A key priority of both the PRA and FCA (“the regulators”) is to put in place a stronger regulatory framework to promote operational resilience of firms and financial market infrastructures (FMI).
In July 2018, the regulators published their joint Discussion Paper (DP) on Operational Resilience. The DP set out the regulators’ approach to operational resilience.
Fast forward 17 months to December 2019, the regulators have now published their Consultation Papers (CP) on Building Operational Resilience with the aim of developing and expanding the points raised in the discussion paper based on feedback received.
Summary of key proposals
Operational resilience is the ability of organisations and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions. Operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and market integrity, threaten the viability of firms and cause instability in the financial system. The consultation paper therefore focuses on how the provision of these services can be maintained in the event of disruptions.
Similarly to the discussion paper, the consultation paper proposes that firms should take the following actions to ensure operational resilience:
- Mapping - organisations should identify important business services and document the people, processes, technology, facilities and information that support the delivery of that service. By looking at all the stages required in providing the business service, an organisation will be able to develop a clearer picture of how best to support its resilience.
- Impact Tolerances – organisations should set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption). Once defined, organisations should test their ability to remain within impact tolerances through a range of severe but plausible scenarios whereby service provision is disrupted.
- Lessons learned – organisations should conduct lessons learned exercises to identify, prioritise and invest in the ability to respond and recover from disruptions as effectively as possible.
- Communication plans – organisations should develop internal and external communications for when important business services are disrupted.
In a number of areas, the regulators have sought to provide additional clarity by amending the definition of key terms:
- Important business service – a service provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability
- Impact Tolerances – the maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.
- Scenario testing - an organisation or FMI’s ability to remain within its impact tolerance for each of its important business services in the event of a severe (or in the case of FMIs, extreme) but plausible disruption of its operations. In carrying out the scenario testing, an organisation must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to delivery of the firm or FMI’s important business services in those circumstances.
The consultation papers reflect the need to apply proportionality when organisations comply with their obligations and the papers contain a number of worked examples of the requirements based on different size organisations.
Finally, the regulators have introduced the concept of a self-assessment as it is important for organisations to be able to demonstrate that they are meeting their responsibilities in respect of operational resilience. It is therefore proposed that organisations should create a self-assessment document which includes:
- The organisation’s important business services
- The impact tolerances set for these important business services
- The organisation’s approach to mapping, including how the organisation has identified its resources, and how it has used mapping to identify vulnerabilities and support scenario testing
- The organisation’s strategy for testing its ability to deliver important business services within impact tolerances through severe but plausible scenarios, including a description of the scenarios used, the types of testing undertaken and the scenarios under which organisations could not remain within their impact tolerances
- An identification of the vulnerabilities that threaten the organisation’s ability to deliver its important business services within impact tolerances, including the actions taken or planned, and justifications for their completion time
- The firm’s lessons learned exercise
- The methodologies used to undertake the above activities.
The regulators will close the consultation period on 3 April 2020. Once feedback has been considered, it is the intention that rules will be finalised in a Policy Statement to be published towards the end of 2020.
How BDO can assist
As experienced financial services and technology experts, we have the breadth and depth of expertise to assist firms in developing their resilience capabilities.
To find out more, download our latest report.