PA OPINION

How pension firms can prepare for operational resilience regulation

The Financial Conduct Authority (FCA) will soon issue new regulations on operational resilience, and The Pensions Regulator (TPR) is sure to head in the same direction, not least because the COVID-19 crisis is focusing attention on the pensions industry’s ability to withstand operational shocks.

But how can pension firms prepare for operational resilience regulations?

Identify what’s important

The FCA will focus on firms’ ability to operate Important Business Services (IBS), set impact tolerances for those services and run simulations to test preparedness. What qualifies as an IBS, however, isn’t necessarily what’s critical for the firm but what’s critical for customers, other market participants and financial resilience.

Pension providers should explore five issues as they assess whether a business function is an IBS and establish service tolerances:

  1. Client fragility: Who are our most vulnerable customers?
  2. Critical periods: Are there times when systems have a higher level of criticality, such as during end of month processing, regulatory submissions or the monthly pensions payment run? If we couldn’t make payments for a given period, what would the impact be on a counterparty?
  3. Service recovery order: Is there an order to recovering services in the event of an issue? For example, should lump sum withdrawal capability have a higher priority than transfers in?
  4. Best execution: Firms making trades already have regulatory best execution obligations, but should we strengthen trading system resilience to ensure customers can stay in the market?
  5. Protecting customer data: In the event of a cyber security incident that disclosed personal data, what would the impact be?

The regulators will expect firms to demonstrate a clear understanding of their IBSs, backed by rigorous analysis and data to set tolerances. Many IT and operational areas are used to asking themselves which of their services are important. Where they may have less experience is in using data to inform those choices: for example, using complaints data to drive investment in the service improvements that matter to customers, or using management statistics to identify trends in outages.

Firms will need to map IBSs and then understand the sub-services, individual systems, IT components and support teams that underpin each one. Doing so will be daunting, and it will be difficult to set realistic tolerances that reflect industry best practice without specialist support.

Deliver resilience

Firms must start activities to deliver on the regulator’s operational resilience expectations now. In our experience, there are five key areas that drive operational resilience:

  • Home in on the detail: Boards and senior managers will be expected to take a greater interest in operations, IT and change management. The consultation papers from the regulators would require boards and senior management to approve the IBSs identified for their firm. Boards must carve out time and attention to focus on operational resilience.
  • Prioritise investment: Boards must steer investment and prioritise resources into IBSs. High-quality analysis must underpin investment decisions.
  • Clarify responsibilities: Boards must agree who has responsibility under the Senior Managers & Certification Regime; usually the Chief Operating Officer (SMF24). Managers in an SMF24 role already have responsibility for overseeing cyber security, business continuity and resilience.
  • Gain consensus: COOs need to identify the types of tactical, operational and strategic decisions the firm will need to take, then build a firmwide consensus on how to move forward.
  • Build confidence: Oversee assurance activities such as business continuity/disaster recovery testing, CBEST threat-led intelligence testing and desktop exercises. COOs will need to obtain external advice to calibrate their efforts and avoid blind spots.

Evidence Preparedness

A suitable testing regime will provide evidence of whether resilience arrangements will effectively enable the firm to remain within its impact tolerances. The regulators have set a clear expectation that impact tolerances and test outputs will form part of their reviews of firms, and so should be ‘available on request’.

Regulators will expect to see well developed recovery plans covering a wide range of organisational activities, including:

  • alternative working arrangements if key systems or outsourced services aren’t available
  • collaboration with industry groups to manage incidents, as well as having resource to work with other market participants that are experiencing difficulties
  • capturing data and lessons learnt to drive future improvements
  • effective stakeholder communications.

For many firms, this reflects their current operational practices. For some, it will be a step up in terms of maturity and capability.

Regulators are expected to issue new policy statements in Q4 2020, with compliance expected from Q1 2021. While the final form of the operational resilience regulations is unknown, pension providers should start to act now. A carefully planned set of improvements will be less painful than playing catch-up once the new regulations come into force.
