Closing the Gaps: Addressing ASIC's Resilience Rules

The discussion around resilience has been ongoing, but the time for action is now. ASIC has made it clear in their latest communication: firms are falling short on resilience, and their standards are tightening. Both ASIC and APRA are now holding firms to account for their operational and technological resilience, and the time for complacency is over.

As outlined by ASIC in their recent letter to market participants on 17th September 2024, identifying and managing critical business services is a non-negotiable priority. The review found too many firms are treating resilience like a “set-and-forget” exercise, relying on outdated frameworks or incomplete risk assessments. This approach is no longer acceptable, and ASIC is pushing for proactive management, rigorous testing, and detailed documentation of business continuity plans.


OCG has been at the forefront of this impending regulatory shift. In May 2024, at the Stockbrokers and Investment Advisers Association (“SIAA”) Conference, James Dickson, Managing Director of OCG, spoke on managing risk for profitable growth. Dickson emphasised that resilience transformation and business continuity planning “cannot just be a tick in the box exercise”, proposing that market participants should instead consider a holistic approach:

  • How does your understanding of regulation relate to your policies and then to your procedures? 

  • How does that then relate to testing regimes for risk teams? 

  • How is that set out in a way that is traceable, actionable and auditable?

Firms are expected to assess their critical business services and subsequent systems, determining which are critical to their operations and ensuring they’re fully prepared for potential disruptions. ASIC's latest review has revealed significant gaps in how firms identify these services, with some firms relying on inadequate contingency measures or failing to account for the impact of disruptions on clients, third parties, and the broader market.

ASIC continues to urge firms to move beyond superficial reviews and take a thorough, holistic approach—everything from trading operations to third-party dependencies must be scrutinized under ASIC Market Integrity Rules (2017). 


Key Areas Where Firms Are Falling Short:

1. Improper exclusion of critical services

Some firms are excluding services simply because they aren’t core to their day-to-day operations. ASIC expects all services, especially those like real-time trade surveillance, to be included.

2. Overreliance on contingency plans

Having a backup plan doesn’t mean the service isn’t critical. ASIC has seen too many firms using this excuse, but contingency plans can fail too. Firms must build resilience from the ground up.

3. Poor documentation and oversight

Firms must be able to demonstrate how they’ve identified their critical services, and they need to have strong, centralized records. Leadership must be directly accountable for resilience.

4. Outsourcing risks

Firms outsourcing critical services must have clear oversight and assurances that their third-party providers have robust continuity plans in place.


The message from ASIC is clear: their expectations are grounded in the Resilience Rules (Chapter 8B of the ASIC Market Integrity Rules) and anything short of these standards is unacceptable. For any firm lagging behind, it’s time to act—and fast. 

At OCG, we have the expertise to help firms meet these standards. We know what’s required, and we’re ready to assist clients in closing any gaps. The time for preparation is over—the reality of ASIC’s expectations is here. 

Whether it’s conducting a full review of critical business services, ensuring compliance with ASIC’s Resilience Rules, or strengthening business continuity plans, OCG can help. OCG provides a pragmatic, functional and effective approach to transforming risk in financial services firms.

Reach out to stay compliant and resilient in today’s regulatory landscape.


