Several significant drivers have led regulators to demand that firms build greater resilience into their delivery models. The measures firms take will evolve, but they should enable the continuation of important business services that affect clients and the wider market, and help firms to address effectively the issues and challenges caused by disruptive events.
The final chapter in our series on Operational Resilience focuses on the requirements for a documented Self-Assessment, which should capture the steps taken and methodologies used, as well as the action plans to remediate any vulnerabilities.
How should firms be preparing themselves?
Firms may be at different stages of operational resilience maturity and readiness. In-scope firms need to take practical steps to demonstrate their readiness. They should have:
The purpose of the Self-Assessment is to articulate the firm’s resilience journey and how it has achieved compliance with the requirements.
It needs to show the work carried out over time to demonstrate operational resilience compliance, including the methodologies used, as well as the plans to remediate any vulnerabilities and findings.
Firms’ operational resilience frameworks are expected to grow in maturity and sophistication over time. The priority for the first Self-Assessment would be to show the firm’s steps and workings, rather than aim to provide all the answers.
The Board is accountable for, and should approve, the Self-Assessment document.
This approval should demonstrate that prioritised investment decisions are being made in respect of services which cannot be delivered within impact tolerance. The Self-Assessment is a key element for providing assurance to the Board on the firm’s resilience framework. It also allows the Senior Manager with designated responsibility for Operational Resilience to evidence the discharge of his/her responsibilities.
Self-Assessment documents do not need to be submitted to regulators periodically. They only need to be provided on request or made available for inspection. Firms will first need to have fully operationalised the operational resilience requirements.