Points for Attention and Key Considerations
Accountability and Governance
The Board is accountable for, and should approve and regularly review, the important business services, impact tolerances and Self-Assessment. One Senior Manager, typically the SMF24, will have overall designated responsibility for the Operational Resilience Framework, and others may be accountable for specific important business services.
Supervision and Enforcement
The Self-Assessment is likely to be a key document in the regulators’ routine supervision activities. It also has the potential to expose firms to censure if not drafted with due skill and care, for instance if a disruption occurs that ends up causing harm to consumers.
Firms are able to apply the operational rules proportionately in a way which best suits their business, for instance using existing committees where possible.
Regulators emphasise the importance of ensuring that firms are able to justify their determinations, notably of important business services and impact tolerances. The Self-Assessment should show the methodology and workings, not just their outcomes.
The Self-Assessment must contain adequate documented evidence to provide assurance to the Board on the firm’s Operational Resilience readiness and to allow for sign-off.
Sophistication and Maturity
Regulators recognise that it is likely that firms’ resilience arrangements, methodologies and justifications will increase in sophistication and mature over time. By 31 March 2022, the analysis needs to be undertaken thoroughly enough to arrive at a gap analysis and identification of major shortcomings requiring further work.
The Self-Assessment needs to be regularly reviewed and updated, particularly when there is a significant change to the business.