Operational Resilience: Important Business Services

PART 3

In previous editions of this series we provided an overview of Operational Resilience and Outsourcing and Third Party Risk Management requirements.

This week our Senior Director and Regulatory Compliance Lead, Lindsey Domingo addresses further questions. The focus of this chapter will provide clarification and guidance on how firms impacted by the Operational Resilience obligations can identify their important business services. We examine possible approaches.

PART 4 | VENDOR RISK MANAGEMENT AND DUE DILIGENCE >>

What are important business services?

In Policy Statements PS21/3 and PS6/21, the FCA and PRA outline what constitutes an “important business service”, with some nuances in their respective definitions.

Important business services are those services a firm provides which, if disrupted, could:

pose a risk to a firm’s safety and soundness or, the financial stability of the UK (PRA objectives)
potentially cause intolerable harm* to the consumers of the firm’s services or risk to market integrity – i.e. soundness, stability or resilience of the UK financial system (FCA objectives)

The nuances in the definitions are primarily driven by the regulators’ respective statutory objectives and regulatory frameworks. As part of the Bank of England, the PRA also contributes to the delivery of the Bank’s wider financial stability and monetary policy objectives.

Important business services

*Intolerable harm has to be much more severe than harm or inconvenience. The FCA views intolerable harm as an outcome which end users cannot easily recover from, for instance where, post disruption, a firm is unable to put a client back into a correct financial position, or where there have been serious non-financial impacts that cannot be effectively remedied.

Who needs to identify important business services?

The requirement to identify important business services applies to firms within the scope of the Operational Resilience obligations. As outlined in previous editions, In-Scope firms include both dual-and solo-regulated firms:

Important business services

Why is this relevant and important?

Operational resilience is a necessary framework and has become fundamental in a backdrop of ever-increasing market uncertainty. Firms that have recognised its importance will be in a stronger position to respond and adapt in the face of disruption and minimise the risk of detriment.

Building and maintaining a resilience organisation is a journey and an iterative learning process. It is not to be underestimated and firms must build in sufficient time. By 31 March 2022 regulators expect firms to have carried out a thorough analysis and assessment to identify major shortcomings and where more work is required.

Important business services are at the core of Operational Resilience. Their identification is one of the critical first steps in a firm’s Operational Resilience journey.

Operational Resilience Requirements

How can firms go about identifying important business services?

Applying the definitions

To date the approach to identifying important business services has generally been led by common sense and business knowledge rather than a pre-defined methodology. This includes

Leveraging pre-existing process/service catalogues.
Workshops with business owners where business services are identified from experience and business understanding

The regulators’ definitions of important business services refer to an intolerable level of harm* for consumers, risks to the Firm’s safety and soundness and to UK financial stability. In this context, consumers are regarded as those end-users that are the direct consumers of the firm’s services or in other ways dependent upon them. This includes both retail and wholesale market participants.

The threshold to be met is set quite high. Firms should start by identifying all their business services and then shortlist the ones with a severe impact based on these definitions.

Business services are those which deliver a specific outcome or service to an identifiable user who is external to the firm, and are therefore external-facing. Internally focused services, such as those provided by Human Resources and Finance, would typically not be listed as important business services despite playing a key role in supporting a firm’s activities.

Operational Resilience Requirements

In the above example, this External-Facing Service delivers a specific Outcome to an End User.

Firms may be able to leverage a range of existing internal documentation and frameworks when identifying business services including business impact analyses, process maps, product or service taxonomies and other enterprise risk management framework deliverables.

Key considerations to be taken into account

The number of important business services firms should identify will differ. No two firms are expected to have exactly the same list of important business services. However, they will need to document their rationale and be prepared to justify it.

Firms should identify all important business services using the appropriate criteria. Firms may have multiple important business services. A list of six to ten important business services is not uncommon, depending on the firm’s business model.

Based on the FCA and PRA guidance, a firm should consider a range of factors when identifying its important business services including the following:

Operational Resilience Requirements

Firms may rate each business service against each of these factors in order to determine which of their business services would be deemed important.

The PRA’s requirements in PS6/21 excludes small and medium firms from having to assess their potential impact on financial stability when identifying their important business services. This requirement only applies to larger and systemic firms identified as other systemically important institutions and insurers with gross written premiums exceeding £15 billion or technical provisions exceeding £75 billion.

Examples of Important Business Services

The following table provides an indicative and non-exhaustive list of examples of potential important business services for different types of firm.

Operational Resilience Requirements

*Intolerable harm has to be much more severe than harm or inconvenience. The FCA views intolerable harm as an outcome which end users cannot easily recover from, for instance where, post disruption, a firm is unable to put a client back into a correct financial position, or where there have been serious non-financial impacts that cannot be effectively remedied.

When does this need to be done by?

As outlined in our initial piece on Operational Resilience, the deadline for firms to meet the requirements is 31 March 2022. By that date, firms must not only have identified important business services, but also determined impact tolerances, conducted scenario-testing and documented their self-assessment. This means that they should aim to have identified their business services much earlier, in order to allow time to meet these other obligations.

With effect from 31 March 2022, both the FCA and PRA will require firms to review important business services, at the minimum, once a year (or whenever there is a material change to their business or the market in which they operate). This is required to ensure any emerging vulnerabilities are not overlooked. Firms only need to review their existing identification against changes to their business or operating model over the year (and the process is expected to be straightforward where there have been no material changes).

Operational Resilience Requirements