Operational Resilience and Third Party Risk Management | Whitepaper
PART 1

Operational Resilience and Third Party Risk Management – What does it mean for you?

The disruption experienced across many business sectors over the last 18 months has brought a range of operational challenges. While many firms have taken steps to minimise significant lasting impact, the measures taken do not go far enough.

Over the next few weeks, Lindsey Domingo, Senior Director and Regulatory Compliance Lead at Xcina Consulting, addresses the key questions Boards and Senior Managers should be asking following the proposals and expectations set out by the FCA, PRA and Bank of England.


What is the Regulators’ perspective on Operational Resilience?

Background and Context

A key priority for supervisory authorities is to put in place a stronger regulatory framework to promote the operational resilience of firms and financial market infrastructures. 

The PRA, FCA and Bank of England have adopted a joint approach on Operational Resilience.  They published a discussion paper in 2018 followed by a consultation paper in December 2019. 

A joint covering document with their respective policy statements (discussed later) was released on 29 March 2021.  The PRA’s new policy statement on Outsourcing and Third Party Risk Management was issued at the same time.

From the regulators’ perspective, the objective of Operational Resilience is to improve the market as a whole:

  • With a focus on each individual firm
  • With a continuous improvement mindset

The publication of these policy statements is in line with parallel developments and convergence happening at international level, notably:

  • The Basel Committee for Banking Standards (BCBS) guidelines on principles for operational resilience (31 March 2021)
  • The European Commission Digital Operational Resilience Act (DORA) draft proposal (September 2020)
  • The US Joint Authorities’ paper on operational resilience (October 2020)

Operational Resilience is an overarching framework which brings together and complements a number of existing regulatory policies and requirements including:

  • Recovery and Resolution Planning, Operational Continuity in Resolution, Resolvability Assessment Framework and Business Continuity Planning (BCP)
  • European Banking Authority (EBA) Guidelines on Information and Communication Technology (ICT) and security risk management as well as outsourcing arrangements

Which organisations are impacted by the Operational Resilience obligations?

In Scope

The following firms fall within the scope of the regulators’ policy statements on Operational Resilience:

  • UK banks, building societies, and PRA-designated investment firms (“banks”) including subsidiaries
  • UK Solvency II firms, the Society of Lloyd’s, and its managing agents (“insurers”)
  • Recognised Investment Exchanges
  • Enhanced scope senior managers and certification regime (SM&CR) firms
  • Entities authorised or registered under the Payment Services Regulations or the Electronic Money Regulations

Out of Scope

Firms which are not in scope notably include SM&CR core firms. However, given recent events and the potential future regulatory focus, we would advise that they familiarise themselves with the Operational Resilience requirements.

Those providing services to a firm in scope may also be impacted, as they will need to be able to demonstrate resilient processes to support that client.

Notwithstanding the foregoing, all firms should also continue to meet their existing obligations notably in terms of business continuity, outsourcing and information security.

Why is this important now?

There is some consensus that Operational Resilience is not just a regulatory exercise, but instead a better way to run a firm, help improve controls and deliver better outcomes for customers and the market.

The regulators’ approach to operational resilience assumes that disruptions will occur which will prevent firms from operating as usual and providing their services for a period.

Not least in the light of the pandemic which has brought resilience to the forefront of everyone’s thinking, it is imperative for firms to take a proactive approach to Operational Resilience.

Key definitions explained

As defined by the Bank of England, PRA and FCA, Operational Resilience is the ability of firms, financial market infrastructures and the financial services sector as a whole to prevent, respond to, recover and learn from operational disruptions.

A few examples of events that would cause operational disruption include market instability, cyber-attacks, geo-political events, third party provider failures, system outages and natural disasters such as pandemics, fire or floods.

The regulators’ approach to Operational Resilience recognises that you cannot have full contingencies for every vulnerability and that disruptions will occur. It does not focus on preventative measures to reduce the likelihood of disruption, but rather on recovering from a disruption which has already crystallised.

In our view, Operational Resilience is not altogether a new issue but it has traditionally been managed with a narrower recovery focus (e.g. Disaster Recovery and Business Continuity Planning) at an individual business unit or asset level.

One key point of emphasis is that Operational Resilience is end-to-end, broader than technology and also outward facing. It focuses on the regulators’ objectives, in other words the impact on clients and markets rather than on the firm’s own business objectives.

Operational Resilience is holistic and dynamic, and considers how the fundamental capabilities of people, processes, technology and third parties enable a firm to adapt and recover when things go wrong.

A business service is a service that a firm provides which delivers a specific outcome or service to an identifiable user external to the firm. It is distinguished from a business line, which is a collection of services and activities.

Important business services and impact tolerances form the cornerstones of Operational Resilience.

Important business services are those services a firm provides which, if disrupted, could:

  • pose a risk to a firm’s safety and soundness or to the financial stability of the UK (PRA objective)
  • potentially cause intolerable harm to the consumers of the firm’s services or risk to market integrity – i.e. soundness, stability or resilience of the UK financial system (FCA objective)

In this context, consumers are regarded as those that are the direct consumers of the firm’s services or in other ways dependent upon them. This includes both retail and wholesale market participants.

An impact tolerance is the maximum tolerable level of disruption to an important business service assuming that disruption to the supporting systems and processes will occur.

How should firms be demonstrating compliance and approaching this exercise?

Overview of the requirements

Firms are expected to perform the steps outlined below. Each of these requirements will be covered in more detail in the coming weeks.

  • Identify their important business services

The regulators’ definitions of important business services refer to an intolerable level of harm for consumers, risks to the firm’s safety and soundness, and risks to UK financial stability.

The standard to be met is set quite high. Firms should identify all business services and shortlist the ones with a severe impact based on the definitions.

  • Set impact tolerances for each important business service

Impact tolerances are expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration (a time-based metric). Firms could also include other considerations such as the volume of disruption (e.g. the number and types of consumers affected) or a measure of data integrity. Dual-regulated firms are expected to set two impact tolerances for each important business service, in line with each regulator’s statutory objectives.

  • Identify and map the resources supporting the important business services

The end-to-end mapping of resources and capabilities for each important business service is a critical foundation for scenario testing and is likely to be the most resource-intensive part of the exercise in a large complex organisation. This mapping should allow a firm to ascertain whether supporting resources (i.e. people, processes, technology, facilities and information, including third party providers) are fit for purpose; to identify vulnerabilities; and to consider what would happen if resources were to become unavailable.

  • Conduct scenario testing to assess the ability to remain within impact tolerances

Scenario testing is about testing the firm’s ability to remain within impact tolerances in severe but plausible disruption scenarios, focusing on recovery and response arrangements (as opposed to preventative measures). Third parties are part of a firm’s end-to-end process and need to be prepared, for instance, to support operational resilience testing.

  • Develop internal and external communications plans

In the event of an operational disruption, firms must pay due regard to the information needs of their clients. They need to be able to provide timely and relevant communications to stakeholders, including regulators, which are fair, clear and not misleading.

  • Maintain a self-assessment document detailing the firm’s Operational Resilience journey

The purpose of the self-assessment is to articulate the firm’s resilience journey and the work carried out over time, to demonstrate its Operational Resilience, and to set out its plans to remediate any vulnerabilities and findings. The Board is accountable for approving the self-assessment and for demonstrating that prioritised investment decisions are being made in respect of services which cannot be delivered within impact tolerances.

  • Make Operational Resilience a priority at Board and Executive levels, with a clear Governance framework

Boards are specifically required to approve the important business services identified for their firm and the impact tolerances set for each of them, as well as the documented self-assessment. Firms are required to establish clear accountability and responsibility for the oversight and management of Operational Resilience.

Operational Resilience Requirements

When do firms need to comply with the requirements by?

Timeline for Delivery

The rules come into force on 31 March 2022.


Conclusion

Operational Resilience is a journey and an iterative learning process. It is not to be underestimated, and firms must build in sufficient time. They may have various existing assets within the organisation which they can leverage as a starting point.

There is a lot to be done by 31 March 2022, but not everything. Regulators expect the mapping and testing of important business services to evolve and become more sophisticated over time. By 31 March 2022, firms must set out their gap analysis and self-assessment identifying the major shortcomings and where more work is required. Regulators are expecting firms to have done this thoroughly.
