Overview of the requirements
Firms are expected to perform the steps outlined below. Each of these requirements will be covered in more detail in the coming weeks.
- Identify their important business services
The regulators’ definitions of important business services refer to an intolerable level of harm to consumers, risks to the firm’s safety and soundness, and risks to UK financial stability.
The standard to be met is set quite high. Firms should identify all business services and shortlist the ones with a severe impact based on the definitions.
- Set impact tolerances for each important business service
Impact tolerances are expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration of disruption (a time-based metric). Firms could also include other considerations such as the volume of disruption (e.g. the number and types of consumers affected) or a measure of data integrity. Dual-regulated firms are expected to set two impact tolerances for each important business service, in line with each regulator’s statutory objectives.
- Identify and map the resources supporting the important business services
The end-to-end mapping of resources and capabilities for each important business service is a critical foundation for scenario testing and is likely to be the most resource-intensive part of the exercise in a large, complex organisation. This mapping should allow a firm to ascertain whether supporting resources (i.e. people, processes, technology, facilities and information, including third-party providers) are fit for purpose; to identify vulnerabilities; and to consider what would happen if resources were to become unavailable.
- Conduct scenario testing to assess the ability to remain within impact tolerances
Scenario testing is about testing the firm’s ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements (as opposed to preventative measures). Third parties are part of a firm’s end-to-end process and need to be prepared, for instance, to support operational resilience testing.
- Develop internal and external communications plans
In the event of an operational disruption, firms must pay due regard to the information needs of their clients. Should a disruption occur, they need to be able to provide timely and relevant communications to stakeholders, including regulators, that are fair, clear and not misleading.
- Maintain a self-assessment document detailing the firm’s Operational Resilience journey
The purpose of the self-assessment is to articulate the firm’s resilience journey and work carried out over time, to demonstrate its Operational Resilience and plans to remediate any vulnerabilities and findings. The Board is accountable for approving the self-assessment and demonstrating that prioritised investment decisions are being made in respect of services which cannot be delivered within impact tolerances.
- Make Operational Resilience a priority at Board and Executive levels, with a clear Governance framework
Boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each of these, as well as the documented self-assessment. Firms are required to establish clear accountability and responsibility for the oversight and management of operational resilience.