What are the regulators’ expectations?
Differing statutory objectives and impact tolerances
There are nuances in the regulators’ requirements, based on their specific statutory objectives.
Dual-regulated firms must also identify a separate impact tolerance for their important business service (one for each of the regulators’ objectives). Regulators expect that, while firms need to set tolerances for each important business service by reference to that authority’s operational resilience rules, such firms will effectively manage the tolerances together.
Firms may set their separate impact tolerances at the same point if they deem it suitable for the purposes of each authority but will need to be able to justify this decision if challenged. Ensuring a firm can remain within the more stringent tolerance would be acceptable if they can demonstrate:
- how they have considered each of the PRA and FCA’s objectives when setting their impact tolerances;
- how their recovery and response arrangements are also appropriate for the longer impact tolerance (recovery and response arrangements must be viable for both shorter and longer time periods);
- that scenario testing has been performed with the longer impact tolerance in mind as a shorter impact tolerance might constrain the range of severe but plausible events a firm might consider.
Example of different Impact Tolerances set by a dual-regulated firm for the same important business service
The FCA advised that dual-regulated firms are allowed to set additional sub-tolerances if they find it beneficial. It also commented that it will work collaboratively with the PRA to ensure they supervise tolerances efficiently.
Smaller firms are not required to consider financial stability when setting impact tolerances.
When a firm is using a third-party service provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances.
The requirements to set and remain within impact tolerances remain the firm’s responsibility, regardless of whether it uses external parties for the provision of important business services.
Reviewing Impact Tolerances
Regulators require firms to keep impact tolerances relevant and under review, and to consider their continued ability to comply with them if there is a relevant change to their business or to the market in which they operate.
They also require firms to prepare and regularly update a documented self-assessment of their compliance with the Operational Resilience obligations.