New policies on operational resilience from UK regulators give firms the confidence to push ahead with necessary changes and investment.
On March 29, 2021, new operational resilience policies were published by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). While these policies are closely aligned to the key points made in earlier consultation papers, they continue to stress the importance of identifying and maintaining important business services (IBSs) that are essential to operational resilience and preventing consumer harm.
There are several themes, and subsequent implications, for firms to consider as they deliver their operational resilience programmes:
Definitions and timelines
The clarity and flexibility provided by the UK regulators will enable firms to confidently progress with their operational resilience delivery programmes with renewed certainty. The specified timelines will drive the prioritisation of activities and the level of detail to which they will need to be completed. No longer needing to deliver mapping and testing in totality by March 31, 2022, means that firms will need to ensure that their delivery programmes account for an iterative approach that delivers continual improvement. We expect that firms will be rapidly refreshing their delivery plans in line with published policy.
IBSs and impact tolerances are at the heart of operational resilience
In addition to duration, firms will need to consider a wide range of factors — including vulnerable customers — when identifying IBSs and their impact tolerances. The requirement to refresh this annually means that firms will need to define, document and embed a practical and repeatable approach to delivering both IBSs and impact tolerances, as opposed to a one-off ‘tick-box’ exercise.
Firms are also expected to consider what happens when multiple services fail at once, as this has a compounding effect on the failure of the rest of their operations. On this topic, firms should also identify group services that are shared across different geographies and functions. Both additional considerations will require further firm-wide engagement, time and delivery resources.
Strong third-party management and governance will be key
This means that firms will likely need to significantly enhance their approach to third-party management in order to gain assurance that their delivery provider is able to continually deliver within impact tolerances. Cross-programme sponsorship will be critical to ensuring that delivery expectations are met in what is an increasingly important area. Hands-on governance by board-level stakeholders and the SMF24 will need refreshed reporting frameworks and regular training, both of which will need to be baked into delivery roadmaps.
Realisation of benefits
Now that firms have the timelines, policy and supervisory statements for operational resilience, they will need to undertake efforts to deliver the regulatory change required. Embedding operational resilience into the DNA of a firm will require practical steps, such as updating change control and impact assessment arrangements, running regular and customised training programmes, and using the lens of IBSs as part of BAU. In turn, firms will capitalise on more reliable operations and consistently better customer outcomes.