Learning from the World's First Dinosaur Park

One of the my favourite dinosaur stories to read about was the tale of the Crystal Palace dinosaurs, and how those silly Victorians got them all wrong. The best tidbit was how they'd stuck one of Iguanodon's thumbs on its nose like a rhino. How stupid could you get?

Years later, I got the chance to go and see the dinosaurs in person, and immediately started boring friends and family alike with how they are a great metaphor for the need to be careful with how you analyse evidence to inform policy. In fact, it was so good, I was going to use this for a presentation to show how clever I am. I just needed an opportunity.

I'd been toying with the idea of using the story as a cautionary tale for Operational Resilience, but thought that I better refresh myself first. Which is when I found a great article from the Natural History Museum titled "The world's first dinosaur park: what the Victorians got right and wrong."

It turned out that I was not so clever after all. Again. Insight by insight, Dr Susannah Maidment, (who appears to be quite busy from today's Guardian article) demolished my happy assumptions that I'd built off the myths that I'd consumed as a kid.

The real story is much, much more interesting, and probably even more applicable to where Financial Services firms and FMIs currently are as a sector for Operational Resilience in terms of maturity.

It turns out that the Victorians didn't get everything wrong, and that in fact, they'd got some things right. Dr Maidment's central point is that at the time of construction, the Crystal Palace dinosaurs were as accurate as was possible based on the scientific data available.

Knowing that they were dealing with reptiles, they looked to extrapolate from what they knew about modern crocodiles and lizards. This helped them get it right about dinosaurs have scaly skin and their depiction of a four-legged Iguanodon was ultimately right despite misplacing the spiky thumbs.

The flaws in their depiction came from the limitation of this approach as they tried to fill in the gaps, combined with their use of analogy. There are lessons here for us on the limitations of continuing to rely on our existing knowledge and data sources when dealing with the novelty created by emergence from the complex adaptive systems that make up both organisations and financial systems.

With all the hard work that has gone into identifying important business services and their associated impact tolerance over the past two years, there are a lot of things that firms have got right about their understanding of where there can be impacts.

However, as I covered in the last newsletter our existing knowledge and assumptions are holding the sector back from progressing at the pace it needs to for the March 2025 deadline for full compliance. As I reflected upon then, this is particularly the case for impacts to financial stability - the most important but also most difficult to assess and manage.

I've very deliberately used the picture illustrating the article. It shows the difference between the Crystal Palace Megalosaurus and what palaeontologists now think Megalosaurus looks like. While the Crystal Palace Megalosaurus can only be measured in Absolute Units, given a choice, you'd take your chances with it rather than the real thing.

To push the impact tolerance metaphor to breaking point, you'd be in an awful lot of trouble if you've based your survival strategy on the Crystal Palace Megalosaurus and the historical dinosaur turned up.

I previously alluded to firms that haven't differentiated their analyses by impact to consider financial stability as being at risk of operating to false horizons. Its more than false horizons, though. The entire resilience strategy for how you prevent, adapt, respond, recover, and learn from a disruption depends on getting as close to what the actual impacts are likely to be.

Getting to these actual impacts is very challenging, and it is an imperfect process - much like how palaeontologists got to the right answers. They did not arrive fully formed. It took iteration and it took time. Unfortunately, firms and FMIs do not have the same length of time to play with, and I'm not sure it will ever be possible to get all the right answers.

This is because the way that end users consume important business services can change, the resources that firms and FMIs use to deliver those important business services are always changing, and the threat environment that firms and FMIs are subject to never stops evolving. Change is constant, and it demands a dynamic response.

The cautionary tale of the Hylaeosaurus sculpture may be a bit too on the nose as an example of what won't work for firms and FMIs. In the park, Hylaeosaurus faces away from visitors. It is suggested that this is because the sculptors couldn't model the face with its mouth, nose, or eyes because of the lack of skull material. (And here, I want to accuse the Victorians of scandalously missing the opportunity to call the dinosaur "Douphinkhesaurus"). A similar approach will not hide partially informed impact tolerances from supervisors expecting growing sophistication as they increase their scrutiny.

To grow that sophistication, I think that firms and FMIs need to review and refine their understanding of the five different categories of harm and impact based on what is relevant to their end-users. To re-cap, these are:

• Consumer harm;
• Market integrity;
• Policyholder protection;
• Safety and soundness; and
• Financial stability.

Reflecting on it, I think that these actually needed to be treated as five types of ecosystem shaped by the nature of markets, the profile of end-users, and the regulatory regime (which are broader than the Operational Resilience requirements) and sometimes competing objectives of the supervisory authorities for the firms and FMIs. To add a further layer, these ecosystems can also interact.

To understand these ecosystems requires as much effort as firms and FMIs are investing in their mapping of their resources (the People, Processes, Technology, Information, and Facilities) for their important business services.

Given the external nature of it, its akin to the mapping of resources provided by third party service providers with the increasing challenges of being able to gather information the further down the chain of interconnections you go. This limitation on individual firms to their direct relationships points to sector-level initiatives to coordinate this.

This is why its great to see Sarah Breeden announce in her speech on "The building blocks of resilience" that the Bank will launch an exploratory exercise as part of the response to the LDI crisis to enhance understanding of the risks to and from non-banks, their behaviours, and how these behaviours can amplify shocks. These are the sort of initiatives that we need to drive progress.

I've been doing a lot of work to get to grips with how to assess impacts to financial stability in order to inform how to identify appropriate impact tolerances. The Market Based Finance (MBF) system has loomed large in this, and I've really benefitted from being able to draw upon the large and well-established body of analysis published by the Bank in the form of Quarterly Bulletins, Financial Stability Papers and Reports, Staff Working Papers, and speeches. If you had to start somewhere in this, I'd recommend the Financial Stability Paper on "The role of non-bank financial intermediaries in the 'dash for cash' in sterling markets."

Synthesising this body of work and using it with clients has led me to re-consider some of my previously strongly held beliefs on what it takes to impact financial stability.

Working on policy and supervision for FMIs with a very clear focus on the need for systemic risk management, I would have considered it heresy to have moved beyond the two-hour Recovery Time Objective (RTO) except in the extreme circumstances where their integrity had been compromised by a cyber attack. This is because I was concerned about a near immediate impact on financial stability from disruption to their services.

Disruption to an FMI's important business services or critical operations always carries a high risk of damage, but I'm now not sure that this level of damage translates to a near immediate impact to financial stability in normal economic conditions. (For clarity, I still think that there will be select important business services or critical operations for specific FMIs that this could be true for.)

A much better approach is emerging when we start to refine our understanding of how financial stability can be impacted in periods of volatility (highlighting the interdependent nature of financial and operational resilience). As illustrated by the LDI crisis and the analysis on the Covid "Dash for Cash," changes in market participant behaviours, amplification, and contagion all need to be considered in terms of impact. In these conditions, time to impact financial stability shrinks significantly.

Of course, this is the epitome of extreme or severe but plausible scenario planning, and there is historical information to draw upon to inform this. Discussing this with experts earlier this week, the issue they called out with this is that each systemic event is different due to the changes in variables - bringing this all back to the importance of understanding these challenges through the prism of complex adaptive systems.

You may ask "so what" about this line of thinking. Get the systemically important firm or FMI to be able to prevent, adapt and respond, recover, and learn to disruptions within the tightest timeframes available and you'll avoid impact to financial stability under all circumstances, right?

Here again, I've changed my view. I still think that the microprudential focus on the resilience of systemically important firms and FMIs is essential to make sure that their individual preparations for disruptions to financial stability are as advanced and capable as possible. The main focus here is on their management of their resources and those provided by third party service providers.

But much like I increasingly believe its not likely that a disruption from an individual systemically important firm or FMI will have a near immediate impact on financial stability in the way that I did, I also think that the evidence indicates that financial stability cannot be protected by an individual firm or FMI. It takes an ecosystem to protect financial stability.

Which brings us back to the urgent need to forge a better understanding of the financial stability ecosystem to identify the key ways in which it can be impacted and at what levels. It is that level of information that is needed to bring us to the level of shared sophistication needed to achieve this.

If this challenge of protecting financial stability as an ecosystem is of interest to you, we'll be discussing our latest thinking at a roundtable at 9.30 on 28 June at our offices in Waterloo with Operational Resilience leaders from systemically important firms and FMIs.

We're also tackling the other end of the spectrum with a roundtable the next day at the same time, same location where we will be discussing how to protect consumers from harm, and how Operational Resilience interacts with the FCA's Consumer Duty rules.

Due to popular demand for both, we've had to get bigger rooms so we do have a limited number of additional places. DM me if you'd like to join us.