Regulatory update – operational resilience consultation and actions
- The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a discussion paper (DP) on operational resilience in July 2018.
- The regulators then published a Consultation Paper (CP19/32) on 5 December 2019. In that CP, the regulators consulted on new requirements on the firms they supervise to help strengthen operational resilience.
- Operational resilience is described as an outcome: the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
- In March 2020, the regulators extended the FCA consultation until 1 October 2020.
- While operational resilience remains a top priority for the FCA, PRA and the Bank, the later publication date and implementation timetable are intended to alleviate the overall burden on firms and financial market infrastructures (FMIs) in the wake of the Covid-19 outbreak.
The regulators have proposed that firms:
- identify their important business services that if disrupted could cause harm to their consumers (retail and wholesale) or market integrity
- set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption to help achieve consumer protection and market integrity)
- identify and document the people, processes, technology, facilities and information that support their important business services (mapping)
- test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios
- conduct lessons learnt exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
- develop internal and external communications plans for when important business services are disrupted
Delivering operational resilience requires firms to take decisive and effective actions, for example by replacing outdated or weak infrastructure, increasing systems’ capacity or addressing key person dependencies.
Timeline with relevant dates to be logged on regulatory calendar
- All firms must continue to develop operational resilience capabilities while awaiting published regulatory requirements by 31 December 2021
It is planned that firms will not need to meet requirements resulting from the consultations before the end of 2021. Firms need to remain aware of all developments.