily. This would enable firms to create specific mitigation plans for each scenario.  Stress tests could be conducted and over time, failure mode effect analyses could be used to predict and prevent failures in the future. Financial Service organizations could begin to ask their providers (ICT’s and others) to provide scenario tests and analytics so they might need to implement virtual twins as well. 

Q3:  How do you handle urgent upgrades or patches?  Ones that can’t wait for a weekend?

A:  Test the patch or upgrade in the virtual twin to identify any potential service interruptions before putting it into production. A comprehensive, updated virtual twin helps eliminate down time and the risks that come with it.      

Q4: How do you assess and integrate new business acquisitions or new processes while minimizing impact to the broader organization?      

A: Use the virtual twin to model the new business/process and identify dependencies, overlaps or gaps. The virtual twin can be used to identify operational efficiencies and risks using a model based systems engineering approach or MBSE. This drives a more holistic approach to the mapping processes already used in financial services such that all critical components and dependencies are captured to be able to run simulations.

Moreover, in addition to using virtual twins to meet regulatory compliance obligations, financial organizations can use virtual twins to drive operational efficiencies.  Virtual twins can be used to help eliminate down time, streamline upgrades, system integrations and patches.  Virtual twins are also a key to cyber security; enabling firms to see and test likely targets for cyber breaches to mitigate those risks.   

Virtual twins are not just for physical products.  They can be used to model any complex system and align key stakeholders.  They are powerful tools for engagement and collaboration; imagine being able to “show” your board or senior management what happens in a cyber-attack or some other “severe but plausible” disruption scenario.  A virtual twin is intuitive and accessible to any business user; no engineering degree is required.   Business owners across the organization could access the twin to trace relationships and inter-dependencies and instantly understand how their particular business works, and what it depends on and how it impacts other business silos.     

The financial company of the future is the one that understands the power of a virtual twin and leverages that power to be compliant with new regulation and stay ahead of the competition. 

Employees working on a virtual twin of a bank

Source: “Acting Comptroller Discusses Operational Resiliency” – News Release 2024-23 by Office of the Comptroller of the Currency

2 Source: “Latest BCI report shows significant growth in operational resilience uptake” by BCI


Taherah KUHL, Vice President Business Services Industry, Dassault Systèmes

Taherah has worked at Dassault Systèmes for the past 7 years. Focused on the Financial Services & Logistics industries globally, Taherah is responsible for driving the industry strategy and vision. LinkedIn profile

Stay up to date

Receive monthly updates on content you won’t want to miss

Subscribe

Register here to receive updates featuring our newest content.