LSEG Operational Resilience

LSEG is a global financial markets infrastructure and data business, and operational resilience is at the heart of everything it does.

We are committed to employing an effective and comprehensive operational resilience function in order to ensure we have all relevant resilience strategies, systems and processes in place to maintain our trusted reputation within global financial markets.

Our operational resilience function governs and contributes to managing operational resilience risks across our global enterprise. We recognise the importance of operational resilience. We are designed for resilience, strive to minimise impacts, and are prepared to recover our important business services (IBSs) within impact tolerances, reducing harm to our external stakeholders and maintaining the stability of the financial markets.

We have specifically established an operational resilience framework based on industry accepted standards and regulations (such as the Bank of England’s Policy Statement for Central Counterparties (March 2021) and the FCA Policy: Building Operational Resilience (PS21/3 March 2021)). We are committed to following best practices designed to position any organisation, regardless of size, industry, or nature, to implement, maintain, and continuously improve upon its operational resilience capabilities. Following these standards and best practices also offers us the ability to protect against, reduce the likelihood of, prepare for, respond to, and recover from disruptions whilst remaining within our defined impact tolerances.

Our operational resilience function oversees our preparedness efforts and governs enterprise-wide compliance with LSEG's Operational Resilience Framework and Policy. The operational resilience function provides the required management and counsel on managing operational resilience risk to all IBSs to ensure activities are implemented and monitored across all IBSs.

The outputs of the Third-Party Response Statement should be reviewed and updated at a minimum on an annual basis.

Our approach

Important business services 

We have identified each IBS using a robust approach, which the businesses use to identify business services and prioritise those that have the greatest potential to cause harm. This process aims to increase operational resilience by enabling LSEG to consistently articulate its business services and assess the potential harm that a disruption could cause to its external stakeholders and the markets in which it operates.

When looking at end-to-end important business services (IBS) mapping, we identify and capture all dependencies across all important business services. This includes any critical internal processes. 

Additionally, we have identified a set of controls and metrics across each of the dimensions in order to ensure the operational resilience of the IBSs.

Impact tolerances

Impact tolerances are defined as ‘the point at which a disruption to an IBS would cause intolerable levels of harm to external stakeholders or risk to market integrity’. We have set impact tolerances for all of our IBSs, as required by the regulators.

The impact tolerance includes a defined level of service activity that is required within a period of time, which, if not met, would result in a level of harm to the consumers, the market integrity, or firm viability that exceeds a tolerable threshold. The impact tolerance statement is unique to the LSEG businesses, service users, third parties and markets related to that IBS.

To ensure we can recover within set impact tolerances, the business conducts severe but plausible scenario tests for each IBS on an annual basis. If required, the business is committed to making the investments necessary in order to operate consistently within the set impact tolerance.

Scenario testing

Scenario testing is performed across all IBSs and all dimensions (people, data, cyber, technology, third-party, and facilities) in order to ensure we can recover our IBSs within their impact tolerances, and to help identify gaps that will need to be remediated to help meet the impact tolerances. The scenarios include management of risks to the firm’s ability to meet its impact tolerances. The scenarios are subject to regulatory oversight.

The group’s severe but plausible scenario library includes a set of scenarios for each dimension. This includes, but is not limited to, geo-political issues, cyber scenarios, loss of critical suppliers, loss of infrastructure scenarios, and unavailability of colleagues for reasons such as a pandemic.

Scenario testing is undertaken at both the business level and the group level. The scope of scenario testing covers all IBSs and all dimension scenarios. Although known gaps will influence priorities, testing occurs across all resource dimensions to build a complete view of capabilities and to ensure testing expertise is developed in all areas. Scenarios are relevant to the business, proportionate to the size and scale of the service, and have a clear trigger and articulation of impact and scope. Additionally, scenarios are tailored to the IBS being tested.

Business continuity

At LSEG, we take a group-wide, holistic approach across all business services, reflecting the holistic nature of business continuity and operational resilience. We are committed to ensuring continuation of all IBSs, and their functions and processes, through an effective and comprehensive program of business continuity planning.

Central to our business continuity planning are requirements for each IBS to develop, maintain, and test business continuity teams and plans. Investment and remediation actions made to improve resilience for an IBS strengthen business continuity plans. The plans develop, support, and demonstrate each IBS's strategic and operational goals and external stakeholder requirements in order to ensure their protection during a business disruption.

Operational risk

We ensure that operational resilience risks to the delivery of IBSs, and the critical processes and resources that these depend upon, are understood and can be recovered within agreed impact tolerances following an operational disruption.

Operational resilience is an outcome that results from effective management of operational risk. We have a number of capabilities to manage operational risk currently, such as, but not limited to, physical environment management, cyber management, incident management, change management and third-party management. We have an operational resilience policy that includes existing operational risk management requirements, procedures and processes. 

At LSEG, the teams and individuals working within each IBS are committed to and responsible for maintaining the resilience of their services, for the purposes of being able to prevent, adapt and respond to, recover and learn from operational disruption. The operational resilience risks that have the potential to impact operations within IBSs continue to evolve, and we endeavour to stay current and in line with industry best practices, financial regulations, and the recommendations of the business communities in which we work.

Digital Operational Resilience Act (DORA)

DORA is the European Union’s Digital Operational Resilience Act, the final text of which was published in December 2022 by the European Parliament and the Council of the European Union.