Several significant drivers have led to demands from regulators for firms to build greater resilience into their delivery model. The measures firms take will evolve, but should enable continuation of important business services impacting clients and the wider market and help to effectively address the issues and challenges caused by disruptive events.
The final chapter in our series on Operational Resilience focuses on the requirements for a documented Self-Assessment, which should capture the steps taken and methodologies used, as well as the action plans to remediate any vulnerabilities.
How should firms be preparing themselves?
Firms may be at different stages of operational resilience maturity and readiness. In-scope firms need to take practical steps to demonstrate their readiness. They should have:
The purpose of the Self-Assessment is to articulate the firm’s resilience journey and how they have achieved compliance with the requirements.
It needs to show the work carried out over time to demonstrate operational resilience compliance, including the methodologies used, as well as the plans to remediate any vulnerabilities and findings.
Firms’ operational resilience frameworks are expected to grow in maturity and sophistication over time. The priority for the first Self-Assessment would be to show the firm’s steps and workings, rather than aim to provide all the answers.
The Board is accountable for, and should approve, the Self-Assessment document.
This approval should demonstrate that prioritised investment decisions are being made in respect of services which cannot be delivered within impact tolerance. The Self-Assessment is a key element for providing assurance to the Board on the firm’s resilience framework. It also allows the Senior Manager with designated responsibility for Operational Resilience to evidence the discharge of his/her responsibilities.
Self-assessment documents do not need to be submitted to regulators periodically. They only need to be provided on request or made available for inspection. Firms will first need to have fully operationalised the operational resilience requirements.
The FCA and the PRA are clear on what they expect firms to cover in their Self-Assessment document, as set out in SYSC 15A.6.1.R and SS1/21. This includes the following:
Important business services identified by the firm and the justification for the determination made.
Impact tolerances set for each important business service and the justification for the level at which they have been set.
The firm’s approach to mapping and how this has been used to:
The testing strategy and plan, and the justification for the approach adopted.
Scenario testing carried out, including a description and justification of the assumptions made in relation to scenario design and any identified risks to the firm’s ability to meet its impact tolerances.
Any lessons learnt exercise conducted.
Vulnerabilities identified, including remediation actions taken or planned and justifications for their completion time.
The firm’s communication strategy and how it will help reduce the anticipated harm caused by operational disruptions.
The methodologies used to undertake the above activities.
Accountability and Governance
The Board is accountable for, and should approve and regularly review the important business services, impact tolerances and Self-Assessment. One Senior Manager, typically the SMF24, will have overall designated responsibility for the Operational Resilience Framework, and others may be accountable for specific important business services.
Supervision and Enforcement
The Self-Assessment is likely to be a key document as part of the regulators’ routine supervision activities. It also has the potential to expose firms to censure if not drafted with due skill and care, for instance in the event that a disruption occurs which ends up causing harm to consumers.
Firms are able to apply the operational rules proportionately in a way which best suits their business, for instance using existing committees where possible.
Regulators emphasise the importance of ensuring that firms are able to justify their determinations, notably of important business services and impact tolerances. The Self-Assessment should show the methodology and workings, not just their outcomes.
The Self-Assessment must contain adequate documented evidence to provide assurance to the Board on the firm’s Operational Resilience readiness and to allow for sign-off.
Sophistication and Maturity
Regulators recognise that it is likely that firms’ resilience arrangements, methodologies and justifications will increase in sophistication and mature over time. By 31 March 2022, the analysis needs to be undertaken thoroughly enough to arrive at a gap analysis and identification of major shortcomings requiring further work.
The Self-Assessment needs to be regularly reviewed and updated, particularly when there is a significant change to the business.
The regulators have not provided or recommended any particular format or template for the Self-Assessment document. The format is therefore left to each firm’s discretion. In our experience, many firms use a document with various supporting Appendices, whereas others prefer to use a spreadsheet with multiple tabs.
Level of Detail
The size and level of detail of the Self-Assessment document should be proportionate to the firm’s activities. The document should be detailed enough to explain and justify the firm’s resilience steps and methodologies, including the testing undertaken. It should provide all relevant outputs for the Board to be able to provide sign-off. This being said, the document should also be easy to follow and navigate, and excessive detail may make it difficult to achieve Board engagement and sign-off. There is no limit as to how much information to include, and firms may consider including additional supporting information such as independent compliance testing or audit reports.
As the Self-Assessment is likely to become a living document, it may make sense to include the parts which are most likely to change in Appendices or separate tabs.
Firms may consider including sections covering the following in their Self-Assessments: