Enquire
logo_outline-1

An Overview of Operational Resilience

governance third parties oversight operational resilience audit trail outsourcing
Recognised CPD Badge (transparent) 24 (1)
Operational Resilience has been a hot topic in the UK for a number of years and has gathered momentum recently as the supervisory bodies issued final requirements and firms now prepare for implementation by March 2022.
 

In 2017, Charlotte Gerken, then Director of Supervisory Risk Specialists at the Bank of England spoke at the Operational Risk Europe Conference in London. Her opening statement was: 

“There is a growing literature on operational resilience and the short working definition I’ll use is the ability to adapt operations to continue functioning, when – not if – circumstances change.” 

Wind forward to 2021, we have a suite of papers generated by the Bank of England, Prudential Regulatory Authority (PRA) and the Financial Conduct Authority (FCA), which echo this message. 

Firms must have plans in place to enable them to continue business, no matter what the cause of the disruption. This is not merely a question of identifying and assessing risks, firms must assume that risks do and will crystallise. 

Given such events as cyberattacks and global pandemics, it’s not surprising to learn that Operational Resilience is a hot topic globally. Regulatory bodies expect firms to not only have the usual business continuity planning in place, but also a robust process that takes a holistic view of risks. 

Businesses must look externally at any third party arrangements that could impact a firm’s ability to maintain services as well as beyond the UK to consider cross border dependencies. The regulators have indicated that they believe the UK requirements are aligned with the Principles of the Basel Committee on Banking Supervision (BCBS). This should help to avoid any duplication of effort for firms. The UK also continues to coordinate efforts with the G7 and G20 countries. 

Regulatory Approach:

The supervisory bodies in the UK have a shared operational resilience strategy and have coordinated efforts by issuing joint statements and consultations culminating in 2021 with the publication of their Final Statements and Policies. This coordination serves to emphasise the importance of Operational Resilience to the UK financial services and ultimately the economy.
 

A resilient financial system is one that can absorb shocks rather than contribute to them. The financial sector needs an approach to operational risk management that includes preventative measures and the capabilities – in terms of people, processes and organisational culture – to adapt and recover when things go wrong. 

Scope:

The Operational Resilience Requirements will apply to the following sectors:

How does Operational Resilience differ from Operational Risk?
 

Operational Resilience is different from traditional business continuity and disaster recovery. These tend to be seen in silos and as a compliance exercise focussing on minimising the probability of a risk event occurring and ensuring firms can absorb financial losses. The ability to withstand financial loss is not sufficient to ensure continuity of business services. 

Operational Resilience focuses on the ability to adapt to emerging threats and the dependencies and requirements for providing critical business services. 

Where Operational Risk defines the non-financial risks facing a business, Operational Resilience refers to the steps an organisation takes to address these risks to minimise impact and disruption. 

Firms should consider their structure, people, processes and technology to adapt and ensure critical services can continue to be delivered through disruption. In this way, firms take an holistic view by pulling together their risk management framework; information management; incident management and business continuity to ensure overall operational resilience.

 
 

Operational Resilience Requirements

The regulatory approach is based on the belief that businesses are likely to be more operationally resilient if the businesses are designed and managed based on the assumption that disruption will occur. The regulators published their requirements earlier this year with firms required to: 

  • identify Important Business Services. Firms must consider how disruption to those business services can impact a firm’s own interests as well as cause harm to customers and wider market participants
  • set a tolerance for the maximum disruption to each Important Business Service whilst ensuring that firms can continue to deliver those service. Firms must ensure that they are able to stay within their impact tolerances during severe scenarios.
  • map and test Important Business Services to identify any vulnerabilities and drive change as required.
  • conduct lessons learned by identifying the required resources to meet operational resilience responsibilities
  • develop effective communicate plans to mitigate service disruptions
  • complete a self-assessment to demonstrate that firms are meeting their responsibilities. 

The 12-month implementation period has started with the expectation that the firms will have the above steps completed by 31 March 2022. This is followed by a transitional period ending 31 March 2025, by which time firms should have:

  • performed mapping and testing so that they are able to remain within impact tolerances for each important business service
  • made the necessary investments to enable firms to operate consistently within their impact tolerance
Governance
 

Boards and senior management teams need to focus on their back up plans; responses to incidents and recovery plans to ensure the continuity of a business service. This requires an understanding of any vulnerabilities relating to managing people, processes and culture so that they respond quickly when things go wrong. Firms should be able to act quickly and communicate effectively to those affected to manage expectations, but to also maintain and restore confidence in the service.

With the advent of the Senior Manager’s & Certification Regime (SM&CR) comes greater individual accountability and more regulatory scrutiny. For example, under PRA’s Senior Managers and Certification Regime (SM&CR), firms must have a senior manager responsible for the internal operations and technology for a firm (SMF14).

Responsibilities include: 

  • business continuity
  • cybersecurity
  • information technology
  • internal operations
  • operational continuity, resilience and strategy
  • outsourcing, procurement and vendor management and
  • management of services shared with other group members. 

This list repeats the message that operational resilience is broad in scope and firms need to look at external dependencies. 

Reporting

FCA firms already have a requirement to disclose any event effecting the firm of which the regulator would expect notice. Relating to Operational Resilience, this could include any material event which:

  • results in a significant loss of data
  • results in the unavailability or control of your IT systems
  • affects a large number of customers
  • results in unauthorised access to your information systems 

Firms now have 9 months in which to complete analysis, planning and implementation. Whilst there is a transitional period, regulators expect firms to have implemented their plans by 31 March 2022. During the transitional period, firms need to ensure they are able to address risks that prevent them from staying within their impact tolerances for each important business service. 

Ruleguard Webinar:

Join our webinar on 21 July 2021, Operational Resilience: an Overview.

Please click here to register your interest.

How can we help?

Ruleguard has a range of tools to help firms fulfil their obligations. Click on the links below or contact us for further information.

Tel: 020 3965 2166

Senior Managers and Certification Regime: https://www.ruleguard.com/smcr 

Contact the author

 

Head of Client Regulation| Ruleguard