2. Initial assessment of firms’ progress

IBS

Firms have generally made positive progress in identifying their IBS. This is also a view shared by RSM based on our work with firms over the past year.

The speech emphasises that, while firms have taken different approaches to identify their IBS and with respect to the level of granularity of the IBS, a degree of flexibility has been allowed by the regulator by not specifying exactly what an IBS should be and a degree of difference was expected. RSM’s experience is that firms have made the effort to identify their IBS pertinent to their size, complexity and risk profile through firmwide stakeholder consultation.

Going forward, firms are expected to clarify how they incorporate converging approaches and shared understanding across the industry into their IBS as the guidelines in the policy on IBS evolve and differences in approaches become narrower. It is critical when identifying IBS to achieve an optimal level of granularity to ensure an IBS has an identifiable external user, can be distinguished from other services and can be linked to one impact tolerance. Further, this needs to be at the level where the Board can make prioritisation, risk and investment decisions.

Impact Tolerances

Firms have been particularly challenged when defining impact tolerances based on complexity around granularity of IBS and linking them to the regulatory objectives around customer harm, market harm and a firm’s financial stability and soundness. Firms have not in general considered all such aspects when considering impact tolerances and are expected to address gaps as a priority. RSM’s experience is that firms have generally considered a simple time-based metric in defining their impact tolerances.

The PRA will increase its focus on impact tolerances going forward to ensure firms are justified in their definitions and that comparisons and information sharing takes place amongst the industry to allow individual firms to benchmark themselves.

Mapping and testing

The PRA expressed surprise that firms had made progress on developing mapping and testing frameworks quicker than expected, leveraging existing business continuity frameworks. However, maturity of thinking varies and significant work is required to achieve coherent mapping and testing frameworks before the final deadline of March 2025.

RSM has noted that firms have made significant progress in at least agreeing a test plan, performing the desktop exercise and actual testing of mainly the recovery processes.

3. Future Steps

The PRA is expecting full implementation of the policy by March 2025 and expects firms to proactively develop and progress their approaches to mapping and testing and invest in remediating the vulnerabilities identified.

The PRA will set out a course of firm engagement after analysing submissions received and will work with other bodies like UK Finance and the FCA, as well as international bodies like the Basel Committee, to build and facilitate information sharing and growth of expertise across the sector.

The speech highlighted some other areas of ongoing work that have implications for operational resilience, including the Bank of England’s Cyber Stress Test and addressing the risks posed by Critical Third Parties. FCA and PRA publications on these areas should help to inform the operational resilience approach.

For further information, please contact Riza Unal.