Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Impact
Culture
Possibility
Explore our work: what we do, how we do it, and the value we create for our clients.
Global Shifts
Empowered consumers
Healthier humans
Future organisations
Business for better
Safer societies
Sustainable world
Industries
Consumer and manufacturing
Defence and security
Energy and utilities
Financial services
Government and public sector
Health
Life sciences
Transport
Services
Set growth strategy
Build brands, products, and services
Reimagine AI, digital, and data
Improve organisational performance
Deliver complex programmes
Empower your people
Impact
Culture
In the media

Stalled at the lights: meeting regulatory expectations for operational resilience

Sundeep Gupta

By Sundeep Gupta

Global Banking Regulation Review

04 February 2021

Tags

This article was first published in Global Banking Regulation Review

The lights have gone green and a range of banks, insurers, asset managers and wider financial services organisations have started their operational resilience programmes in earnest to follow regulatory guidance.

In the UK both the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) have made it clear that operational resilience is as important as financial resilience, and it is likely that the published policy at the end of Q1 will closely follow the principles and draft policy set out in the recent consultation papers. In 2020, global regulators and bodies increasingly issued equivalent expectations through consultation papers and guidance, a trend expected to continue in 2021.

While most firms we have worked with are using pragmatic, proportionate and repeatable methods to deliver operational resilience, there are significant areas that have been historically neglected, often due to the weight of competing regulatory programmes. These areas require rapid investment and inclusion to successfully address new regulatory focus.

To ensure these oversights are addressed properly, we believe there are three things firms need to do differently in 2021. First, start at the top with active ownership delivered through formalised governance structures. Second, manage third parties to align operational resilience requirements and existing programmes, while managing intra-group arrangements. Finally, firms should rapidly evolve their change controls and processes to assess the impact of operational resilience pillars.

Start at the top

Through a range of meetings and industry platforms, regulators have made clear that defined, board-level sponsorship and “hands on” engagement with the delivery of the programme will lead to a successful outcome. We have found operational resilience governance structures are broadly absent, and that where they are in place, key individuals do not have the detailed understanding required, and no plans for training are in place. Worryingly, we have also seen that a number of senior manager function 24 (SMF24) personnel – responsible for operational resilience under the UK’s Senior Managers & Certification Regime – are not equipped with the appropriate knowledge or resources to successfully deliver on their role.

To address this gap, firms must define the sponsorship and governance for operational resilience, and ensure that tailored and detailed training is provided to board members, SMF24s, important business service (IBS) owners and delivery leads. Delegation of responsibilities needs to be clear and coupled with clear levels of documented supervision.

Align operational resilience requirements

Third parties play an increasingly important part in delivering IBSs for firms. There is an expectation from the regulators that firms will do much more to manage these third parties’ performance, especially where there are operational resilience dependencies and risks.

Existing third-party arrangements and remedial programmes are not sufficient to meet operational resilience requirements. In most cases the requirements have not been communicated, and neither has the urgency to deliver been understood. Procurement teams are stretched and are not asking probing questions on what governance would be in place for each major outsourced contract. We have also observed that when something goes wrong, contractual clauses are not always in place to manage third parties rigorously.

Further, we have observed little awareness or proactive management of intra-group arrangements. Intra-group dependencies will need to consider how they govern operational resilience, especially where there are dependencies on entities in different parts of the world, and how influence can be demonstrated.

To address this, firms must define the third-party and intra-group operational resilience requirements and bake them into their delivery programmes. They must ensure that questionnaires and due diligence for critical third parties are probing and consider “fourth” parties as appropriate. Finally, they must consider governance, change control arrangements, and feedback mechanisms within intra-group arrangements.

Rapidly evolve change controls and processes

Change control processes will continue to be key in preventing disruption to services. Traditionally, change control is rooted in information technology (IT) change, and needs to evolve to include IBSs and mapping. From our recent work with a broad range of clients, we have observed that change control is not being considered or built into operational resilience work programmes. Regulators will be looking to review the change control process, including a focus on incidents, problems and changes, before any changes are implemented.

Firms must therefore take steps to identify gaps and the required improvements to the change control process and supporting impact assessments, and to build change control improvements into their operational resilience programme.

Finally, when the mapping activity for IBSs is completed, firms must test the captured interlinkages and interdependencies, to gain assurance that when a change is planned, the appropriate impacts on different parts of the business can be considered and form part of the testing process to minimise disruption.

Look beyond the lights – to the next junction

Mapping activity – while not yet so far underway to worry about stalling existing priorities – is already being given extensive consideration by regulators, who are already baking it into firm reviews. Therefore, we recommend that firms start to consider some preparatory actions in this area.

For example, firms should ensure there is sufficient mapping coverage, with a focus on interconnectedness and interdependencies, and the right policies, controls or technology in place, so as to ensure high data quality, accuracy and reporting.

In advance of regulatory policy being issued, operational resilience teams are working hard to interpret and deliver against expectations. There are key areas that are not to be forgotten and the initial steps recommended will contribute to the overall levels of resiliency.

Explore more

Press release

PA Consulting - Bringing Ingenuity to Life

We're proud to announce the publication of ‘Ingenuity Review 23’.
Female engineer working in modern office holding wind turbine model
In the media

Fintechs and banks join forces for green transition

Explore the pivotal role of banks and fintechs in driving green transition and addressing climate action.
Female engineer working in modern office holding wind turbine model
London Big Ben and traffic on Westminster Bridge
Press release

PA Consulting comments on the Spring Budget

Heading towards a General Election, our experts share their thoughts on the UK Chancellor’s announcements.
London Big Ben and traffic on Westminster Bridge
Young Asian woman shopping online on her smartphone and making mobile payment with credit card
In the media

Here, banks are responsible for compensation for fraud

PA financial services expert Caroline Wayman clarifies how Consumer Duty will help protect customers affected by payment fraud.
Young Asian woman shopping online on her smartphone and making mobile payment with credit card

Contact the team

We look forward to hearing from you.
Get in touch

Get actionable insight straight to your inbox via our monthly newsletter.