Why is this important now?
There is some consensus that Operational Resilience is not just a regulatory exercise but a better way to run a firm, one that helps improve controls and deliver better outcomes for customers and the market.
The regulators’ approach to operational resilience assumes that disruptions will occur which will prevent firms from operating as usual and providing their services for a period.
Not least in light of the pandemic, which has brought resilience to the forefront of everyone’s thinking, it is imperative for firms to take a proactive approach to Operational Resilience.
Key definitions explained
Operational Resilience is the ability of firms, financial market infrastructures and the financial services sector as a whole to prevent, respond to, recover and learn from operational disruptions, as defined by the Bank of England, PRA and FCA.
A few examples of events that would cause operational disruption include market instability, cyber-attacks, geo-political events, third party provider failures, system outages and natural disasters such as pandemics, fire or floods.
The regulators’ approach to Operational Resilience recognises that you cannot have full contingencies for every vulnerability and that disruptions will occur. It does not focus on preventative measures to reduce the likelihood of disruption, but rather on recovering from a disruption which has already crystallised.
In our view, Operational Resilience is not altogether a new issue but it has traditionally been managed with a narrower recovery focus (e.g. Disaster Recovery and Business Continuity Planning) at an individual business unit or asset level.
One key point of emphasis is that Operational Resilience is end-to-end, broader than technology and also outward facing. It focuses on the regulators’ objectives, in other words the impact on clients and markets rather than on the firm’s own business objectives.
Operational Resilience is holistic and dynamic, and considers how the fundamental capabilities of people, processes, technology and third parties enable a firm to adapt and recover when things go wrong.
A business service is a service that a firm provides which delivers a specific outcome or service to an identifiable user external to the firm. It is distinguished from business lines, which are a collection of services and activities.
Important business services and impact tolerances form the cornerstones of Operational Resilience.
Important business services are those services a firm provides which, if disrupted, could:
- pose a risk to a firm’s safety and soundness, or the financial stability of the UK (PRA objective)
- potentially cause intolerable harm to the consumers of the firm’s services or risk to market integrity – i.e. soundness, stability or resilience of the UK financial system (FCA objective)
In this context, consumers are regarded as those that are the direct consumers of the firm’s services or in other ways dependent upon them. This includes both retail and wholesale market participants.
An impact tolerance is the maximum tolerable level of disruption to an important business service assuming that disruption to the supporting systems and processes will occur.