Resiliency by design

Head of Client Engagement for Technology, Stephane Lubenec, joins Alan Cameron to discuss why resiliency is no longer the preserve of BCP teams and how it must reach all corners of an organisation.


AC: I am Alan Cameron and this is a Thinking Aloud podcast brought to you by BNP Paribas Securities Services. In these podcasts, we delve into the details of the post-trade world and in this edition I am lucky enough to be joined by Stephane Lubenec who is Head of Client Engagement for Technology at BNP Paribas Securities Services. Stephane is a very big rugby fan so I thought I would begin by asking him if he has recovered from Scotland’s triumph in Paris this year.

SL: No Alan, I haven’t recovered yet but the next time we play Scotland I think I will be recovering!

AC: OK, I hope you enjoyed it and you have always been very sporting about rugby, it’s not often we have a Scottish victory to celebrate like this! So, let me get into the details of this podcast and we are here to talk about resiliency. Can I begin by asking you Stephane, why do we hear so much about resiliency nowadays, why is it such an important topic?

SL: Resiliency for financial institutions has become a key topic, mainly because there are three trends out there that are pushing us in this direction. The first one is what I call our operational value chains are becoming increasingly complex. There are more actors, more fintechs, more technology and more what I would call layered outsourcing setups which makes the whole end-to-end process more difficult to maintain.

Then of course the second trend, we have the cyber threats that have never been as prevalent as they are today.

Finally, we have new digital technology which here is presenting a number of challenges, and as we will see, is also presenting some opportunities so it’s an interesting topic and clearly, the regulators have caught wind of this and are pushing financial intermediaries to strengthen their resiliency.

AC: It sounds like we are dealing with quite a complex issue here, how do we best organise ourselves to deal with technology risk?

SL: It’s a good question. So, we believe at BNP Paribas Securities Services that the foundation of what we do in terms of risk management and resiliency is our governance. Here the key principle is guaranteeing independent risk based decision making.

I am going to take an example here, our Chief Information Risk Officer, who needs to take sometimes difficult and unpopular decisions, reports directly into the Group, and then he reports on a dotted line basis into the Chief Information Officer at BNP Paribas Securities Services. This guarantees that he can take unpopular decisions when those are necessary. This is absolutely key and we have done this in a number of different areas within technology and also the broader organisation at BNP Paribas Securities Services.

The other thing in terms of our organisation, in the last five or six years we have strengthened our risk management department and here, an example that is quite important given today’s trends, is we have specifically reinforced third party oversight in the technology world because there are many new technologies, many new actors, fintechs and because more and more processes are being outsourced to those partners, our third party oversight in this area is absolutely critical and will be even more so in the world to come.

So, once again, it is critical to get the basics right and the structure and the governance right and then obviously there is a lot of work to do in the resiliency space once we have done that but we believe we are on the right track here.

AC: With Covid, we have all been thinking more and perhaps differently about business continuity. What are the key topics and themes in this area and has there been any real change?

SL: Typically, BCP, so Business Continuity Planning has to cover all the different possible scenarios catastrophes you could have. Typically those are loss of IT, loss of premises, loss of staff, loss of essential third party provider, and the list goes on. Those haven’t changed. I think what is key here is the overriding principle we have at BNP Paribas Securities Services is that no single activity can only be performed in a single location. We use our global footprint to ensure the redundancy of our operational and technological capabilities around the world. This has always been true but what is changing now is that technology is giving us opportunities to do more things and maybe do things differently. The best example of this is the Covid situation that we have been facing over the last 18 months. The technology has allowed us to have working from home capabilities that we didn’t have four or five years ago and we believe, and we are looking into a number of areas and opportunities, this is one area that is going to be changing our BCP setup but there are other things that we are doing within technology that are going to reinforce our business continuity strategy within BNP Paribas Securities Services.

AC: Thanks Stephane, can I ask you a little bit about the impact the digital revolution is having on this. Is it making organisations more or less resilient?

SL: That’s a very interesting question and I think the response to this is both. So on the one hand obviously with the digital revolution everything is opening up, our applications, in many cases, are now available to users outside of our organisation. Sometimes our applications can be hosted in data centres that are external to BNP Paribas. Sometimes we are accessing platforms that are run by other organisations so clearly this is presenting a number of challenges, these are typically cyber security challenges, data challenges, data confidentiality challenges, so that’s one side of the coin. The flip side of the coin is that digital technologies are presenting a lot of opportunity to improve our resiliency. Here I would like to give a couple of examples, there’s a lot of work being done using artificial intelligence to detect and anticipate risks and specifically incidents and technology incidents which would help deal with those incidents so there is a lot of work going on here. Another example is BNP Paribas, the Group is using AI (artificial intelligence) to analyse and detect abnormal behaviour of system administrators when they log onto servers and data centres. This is a way of limiting the risk of malicious behaviour or disgruntled employees. These are just examples but there are many other things that we are looking at in terms of using AI to improve the services and render them more robust and more resilient.

AC: To conclude Stephane, can I ask you are there any overriding considerations? What are the big considerations that we have to think about to improve an organisation’s resiliency?

SL: I think there’s two. The first one, which is really important is that resiliency needs to be built into our solutions by design. So everything we do when we are rolling out a new application, a new solution, a new product offer, we need to be looking at resiliency before the fact rather than after the fact. That’s the first thing. The second thing is that resiliency can’t be the sole responsibility of our BCP teams or our Chief Risk Officer, it needs to be absolutely everyone’s responsibility and to that end, BNP Paribas Securities Services is building a resiliency culture that permeates throughout the organisation.

AC: Thanks Stephane, so it sounds like we should think about resiliency early and we should think about it often. This has been an interesting topic Stephane, thank you for educating us about it. This has been a Thinking Aloud podcast brought to you by BNP Paribas Securities Services. Thank you for listening to it, there are many similar podcasts about post-trade issues available on our website.