15 May 2022
31 March 2022 marked a watershed moment in UK financial services: by this date, firms regulated by the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) were required to have implemented the rules on building operational resilience. This was the culmination of a three-year process that began with the consultation papers published in December 2019, CP19/32 (FCA) and CP29/19 (PRA), and concluded with the publication of the final rules in March 2021 in PS21/3 (FCA) and SS1/21 (PRA).
Firms have made significant efforts over the past three years to understand, develop and implement the key requirements of the rules: identifying important business services (IBS), defining an impact tolerance for each service, mapping each service to the people, processes, technology, facilities and information that support it, identifying severe but plausible scenarios and developing test plans, establishing governance over operational resilience, and documenting a self-assessment that sets out the firm's operational resilience framework.
The operational resilience journey now continues. Firms must embed their operational resilience framework into their policy and process framework and into existing business continuity arrangements, and have a three-year window up to March 2025 to test severe but plausible scenarios and demonstrate that important business services can remain within their impact tolerances. Firms were initially required to set impact tolerances using clear metrics, usually a time-based metric. The initial regulatory expectation was that impact tolerances would be simple metrics (time and, where relevant, data), informed by the evolving set of IBSs, relevant thresholds, past experience and industry trends, and supported by a sufficiently mature operational resilience function and framework. As operational resilience capabilities mature, firms should look to develop further metrics covering aspects such as the impact on processing volumes, the number of customers affected, market impact and financial loss.
The key next steps with respect to operational resilience were highlighted by David Bailey, Executive Director, UK Deposit Takers Supervision (Bank of England), in a speech given in April 2022 – ‘Operational resilience: next steps on the PRA’s supervisory roadmap’.
The general message is that firms have made a positive start on the journey to achieving operational resilience, but further development is still needed before the March 2025 deadline. The PRA will lead on coordinating the sharing of information and expertise gained across the industry and with other regulatory bodies to guide firms along this journey.
In his speech David Bailey referred to key developments and events that have re-emphasised the focus on operational resilience, including the migration of services to cloud computing, the Covid-19 pandemic and the crisis in Ukraine, and the challenges these have brought, such as adapting to a remote working model and managing dependencies on services and third-party providers around the world. While the sector has shown resilience to these challenges, firms still need to make progress to achieve the expected level of resilience, particularly in areas that directly affect consumers and their evolving personal finance and retail habits, such as failures of payment services, mobile apps, websites and third-party providers.
The speech focused on three key areas:
1. The Operational Resilience Policy and the PRA’s expectations
In summary, the Policy expects that:
- Firms should have identified their important business services (IBS), taking a holistic approach and considering the external end user and the potential for disruption to threaten the regulators' objectives.
- Firms should have set impact tolerances for their IBS, based on time-based metrics, on the assumption that disruption will occur.
- Firms should have mapped their IBS and developed a testing strategy, to be implemented within the three-year window up to March 2025, that uses severe but plausible scenarios and the vulnerabilities identified to demonstrate their ability to remain within impact tolerances.
A key point highlighted was the interaction and dependencies between operational resilience, outsourcing and third-party risk management, which firms need to consider when setting impact tolerances and defining plausible scenarios.
2. Initial assessment of firms’ progress
Firms have generally made positive progress in identifying their IBS. This is also a view shared by RSM based on our work with firms over the past year.
The speech emphasises that firms have taken different approaches to identifying their IBS, and to the level of granularity at which they are defined. The regulator deliberately allowed a degree of flexibility by not specifying exactly what an IBS should be, so a degree of difference was expected. RSM’s experience is that firms have made the effort to identify IBS appropriate to their size, complexity and risk profile through firmwide stakeholder consultation.
Going forward, as the guidance on IBS evolves and the differences between approaches narrow, firms are expected to explain how they incorporate the converging approaches and shared understanding across the industry into their own IBS. When identifying IBS it is critical to achieve the right level of granularity: each IBS should have an identifiable external user, be distinguishable from other services and be linked to a single impact tolerance. It also needs to be defined at a level at which the Board can make prioritisation, risk and investment decisions.
Firms have found defining impact tolerances particularly challenging, because of the complexity of setting IBS at the right level of granularity and of linking tolerances to the regulatory objectives of avoiding customer harm, avoiding market harm and maintaining the firm’s financial stability and soundness. In general, firms have not considered all of these aspects when setting impact tolerances and are expected to address the gaps as a priority. RSM’s experience is that firms have generally relied on a simple time-based metric in defining their impact tolerances.
Going forward, the PRA will increase its focus on impact tolerances to ensure that firms can justify their definitions, and will promote comparison and information sharing across the industry so that individual firms can benchmark themselves.
Mapping and testing
The PRA noted, with some surprise, that firms had made progress on developing mapping and testing frameworks more quickly than expected, by leveraging their existing business continuity frameworks. However, the maturity of thinking varies, and significant work is still required to achieve coherent mapping and testing frameworks before the final deadline of March 2025.
RSM has noted that firms have made significant progress in at least agreeing a test plan, performing desktop exercises and carrying out live testing, mainly of recovery processes.
3. Future Steps
The PRA expects full implementation of the policy by March 2025, and expects firms to proactively develop and progress their approaches to mapping and testing and to invest in remediating the vulnerabilities identified.
The PRA will set out a programme of firm engagement after analysing the submissions it has received, and will work with other bodies such as UK Finance and the FCA, as well as international bodies such as the Basel Committee, to build and facilitate information sharing and the growth of expertise across the sector.
The speech highlighted some other areas of ongoing work that have implications for operational resilience, including the Bank of England’s Cyber Stress Test and addressing the risks posed by Critical Third Parties. FCA and PRA publications on these areas should help to inform the operational resilience approach.