Last December the PRA, FCA and the Bank of England released a series of consultation papers outlining their co-ordinated approach to operational resilience.
While there is little divergence from the initial discussion paper, firms should review how the developments affect their emerging operational resilience frameworks, explains Paul Young.
Operational resilience regulation accepts that service outages happen and aims to minimise the harm to consumers and the wider economy. To do this, firms must identify their important business services and stay within pre-agreed tolerance levels. Mapping supporting processes helps identify potential causes of outages and find contingency methods to restore important business services.
Recapping the operational resilience changes
Building on these key concepts, the BoE/PRA and FCA operational resilience consultations expand on key definitions and expectations in the following areas:
Clarification over the term "business service"
These are ongoing services to customers that consist of a chain of activities. They should not be confused with an overall business line or product.
A non-prescriptive approach to management of supporting functions
Firms should decide which parts of the activity chain are important in order to set the granularity of the approach. Supporting services should be prioritised by a risk assessment to help implement impact tolerances.
Mapping aims to identify weaknesses underpinning business services
These may include limited ability to substitute resources, high complexity, single points of failure and concentration risks.
Operational resilience is a board level concern
The board and senior management should approve the identification of important business services, the setting of impact tolerances, selection of stress scenarios, and the prioritisation of investments. This relies on adequate management information with clear responsibility structures and ultimate accountability resting with the chief operations role (SMF 24) under the Senior Managers and Certification Regime.
Differentiation between risk appetite and impact tolerance
Risk appetite focuses on potential risk, but impact tolerance assumes the risk has crystallised and concentrates on the aftermath.
A proportionate stress-testing plan
This should consider different types of scenario testing, frequency, resourcing and changes to the testing environment or parameters. Scenarios should be severe, but plausible.
Firms should maintain a self-assessment
An up-to-date self-assessment summarising the firm's approach to operational resilience must be approved by the board and made available to regulators on request. There is currently no reporting requirement, but this is to be clarified in 2020.
A consistent approach across the group
Operational resilience is a group-level concern that goes beyond the individual entity, so consistent application across the group is important.
Outsourcing presents an additional risk
As with any outsourced function, regulatory responsibility remains with the firm, not the third party. Mapping and scenario selection must take outsourced functions into account and contractual clauses should support the regulation. The PRA released a consultation paper on outsourcing with the operational resilience documents in December.
Identifying important business services and their supporting activities is inherently broad, and implementation will be a challenge for the sector. This is particularly true for groups and large organisations, which may have a significant number of important services and a complex network of supporting processes. These processes will cross all areas of the business, and firms should consider the interaction with other regulatory expectations, such as operational continuity in resolution (OCIR), outsourcing, business resilience and cyber security.
What to do now?
Although the consultation closes in April, the BoE/PRA and FCA operational resilience papers included draft supervisory statements, so it’s unlikely that these will change considerably, and firms have a lot of work to do. FCA-regulated firms will have a three-year transition period for impact tolerances, but the regulators expect these firms to be able to remain within their tolerance levels as soon as possible. They will need to reflect actions being taken within their self-assessment document.
Firms should set up a project team (with senior oversight) to identify their important business services and map the supporting activities and resources. The team should establish a series of extreme, but plausible, scenarios to test the firm’s operational resilience and use these outputs to create appropriate impact tolerances. Firms should develop a robust operational resilience strategy, with appropriate governance and monitoring processes and look for synergy with existing processes.