January 10, 2022
The FCA and PRA have published their final rules on operational resilience requirements, with the key objective to ensure that financial services firms are prepared and able to deliver their key and important business services in the event of disruption.
Explore our insights and what this might mean for your firm.
What is Operational Resilience?
In effect, operational resilience is being able to prevent, adapt, respond to, recover and learn from operational disruptions. Firms must have a thorough understanding of their important business services, as well as the processes, systems and people that underpin them.
The new rules do not replace existing requirements on how firms manage operational risk or business continuity planning but set new requirements to enhance firms’ resilience. There is a shift of how firms have to think about disruption – rather than focusing on the likelihood of the risk occurring and the impact if they do, the new requirements are underpinned by the assumption of disruption crystallising and how quickly the firm can recover from such disruption. The Covid-19 pandemic threw this into sharp relief for the industry.
Unlike existing business continuity planning, the focus has shifted from protecting the firm and its reputation to preventing incidents from impacting consumers and the wider financial market.
The new UK rules will apply to a wide range of firms, including banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges and Enhanced-scope SMCR firms.
The key Operational Resilience requirements include:
Important Business Services—Firms must identify their “important business services”, defined as a service provided by a firm, or by another person on behalf of the firm, to one or more clients which, if disrupted, could: (i) cause intolerable levels of harm to any one or more of the firm’s clients, or (ii) pose a risk to the soundness, stability or resilience of the UK financial system, or the orderly operation of the financial markets. Firms should consider a number of factors in order to determine what constitutes an important business service, which include but are not limited to: the nature and size of their client base, the time criticality for clients in receiving a service, the substitutability of the service, the potential impact of a failure of the service on the UK financial system, whether disruption to the service could amount to a breach of a legal or regulatory obligation, and the level of inherent conduct and market risk. The firm’s important business services will have to be reviewed at least annually or when there is a material change to the business, including if the firm carries out a new activity, outsources a new or existing service to a third party, or there are changes to its service in terms of scale or potential impact.
Impact Tolerances—Firms are required to set “impact tolerances” for each of their important business services. This is the term the FCA/PRA use to mean the maximum tolerable level of disruption to an important business service, measured as a length of time in addition to any other relevant metrics, and reflecting the point at which any further disruption to the important business service could cause ‘intolerable harm’ to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. Similar factors to those considered for identifying important business services will need to be considered when setting the appropriate impact tolerances. Again, this assessment will have to be reviewed at least annually or when there is a material change to the business.
Mapping and Scenario Testing—Firms need to identify and document the people, processes, technology, facilities and information necessary to deliver each of their important business services. Firms must also develop, maintain and execute plans to test their ability to remain within impact tolerances in ‘severe but plausible’ scenarios. This includes where the firm relies on a third party to deliver an important business service; firms therefore have to map and test third parties so that they have a sufficient understanding of their vulnerabilities.
Communication Plans—Firms must develop internal and external communication plans for when disruptions happen, which must clearly identify key decision makers and show escalation paths.
Self-Assessment Document and Lessons Learnt Exercises—Firms must conduct ‘lessons learnt’ exercises following scenario testing or operational disruptions and must take the necessary actions to improve their ability to respond to and recover from future disruption effectively. Firms will also have to prepare a tailored “self-assessment document”, showing the firm’s resilience journey and how it complies with the requirements. This will have to be reviewed, updated and approved by the Board ‘regularly’. While it doesn’t need to be submitted to the FCA, it will need to be complete and made available to the FCA, on request, from 31 March 2022.
Linda Gibson, Head of Regulatory Change (December 2021)
It is clear that the regulators are expecting firms to give operational resilience the same focus as financial resilience. The new rules will have a significant impact on firms, extending to strategy, governance and third-party management. Implementing the new requirements will require significant coordination and input across all business functions, and considerable scenario analysis and agreement before final Board review and approval.
Crucially, the first implementation date of 31 March 2022, by which firms must have a policy in place, is just the beginning. Firms will need to evidence going forward that they can stay within tolerance for their most important business services.
The FCA is not the only regulator looking at Operational Resilience. It is also a key focus for regulators across EMEA and globally, and therefore firms will need a coordinated approach across their business operations. For example, the Central Bank of Ireland (CBI) recently published its proposals on Operational Resilience Guidelines, which are closely aligned with the UK standards, and there are also legislative proposals under way at an EU level for a framework on digital operational resilience (‘DORA’).