UK financial firms given green light on operational resilience
This article was first published in FT Global Risk Regulator
New policies on operational resilience from UK regulators give firms the confidence to push ahead with necessary changes and investment.
On March 29, 2021, new operational resilience policies were published by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA). While these policies are closely aligned to the key points made in earlier consultation papers, they continue to stress the importance of identifying and maintaining important business services (IBSs) that are essential to operational resilience and preventing consumer harm.
There are several themes, and subsequent implications, for firms to consider as they deliver their operational resilience programmes:
Definitions and timelines
- The PRA and FCA have aligned definitions and requirements to their individual objectives, legislation and regulatory frameworks
- The policies retain the existing flexibility, proportionality and levels of pragmatism in enabling individual firms to apply the rules and guidance
- Furthering an iterative and continual improvement approach is encouraged; for example, recognising that both mapping and scenario testing will take significant effort
- Additional guidance and clarity have been provided on timeframes for implementation: firms are required to identify IBSs and impact tolerances by March 31, 2022, and must undertake mapping and scenario testing to the level of sophistication required to support this, while also identifying any vulnerabilities. Firms will then need to ensure that they are able to operate within their impact tolerances by March 2025.
The clarity and flexibility provided by the UK regulators will enable firms to progress confidently with their operational resilience delivery programmes. The specified timelines will drive the prioritisation of activities and the level of detail to which they will need to be completed. Because mapping and testing no longer need to be delivered in totality by March 31, 2022, firms will need to ensure that their delivery programmes account for an iterative approach that delivers continual improvement. We expect that firms will be rapidly refreshing their delivery plans in line with published policy.
IBSs and impact tolerances are at the heart of operational resilience
- Duration has been specified as a metric that must be included in impact tolerances, and can be supplemented with additional metrics, such as the number of impacted customers
- While firms are not expected to set specific impact tolerances for vulnerable customers, they should be considered as a part of identifying IBSs and setting impact tolerances
- IBSs, impact tolerances and mappings are to be reviewed annually at a minimum or when there is material change. Testing is to be undertaken when there is a material change to IBSs, or following improvements made by the firm to findings from a previous test, or on a regular basis
- Firms are directed to continue to set impact tolerances for IBSs with reference to a single disruption, as opposed to an aggregation. As a part of the approach, firms are encouraged to consider how disruption to multiple services at once may result in intolerable harm
- Where appropriate, firms should introduce a proportionate number of group IBSs
In addition to duration, firms will need to consider a wide range of factors — including vulnerable customers — when identifying IBSs and their impact tolerances. The requirement to refresh this annually means that firms will need to define, document and embed a practical and repeatable approach to delivering both IBSs and impact tolerances, as opposed to a one-off ‘tick-box’ exercise.
Firms are also expected to consider what happens when multiple services fail at once, since simultaneous failures compound the impact on the rest of their operations. On this topic, firms should also identify group services that are shared across different geographies and functions. Both additional considerations will require further firm-wide engagement, time and delivery resources.
Strong third-party management and governance will be key
- The policies reiterate that where there is a reliance on a third party, firms should satisfy themselves that they will be able to operate within tolerance. This could include understanding relevant fourth and fifth parties and undertaking testing with third parties
- Governance and board-level ‘hands-on’ engagement are reiterated, as is the role of the senior manager function 24 (SMF24), who will provide oversight of operational resilience
- Communications and self-assessments are topics that feature and remain broadly consistent with the consultation papers. There are, of course, exceptions — for example, ‘lessons learned’ being added to PRA Self Assessments.
This means that firms will likely need to significantly enhance their approach to third-party management in order to gain assurance that their third-party providers are able to continually deliver within impact tolerances. Cross-programme sponsorship will be critical to ensuring that delivery expectations are met in what is an increasingly important area. Hands-on governance by board-level stakeholders and the SMF24 will need refreshed reporting frameworks and regular training, both of which will need to be baked into delivery roadmaps.
Realisation of benefits
Now that firms have the timelines, policy and supervisory statements for operational resilience, they will need to undertake efforts to deliver the regulatory change required. Embedding operational resilience into the DNA of a firm will require practical steps, such as updating change control and impact assessment arrangements, running regular and customised training programmes, and using the lens of IBSs as part of business-as-usual (BAU) activity. In turn, firms will capitalise on more reliable operations and consistently better customer outcomes.