We have not yet seen the level of corporate failures that many predicted over the past year, but as government support measures, such as the furlough scheme, are withdrawn, insolvencies may increase. Should this happen to a third-party service provider, there may be a significant impact on your business. Firms have one year to implement the regulators' operational resilience strategy requirements, so understanding the expectations for third-party risk management is key.
On 29 March 2021, the Prudential Regulation Authority (PRA) issued a supervisory statement on outsourcing and third-party risk management. Firms must identify and regularly assess their reliance on critical service providers and put risk management systems and strategies in place to deal with outsourced service providers. Management needs to understand how quickly they could replace a key service provider if it can no longer fulfil its obligations to the firm. The economic uncertainty caused by the current circumstances has increased the risk of this occurring, and the seismic shifts across the market, from the acceleration of longer-term structural changes to businesses refocusing in response to the crisis, may make it more difficult to find alternative providers.
Firms also need to be aware of concentration risks. Consider how important your firm is to any third-party provider. Should that provider have to reduce the number of clients it services, what priority will be given to your firm compared to others? Firms need to consider how easily they can switch providers should the need arise.
Regulators understand that firms cannot make detailed predictions of what happens within a third-party provider, but they are looking for management to initiate active dialogue about the part those providers play in the firm's own operational resilience: its ability to deliver an important business service and to meet the tolerance the firm has set for itself.
It will be interesting to see how firms and the regulators interpret and put into practice this increasingly important element of operational resilience. As restructuring professionals, we are acutely aware of the importance of key suppliers. A considerable amount of our time is spent understanding businesses' reliance on third parties and putting in place contingency plans in case their continued support cannot be relied upon.
How much management time firms will commit to this is unclear. Will the increased focus on this area, both from a regulatory perspective and broader concerns about operational resilience in the current circumstances, move it up the agenda?
The PRA published this supervisory statement on outsourcing and third-party risk management to complement its existing requirements and expectations on operational resilience, and the guidance from the Financial Conduct Authority (FCA). The final guidance on operational resilience was published on 29 March 2021. The deadline for implementing changes is 31 March 2022.
The FCA has said that senior management is expected to take responsibility for delivery of policy outcomes. This means that if businesses face a disruptive event, and management cannot evidence appropriate recovery or contingency planning to rectify it in a timely way, then both the firm and its senior managers may be held accountable by the FCA and/or PRA.
Many firms have already started implementing an operational resilience framework based on the proposals for this guidance issued in December 2019. The regulators have issued several clarifications and amended definitions in response to feedback received on those initial proposals.
Firms need to identify key business services that would cause harm to consumers or market integrity if they were disrupted. These important business services should be identified annually, as well as after a material change in the business. The level of granularity required should be such that management are able to consider what the risks would be to end-users if each 'important business service' was disrupted, and apply impact tolerances to each of them.
In response to requests for clarity, the regulators have confirmed that internal services, such as HR or payroll, should not be identified as important business services.
Once management understand how consumers would be harmed in the event of any disruption, firms need to measure the maximum tolerable level of disruption to each important business service. Tolerances should be based on one disruption only, so that firms can understand how quickly they could restore service after that particular disruption.
'Length of time' has now been made a mandatory metric when measuring impact tolerance, together with 'any other relevant metrics', for example the maximum value of disruption or the number of customers affected. The policy document also clarifies that firms regulated by both the FCA and PRA will need to identify two separate impact tolerances for their important business services, although they could be set at the same level.
Firms are required to identify and document the people, processes, technology and information required to deliver each important business service. This is to identify vulnerabilities and to test their ability to remain within impact tolerances. This 'mapping' of each key service should be detailed enough to help identify the resources required to deliver each service.
Amid concerns that mapping was one of the most resource intensive elements for firms, the recent policy document clarifies that a 'proportionate' approach is appropriate. Firms should take an "outcomes-based approach, in ways most appropriate for their circumstances". The regulators have also confirmed that only initial mapping needs to be completed by 31 March 2022. Firms are not expected to have informed mapping "to the full extent of sophistication" by this deadline. Mapping needs to be an ongoing process and should evolve over time. However, by 31 March 2025 firms need to have "sound, effective and comprehensive strategies, processes and systems" in place to enable them to address risks that might affect their ability to remain within their impact tolerances.
Firms are required to undertake scenario testing to understand whether they can remain within their impact tolerances, and to ensure that suitable mitigation and recovery strategies are put in place. As part of this, management are required to maintain and update a self-assessment document. This should identify weaknesses within their operational resilience arrangements and outline the scenario testing performed and its findings.
The FCA and PRA also specifically require firms to undertake 'lessons learned' exercises to identify, prioritise and invest in their ability to respond to and recover from disruptions as effectively as possible. The self-assessment and lessons learned documentation must be available to the regulators upon request, so it is important that all decisions and processes are properly documented and regularly reviewed.
By 31 March 2022 firms must have commenced scenario testing to a level of sophistication that enables identification of vulnerabilities in their operational resilience. As with mapping, scenario testing is expected to be ongoing, and should be performed at increased levels of sophistication over time, with full strategies and systems in place by 31 March 2025.
This increased focus on operational resilience should benefit firms beyond simply satisfying the regulators. It overlaps with wind-down and contingency planning: the processes of identifying key business activities that could impact customers and the market, and of mapping them, should also allow firms to create more robust and deliverable wind-down plans. In the event of financial stress, it should assist restructuring professionals in developing contingency plans in a more efficient, robust and cost-effective manner.
For more information get in touch with Andy Charters, Financial Services Restructuring.