Operational resilience – is your firm ready?
Published
20 May 2022
If there is one lesson learned from the Covid-19 pandemic, it’s the importance of having an effective business continuity plan! Pre Covid-19, it’s fair to say that your firm’s business resumption and continuity response should have been a key item on the Risk Register, along with ensuring that the supporting systems and controls were in place and subject to regular testing. Several firms may also have detailed scenario planning in place to support the Internal Capital Adequacy Assessment Process (ICAAP), but how many will have planned specifically for an event such as Covid-19, with all its associated implications? Responding quickly and effectively to Covid-related restrictions has been a whole different ball game to managing a few days’ outage caused by a burst water main, localised gas leak, or an internal IT systems failure. Firms’ business continuity plans will have been well and truly tested over the last 2 years, and many will have been rewritten with the benefit of experience!
In one of those strange quirks of timing, in December 2019 the FCA published CP19/32 ‘Building operational resilience: impact tolerances for important business services’ and feedback to DP18/04 – covering the joint FCA / PRA policy summary on operational resilience. In March 2020, the UK entered its first Covid lockdown.
The regulators’ answer to operational disruption
Addressing operational resilience is a joint initiative between the FCA and PRA and CP19/32 underlined the importance of ensuring that the UK financial sector is operationally resilient. The consultation was followed by the publication of FCA’s PS21/3 Building Operational Resilience in March 2021, implementing the majority of proposals across various financial services sectors including insurers, enhanced scope SMCR firms and payment services providers.
In a nutshell, operational resilience is the ability of firms, financial market infrastructures and the financial services industry per se to prevent, address, recover and learn from operational disruption.
The FCA’s view is that operational disruption and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and/or risk to market integrity, whilst threatening the viability of firms and causing instability in the financial system. The disruption caused by Covid-19 has shown why it is critically important for firms to understand the important business services they provide, and to invest in their resilience arrangements to protect themselves, consumers, and markets.
What’s changing?
By 31 March 2022 firms must have:
- Identified the business services that, if disrupted, could cause intolerable harm to their consumers, pose a risk to market integrity, threaten the viability of firms or cause instability in the financial system
- Set impact tolerances for the maximum tolerable disruption to these services
- Carried out mapping and testing to a level of sophistication necessary to identify important business services, set impact tolerances and identify any vulnerabilities in their operational resilience
- Conducted lessons learned exercises to identify, prioritise, and invest in their ability to respond and recover from disruptions as effectively as possible
- Developed internal and external communications plans for when important business services are disrupted
- Prepared self-assessment documentation
As soon as reasonably practicable after 31 March 2022 and no later than 31 March 2025, firms will need to have:
- Performed mapping and testing so that they can remain within impact tolerances for each important business service
- Made the necessary investments to be able to operate consistently within their impact tolerance
What do these changes mean?
The FCA and PRA expect firms to be operationally resilient by having a comprehensive understanding and mapping of the people, processes, technology, facilities, and information necessary to deliver each of the important business services.
“Important business services” means a service provided by a firm, or by another person on behalf of the firm, to one or more customers of the firm which, if disrupted, could cause intolerable levels of harm to those customers or to market integrity. Firms must therefore identify those services which, if disrupted could lead to potential consumer harm.
This is very much down to the firm’s judgment but must focus on services which impact consumers. For the purposes of this exercise, internal functions such as payroll services are not important business services, although they may be essential to the smooth running of the firm and so can still be included as part of the firm’s mapping exercise.
These services should be reviewed at least annually, or earlier where there is a material change. The firm should document its detailed reasoning as to how it has determined its important business services. In particular, there should be a distinct reasoning to support each important business service and detailed methodologies/metrics will be helpful in demonstrating the rationale. For example, it may include the numbers of consumers that might be affected, the ability (or otherwise) of consumers to move to an alternative provider, and the way in which consumers could be harmed.
It is difficult to determine the degree of impact that will be tolerable without first understanding what impact could look like and how it might change as the level of disruption becomes more severe (e.g. it becomes prolonged and/or more widespread). Firms need to consider in detail the point at which any further disruption could cause intolerable harm, i.e. the point at which the harm caused to the customer is so acute, long lasting, or widespread that it cannot be easily remedied. It also includes the scenario in which a risk to the firm’s safety and soundness and/or to financial system/market stability has crystallised (e.g. customers defaulting, material movements in market pricing, availability of products from the industry being impacted, wind-down plan thresholds being breached). One of the key actions will be to engage different parts of the business in the conversation, including customer-facing teams as well as operations and technology teams.
Firms need to test their impact tolerances in a range of “severe but plausible” scenarios. This approach will give firms a clear idea of where unexpected events may fall outside acceptable tolerances when they come to test them. This should include circumstances inside and outside the firm’s control; for example, cyber-attacks, regional/national power failures etc.
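As an added illustration (not code from the article or from ZISHI Cornerstone), the steps described above (map each important business service to the resources it depends on, set an impact tolerance, then test severe but plausible scenarios against those tolerances) can be expressed as a small model. The firm, service names, resources, tolerances and scenarios below are constructed for the example; the one simplifying assumption is that a service is unavailable for as long as its longest-unavailable dependency, with no workaround credited.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class ImportantBusinessService:
    """A service that, if disrupted, could cause intolerable harm, with its
    impact tolerance and the mapped people/process/technology/facility/
    information resources it needs."""
    name: str
    impact_tolerance_hours: float   # maximum tolerable disruption
    dependencies: Set[str]


@dataclass(frozen=True)
class Scenario:
    """A severe-but-plausible disruption: which resources are lost, for how long."""
    name: str
    outages: Dict[str, float]       # resource -> hours unavailable


# Constructed sample data (hypothetical firm; not from the article).
SERVICES = [
    ImportantBusinessService("Retail payments", 4.0,
        {"payments platform", "primary data centre", "payments ops team"}),
    ImportantBusinessService("Customer account access", 8.0,
        {"online banking app", "primary data centre", "identity provider"}),
    ImportantBusinessService("Mortgage drawdown", 48.0,
        {"lending system", "mortgage ops team", "third-party conveyancing portal"}),
]

# The firm's resource map; the third-party portal is deliberately missing to
# show how a mapping gap is surfaced.
RESOURCE_MAP = {"payments platform", "primary data centre", "payments ops team",
                "online banking app", "identity provider", "lending system",
                "mortgage ops team"}

SCENARIOS = [
    Scenario("Primary data centre loss (24h)", {"primary data centre": 24.0}),
    Scenario("Ransomware on lending system (72h)", {"lending system": 72.0}),
    Scenario("Regional power failure (6h)",
             {"primary data centre": 6.0, "payments ops team": 6.0}),
    Scenario("Identity provider outage (2h)", {"identity provider": 2.0}),
]


def unmapped_dependencies(services: List[ImportantBusinessService],
                          resource_map: Set[str]) -> Dict[str, Set[str]]:
    """Resources a service relies on that the firm's mapping does not record.
    Returns {service: missing resources}; fully mapped services are omitted."""
    return {s.name: s.dependencies - resource_map
            for s in services if s.dependencies - resource_map}


def assess_scenario(services: List[ImportantBusinessService],
                    scenario: Scenario) -> Dict[str, Tuple[float, bool]]:
    """Disruption each service suffers under the scenario and whether it stays
    within tolerance. Assumes a service is down for as long as its
    longest-unavailable dependency (no workaround credited)."""
    result = {}
    for s in services:
        hit = [h for r, h in scenario.outages.items() if r in s.dependencies]
        disruption = max(hit) if hit else 0.0
        result[s.name] = (disruption, disruption <= s.impact_tolerance_hours)
    return result


def tolerance_breaches(services: List[ImportantBusinessService],
                       scenarios: List[Scenario]) -> List[Tuple[str, str, float]]:
    """(scenario, service, hours beyond tolerance) for every breach, worst first."""
    tol = {s.name: s.impact_tolerance_hours for s in services}
    rows = []
    for sc in scenarios:
        for name, (disruption, ok) in assess_scenario(services, sc).items():
            if not ok:
                rows.append((sc.name, name, disruption - tol[name]))
    return sorted(rows, key=lambda r: r[2], reverse=True)


def resource_headroom(services: List[ImportantBusinessService]) -> Dict[str, float]:
    """For each mapped resource, the shortest tolerance of any service that
    depends on it, i.e. how long it can be lost before some tolerance is
    breached. Low headroom marks a remediation/investment priority."""
    headroom: Dict[str, float] = {}
    for s in services:
        for r in s.dependencies:
            headroom[r] = min(headroom.get(r, float("inf")), s.impact_tolerance_hours)
    return headroom


if __name__ == "__main__":
    print("Mapping gaps:", unmapped_dependencies(SERVICES, RESOURCE_MAP))
    for scenario, service, over in tolerance_breaches(SERVICES, SCENARIOS):
        print(f"BREACH  {scenario:<38} {service:<25} {over:>5.1f}h over tolerance")
    for resource, hours in sorted(resource_headroom(SERVICES).items(), key=lambda kv: kv[1]):
        print(f"headroom {hours:>5.1f}h  {resource}")
```

Running the script lists the unmapped third-party dependency first, then every scenario/service pair that breaches tolerance ordered by severity, then the resources with the least headroom; the last two lists are the inputs a firm would take into its lessons-learned and investment prioritisation.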
Operational resilience and third parties/outsourcing arrangements
Firms increasingly depend on third party providers and outsourcers. This means firms need to manage these providers effectively, to reduce the risk of operational disruption and harm being caused to their consumers. Generally, outsourcing occurs when a firm engages a third-party service provider to perform a process, service, or activity on its behalf; for example, a firm may outsource hosting of a customer data centre or customer business process to a third-party. Firms should have appropriate risk management systems and controls in place which include outsourced activities and these should be accommodated in the mapping of important business services.
Remember – a firm is responsible and accountable for all the regulatory obligations that apply to outsourcing and third-party service arrangements that it has commissioned.
The FCA’s supervisory approach from 1 April 2022
The FCA has stated that it will contact firms for feedback on how they have/are implementing the requirements.
In particular, the self-assessment document must be available on request from 31 March 2022.
Board and senior manager responsibility
In line with good standards of general governance and the Senior Managers & Certification Regime (SM&CR), senior managers in all firms should know what they are responsible and ultimately accountable for. This includes establishing clear lines of responsibility for the management and oversight of operational resilience.
Firms will be expected to structure the oversight of operational resilience in a way that is effective and proportionate for their business, using existing committees or establishing new ones if necessary. Attention must be paid to achieving a clear delegation of responsibilities where an important business service is supported by a wide range of people and systems. Irrespective of firm size or complexity there should be clarity on who is responsible for what within a firm, including operational resilience. The individual with overall accountability is likely to be the person performing the Chief Operations Officer function (SMF24) and that person’s Statement of Responsibilities should be updated to include operational resilience. Where firms do not have an individual performing the SMF24 function, the firm will need to determine the most appropriate individual within the firm to take accountability.
The firm’s Board (or management body) will be expected to receive appropriate management information to inform its decision making where this has consequences for operational resilience. The Board should provide evidence that it is satisfied that the firm is meeting its responsibilities in this area. Individual board members will not necessarily be required to be technical experts in operational resilience but should, collectively, have adequate knowledge, skills and expertise to provide constructive challenge to senior management as part of their oversight responsibilities.
Final thoughts
- Firms have been given quite a short implementation period of 12 months for the initial work to be completed, followed by a three-year transition period, by the end of which firms will be expected to have carried out any remediations necessary to ensure that they meet the impact tolerances they have set for their important business services
- The onus continues to be placed squarely on senior leadership to ensure a firm’s ongoing operational resilience. The Board should sign off on the identification of important business services with associated impact tolerances and review and approve the firm’s operational resilience self-assessment. The responsibility of a firm’s SMF24 (or equivalent) for the overall delivery of its operational resilience strategy should also be affirmed
- There is a focus on important business services and impact tolerances. It is for firms to identify their important business services and then to focus on their resilience by setting impact tolerances that convey the maximum tolerable interruption of those services when faced with a severe but plausible disruption scenario. Whilst the focus is on the resilience (or continuity) of those services under severe but plausible scenarios, there should be a continuing focus on the prevention of such disruptions
- Test, test, test. Testing the resilience of services against severe but plausible disruptions must be carried out. The regulators are not prescriptive about what kinds of tests should be conducted but are keen to see the industry develop innovative ways of simulating disruptions and demonstrating resilience.
Source: Article “Operational resilience – is your firm ready?” was written by The ZISHI Cornerstone experts, and published in the Advice Matters Magazine | 2022 | Vol 03 | Edition 01