Avoid falling short of new operational resilience regulations
In 2021, the UK’s Financial Conduct Authority (FCA) finalised the regulatory policies for operational resilience and set deadlines for firms to comply.
By 31 March 2022, firms must identify their important business services and set impact tolerances for them. And they must be able to show they’ve done enough mapping and testing to enable them to do so.
Since the announcement, financial services firms have been working at pace to deliver the outcome-focused approach the regulators are looking for.
Yet in January 2022, the FCA gave a clear message that some firms were falling short:
“We haven't seen many impact tolerances set yet, nor much in the way of mapping or testing. If this is making you think you are falling short, you have to act swiftly. You must act now to make sure you are ready for that 31 March deadline.” – Suman Ziaullah, Head of Technology Resilience and Cyber at the FCA
With the first operational resilience deadline upon us, what can financial services leaders do to avoid a clash with regulators?
We’ve identified five actions financial services leaders can take to avoid common pitfalls.
Ensure your approach to selecting important business services and setting impact tolerances is logical, clearly documented and repeatable
The more advanced operational resilience programmes can provide distinct, data-driven and repeatable methodologies for selecting their most important business services and setting impact tolerances.
As we’ve supported firms across the market, we’ve seen many fail to fully document their important business service selection criteria. Using existing metrics can justify approaches and ground them in analytical thinking. Metrics such as market share, customer segmentation and, where appropriate, consumer research can support the identification of important business services. More mature programmes have regular review cycles to consider changes to the business.
For impact tolerances, firms should be able to demonstrate a detailed and documented methodology that considers the impact on consumers and the market. Setting impact tolerances isn’t a one-time exercise and firms can’t rely on existing recovery time objectives, which are inward looking and often don’t consider external impacts.
Ensure mapping is detailed and part of BAU
Firms need to ensure the approach to mapping consistently considers and documents dependencies across all the key pillars – people, processes, facilities, technology and information.
One area we often see firms overlook is the mapping of information. While this can be difficult due to the absence of available information, it’s important to dedicate resources to do it. Successful programmes have been able to break through siloed and disparate working practices to document the required information.
The FCA has taken a flexible approach to mapping by March 2022, but it has emphasised that mapping should be mature enough to enable firms to identify important business services, set impact tolerances and identify vulnerabilities.
Following the initial mapping of important business services, it’s important to keep mapping under review to account for any significant change in dependencies across the firm. Leaders should consider how to embed mapping into the change management process.
Outsourcing, third parties and intragroup arrangements should be core to your programme
Some firms are experiencing significant pressure in complying with EBA guidelines, PRA SS2/21 requirements and the March 2022 operational resilience deadline. Leaders should ensure they understand the differences and similarities in regulatory intent and have a clear, joined-up plan across business functions to meet the requirements.
For operational resilience, the FCA’s Suman Ziaullah was clear that firms unable to understand the vulnerabilities across the value chains of their important business services have a “clear indicator that you may not be able to remain within your impact tolerances.” So, firms should engage with suppliers and partners beyond a rudimentary review of contractual documentation to ensure they are adequately considering dependencies.
Intragroup arrangements present a cultural and historic challenge that will require redress following years of informal arrangements. In some cases, non-UK headquartered firms have had trouble engaging with the UK requirements, resulting in delays and a lack of progress. UK leaders must receive appropriate reporting and demonstrate influence and control over intragroup arrangements, including assessing operational resilience impacts when parent bodies look to make significant changes.
Develop a clear strategy for operational resilience testing
As with mapping, the regulators have taken a flexible approach to scenario testing, requiring firms to test enough to identify important business services, set impact tolerances and identify vulnerabilities. Firms should invest in the appropriate level of resource to plan and deliver severe yet plausible scenarios that assess the current ability to remain within impact tolerances.
Operational resilience provides an opportunity to take a central view of the wide range of testing already happening across the firm, such as business continuity, cyber, regression and component testing. Each of these can also consider important business services, impact tolerances and vulnerabilities, and show the level of testing rigour applied.
Creating a set of severe yet plausible scenarios based on mapping, key threats and vulnerabilities also provides an opportunity to drive further synergies in organisational testing beyond operational resilience.
Engage your SMF24s, senior leadership and governance bodies in operational resilience
The FCA is clear that senior executives should lead operational resilience and that the Board must be able to show it’s satisfied the firm is meeting responsibilities.
As many firms are currently drafting and reviewing their self-assessment documents, it’s critical to engage senior executives. SMF24s will need to ensure teams are highlighting vulnerabilities as they arise in operational resilience programmes, so they can secure the investment required to address them. In an environment of cost cutting, there will need to be a shift to ensure leaders see operational resilience as more than a cost centre – it’s a USP that will support and protect profitability.
Financial services leaders can avoid colliding with regulators by ensuring operational resilience is part of business-as-usual activities such as change control, management of third parties and testing, and by ensuring senior leadership actively monitors it.