Which organisations are impacted by the Operational Resilience obligations?
The following firms fall within the scope of the regulators’ policy statements on Operational Resilience:
- UK banks, building societies, and PRA-designated investment firms (“banks”) including subsidiaries
- UK Solvency II firms, the Society of Lloyd’s, and its managing agents (“insurers”)
- Recognised Investment Exchanges
- Enhanced scope senior managers and certification regime (SM&CR) firms
- Entities authorised or registered under the Payment Services Regulations or the Electronic Money Regulations
Out of Scope
Firms which are not in scope notably include SM&CR core firms. However, given recent events and the potential future regulatory focus, we would advise they would benefit from familiarising themselves with the Operational Resilience requirements.
Those who are providing services to a firm in scope may also be impacted as they will need to be able to demonstrate resilient processes to support that client.
Notwithstanding the foregoing, all firms should also continue to meet their existing obligations notably in terms of business continuity, outsourcing and information security.