January 5, 2023
The FCA and PRA have published their final rules on operational resilience requirements, with the key objective of ensuring that financial services firms are prepared and able to deliver their key and important business services in the event of disruption.
The UK regulators are not the only ones looking at operational resilience. It is also a key focus for regulators across EMEA and globally. In Ireland, the Central Bank of Ireland (CBI) has published cross-industry guidance on operational resilience which is closely aligned with the UK standards, and most recently the EU has published its Digital Operational Resilience Act (DORA).
Explore our insights and what this might mean for your firm.
What is Operational Resilience?
In effect, operational resilience is being able to identify and prepare for, respond and adapt to, and recover and learn from operational disruptions. Firms must have a thorough understanding of their important business services, as well as the people, processes, facilities, information, and systems that underpin them.
The new rules do not replace existing requirements on how firms manage operational risk or business continuity planning but set new requirements to enhance firms’ resilience. There is a shift in how firms should think about disruption – rather than focusing on the likelihood of a risk occurring and the impact if it does, the new requirements are underpinned by the assumption that disruption will crystallise and ask how quickly the firm can recover from it. The Covid-19 pandemic threw this into sharp relief for the industry.
Unlike existing business continuity planning, the focus has shifted from protecting the firm and its reputation to preventing incidents from impacting consumers and the wider financial market.
The new UK rules will apply to a wide range of firms, including banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges and Enhanced-scope SMCR firms. The Irish rules apply to all regulated financial service providers. Pershing EMEA is in scope for these operational resilience requirements within both jurisdictions.
The EU’s DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats. These requirements are homogeneous across all EU member states, including PSIL in Ireland. The core aim is to prevent and mitigate cyber threats.
The key Operational Resilience requirements include:
Critical / Important Business Services—Firms must identify their “important business services”, which can be defined as a service provided by a firm, or by another person on behalf of the firm, to one or more clients which, if disrupted, could: (i) cause intolerable levels of harm to any one or more of the firm’s clients, or (ii) pose a risk to the soundness, stability or resilience of the financial system, or the orderly operation of the financial markets. Firms should consider a number of factors in order to determine what constitutes an important business service, which include but are not limited to: the nature and size of their client base, the time criticality for clients in receiving a service, the substitutability of the service, the potential impact of a failure of the service on the wider financial system, whether disruption to the service could amount to a breach of a legal or regulatory obligation, and the level of inherent conduct and market risk.
The firm’s important business services will have to be reviewed at least annually or when there is a material change to the business, including if the firm carries out a new activity, outsources a new/existing service to a third party, or there are changes to its service in terms of scale or potential impact.
Impact Tolerances—Firms are required to set “impact tolerances” for each of their important business services. This is the term the regulators use to describe the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause ‘intolerable harm’ to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the financial system or the orderly operation of the financial markets. Similar factors will need to be considered as those used to identify important business services when setting the appropriate impact tolerances. This assessment will have to be reviewed at least annually or when there is a material change to the firm’s business.
Mapping and Scenario Testing—Firms need to identify and document the people, processes, technology, facilities, and information necessary to deliver each of their important business services. Firms must also develop, maintain, and execute plans to test their ability to remain within impact tolerances in ‘severe but plausible’ scenarios. This includes cases where the firm relies on a third party to deliver an important business service; firms therefore have to map and test third parties so that they have a sufficient understanding of their vulnerabilities.
Communication Plans—Firms must develop internal and external communication plans for when disruptions happen, which must clearly identify key decision makers and show escalation paths.
Self-Assessment Document and Lessons Learnt Exercises—Firms must conduct ‘lessons learnt’ exercises following scenario testing or operational disruptions and must take the necessary actions to improve their ability to effectively respond to and recover from future disruption. Firms will also have to prepare a tailored “self-assessment document”, showing the firm’s resilience journey and how it complies with the requirements. This will have to be reviewed, updated and approved by the Board ‘regularly’.
Linda Gibson, Head of Regulatory Change (December 2022)
It is clear that the regulators are expecting firms to give operational resilience the same focus as financial resilience.
Crucially, the first UK implementation date of 31 March 2022 was just the beginning and firms will need to evidence going forward that they can stay within tolerance for their most important business services.
As we anticipated, the regulators have started to provide the industry with feedback and signal the direction of travel. The PRA published a speech in June 2022, in which it calls out that it has seen a variety of approaches in terms of the granularity with which firms have identified their important business services. In addition, the PRA identified some gaps in terms of how dual-regulated firms have set their impact tolerances against both the FCA’s and the PRA’s objectives. It also indicated the need for firms to be able to justify their rationale for how they implemented the first phase of requirements. The FCA will likely take the same approach, and this could become a key discussion point of their supervisory visits with firms.