The disruption experienced across many business sectors over the last 18 months has been met with various operational challenges. While many firms have taken steps to minimise significant lasting impact, measures taken do not go far enough.
Over the next few weeks, our Senior Director and Regulatory Compliance Lead, Lindsey Domingo at Xcina Consulting, addresses key questions Boards and Senior Managers should be asking following the proposals and expectations set out by the FCA, PRA and Bank of England.
Background and Context
A key priority for supervisory authorities is to put in place a stronger regulatory framework to promote the operational resilience of firms and financial market infrastructures.
The PRA, FCA and Bank of England have adopted a joint approach on Operational Resilience. They published a discussion paper in 2018 followed by a consultation paper in December 2019.
A joint covering document with their respective policy statements (discussed later) was released on 29 March 2021. The PRA’s new policy statement on Outsourcing and Third Party Risk Management was issued at the same time.
From the regulators’ perspective, the objective of Operational Resilience is to improve the market as a whole:
The publication of these policy statements is in line with parallel developments and convergence happening at international level, notably:
Operational Resilience is an overarching framework which brings together and complements a number of existing regulatory policies and requirements including:
The following firms fall within the scope of the regulators’ policy statements on Operational Resilience:
Out of Scope
Firms which are not in scope notably include SM&CR core firms. However, given recent events and the potential for future regulatory focus, we would advise that they familiarise themselves with the Operational Resilience requirements.
Those who are providing services to a firm in scope may also be impacted as they will need to be able to demonstrate resilient processes to support that client.
Notwithstanding the foregoing, all firms should also continue to meet their existing obligations notably in terms of business continuity, outsourcing and information security.
There is some consensus that Operational Resilience is not just a regulatory exercise, but instead a better way to run a firm, help improve controls and deliver better outcomes for customers and the market.
The regulators’ approach to operational resilience assumes that disruptions will occur which will prevent firms from operating as usual and providing their services for a period.
Not least in the light of the pandemic which has brought resilience to the forefront of everyone’s thinking, it is imperative for firms to take a proactive approach to Operational Resilience.
Key definitions explained
Operational Resilience is the ability of firms, financial market infrastructures and the financial services sector as a whole to prevent, respond to, recover and learn from operational disruptions, as defined by the Bank of England, PRA and FCA.
A few examples of events that would cause operational disruption include market instability, cyber-attacks, geo-political events, third party provider failures, system outages and natural disasters such as pandemics, fire or floods.
The regulators’ approach for Operational Resilience recognises that you cannot have full contingencies for every vulnerability and that disruptions will occur. It does not focus on preventative measures to reduce the likelihood of disruption, but rather on recovering from a disruption which has already crystallized.
In our view, Operational Resilience is not altogether a new issue but it has traditionally been managed with a narrower recovery focus (e.g. Disaster Recovery and Business Continuity Planning) at an individual business unit or asset level.
One key point of emphasis is that Operational Resilience is end-to-end, broader than technology and also outward facing. It focuses on the regulators’ objectives, in other words the impact on clients and markets rather than on the firm’s own business objectives.
Operational Resilience is holistic and dynamic, and considers how the fundamental capabilities of people, processes, technology and third parties enable a firm to adapt and recover when things go wrong.
A business service is a service that a firm provides which delivers a specific outcome or service to an identifiable user external to the firm. It is distinguished from business lines, which are a collection of services and activities.
Important business services and impact tolerances form the cornerstones of Operational Resilience.
Important business services are those services a firm provides which, if disrupted, could:
In this context, consumers are regarded as those that are the direct consumers of the firm’s services or in other ways dependent upon them. This includes both retail and wholesale market participants.
An impact tolerance is the maximum tolerable level of disruption to an important business service assuming that disruption to the supporting systems and processes will occur.
Overview of the requirements
Firms are expected to perform the steps outlined below. Each of these requirements will be covered in more detail in the coming weeks.
The regulators’ definitions of important business services refer to an intolerable level of harm for consumers, risks to the Firm’s safety and soundness and to UK financial stability.
The standard to be met is set quite high. Firms should identify all business services and shortlist the ones with a severe impact based on the definitions.
Impact tolerances are expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration (time-based metric). Firms could also include other considerations such as volume of disruption (e.g. the number and types of consumers affected) or a measure of data integrity. Dual-regulated firms are expected to set up two impact tolerances for each important business service in line with each regulator’s statutory objectives.
The end-to-end mapping of resources and capabilities for each important business service is a critical foundation for scenario testing and is likely to be the most resource-intensive part of the exercise in a large complex organisation. This mapping should allow a firm to ascertain whether supporting resources (i.e. people, processes, technology, facilities and information, including third party providers) are fit for purpose; to identify vulnerabilities; and to consider what would happen if resources were to become unavailable.
Scenario testing is about testing the firm’s ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements (as opposed to preventative measures). Third parties are part of a firm’s end-to-end process and need to be prepared, for instance, to support operational resilience testing.
In the event of an operational disruption, firms must pay due regard to the information needs of their clients. They need to be able to provide clear, timely and relevant communications which are fair, clear and not misleading to stakeholders, including regulators, should an operational disruption occur.
The purpose of the self-assessment is to articulate the firm’s resilience journey and work carried out over time, to demonstrate its Operational Resilience and plans to remediate any vulnerabilities and findings. The Board is accountable for approving the self-assessment and demonstrating that prioritised investment decisions are being made in respect of services which cannot be delivered within impact tolerances.
Boards are specifically required to approve the important business services identified for their firm and the impact tolerances that have been set for each of these, as well as the documented self-assessment. Firms are required to establish clear accountability and responsibility for the oversight and management of operational resilience.
Timeline for Delivery
The effective date that the rules come into force is 31 March 2022.
Operational Resilience is a journey and an iterative learning process. It is not to be underestimated and firms must build in sufficient time. They may have various assets within the organisation which they can leverage as a starting point.
There is a lot to be done by 31 March 2022, but not everything. Regulators expect mapping and testing of important business services to evolve and become more sophisticated over time. By 31 March 2022 firms must set out their gap analysis and self-assessment identifying the major shortcomings and where more work is required. Regulators are expecting firms to have done this thoroughly.