How should firms be preparing themselves?
Operational Resilience has been highlighted as a key issue by the FCA and the PRA since the discussion and consultation papers in 2018 and 2019. The new rules will be effective from 31 March 2022 for all in-scope firms.
Regulatory priorities and expectations are clear, but many institutions' plans have met with several challenges.
This edition focuses on the requirements for scenario testing. With two weeks to go, the first operational resilience deadline is upon us.
Organisations need to take practical steps to demonstrate their readiness including:
The purpose of Scenario Testing is to test the firm's ability to remain within impact tolerances in a range of severe but plausible disruption scenarios, focusing on recovery and response arrangements (rather than preventative measures). This should enable firms to obtain assurance on the resilience of their important business services and identify where they might need to act to increase their operational resilience.
The objective of scenario testing is not necessarily to prove that, regardless of the scenario, an important business service can always be maintained within tolerance, but rather to understand under which scenarios a firm would not be able to deliver its important business services.
These are the scenarios which would particularly need to be discussed with the Board and Senior Managers to determine whether, in their view, it would be acceptable not to be able to recover within impact tolerances. Where this is deemed unacceptable, the Board must determine prioritised investment decisions to allow recovery within tolerance to be achieved.
A range of testing approaches are being used by firms and the choice is being informed by the degree of maturity of each firm’s operational resilience programme.