The FCA hosted a live event providing feedback to the industry regarding preparation for the March 2022 deadline. During the session, representatives from both the FCA and PRA presented feedback and responded to industry queries.
The regulators were keen to remind everyone that Operational Resilience aims to encourage better outcomes for consumers and the markets as a whole.
Steps to complete before 31 March 2022:
The regulators expect that all in-scope firms should have:
Identified their Important Business Services (IBS)
Set impact tolerances for each IBS
Completed mapping and testing to enable identification of vulnerabilities
Prepared communication plans to manage any incidents
Defined a process to identify and use lessons learned
Approved the first self-assessment
At this stage, a firm needs to know what level of disruption it can withstand without causing intolerable harm.
In an earlier blog, we examined the operational resilience requirements. Firms should ensure that they have documented clearly the steps they have taken and explained their rationale.
What should firms do after 31 March 2022?
From this point, the transitional period commences and lasts for three years, ending on 31 March 2025. During the transitional period, firms should continue mapping and testing to remain within the impact tolerance.
The regulators have indicated that they have no specific plans to request copies of the self-assessment immediately after 31 March. However, if a firm breaches its regulatory obligations, the regulators will likely ask to see the self-assessment document. Therefore, firms must maintain the self-assessment document appropriately.
The regulators gathered data from some high-impact firms, which allowed them to review how those firms had identified their IBS and the rationale for their choice. The supervisors were also interested in the methodology firms adopted to set their impact tolerances and the rationale behind it.
Have you identified your IBS correctly?
Whilst the regulators noted that progress is being made, there is still room for improvement. The FCA indicated that firms needed to give further consideration to the following areas:
Improving the documented rationale for identifying each individual IBS. This could include metrics such as consumer research to support the decision. Bearing in mind regulatory concerns about concentration risks, firms could also consider the availability of alternative providers and the type of consumers likely to be affected by the IBS
Incorrect identification of IBS. Firms were reminded that an IBS impacts the external end-user. For this reason, internal processes, such as payroll, would not be deemed an IBS
How and why have firms set impact tolerances?
Impact tolerances should be relevant to the harm experienced. Again, the regulators were keen to emphasise that the goal is to avoid breaching the impact tolerances. Firms should consider what they can do now regarding vulnerabilities in their services. Where do they need to invest?
NB: Disruptions will occur; resilience means not breaching a tolerance.
Despite guidance provided in consultation and policy statements, firms are taking the traditional risk management approach towards operational resilience by measuring revenue and reputational risk. Firms need to look externally. Firms need to justify the methodology used to set tolerances via metrics and rationale. The example used by the regulators was where a firm had set a tolerance of 12 hours for a service outage. The firm should ask itself:
Why have we set our tolerance for an outage at 12 hours rather than 11 hours?
What makes 12 hours a greater risk to the end-user?
The board or equivalent governing body is responsible for approving the self-assessment. Naturally, the board must be assured that the firm has met and continues to meet the operational resilience requirements. The self-assessment document should contain sufficient detail to give the board this assurance. The board must hold the senior managers accountable and challenge the decisions, rationale and methodology adopted.
The regulators also reminded firms that cyber threats continue to evolve and must form part of a firm’s operational resilience. Firms were told that:
"...it is wise to include it in the scenario testing. It is highly plausible."
What should you be doing?
The key message from the regulator:
Firms must act now and be ready for 31 March 2022.
Where firms have concerns about meeting this milestone, they should contact the regulators sooner rather than later.
In our blog “Is outsourcing on your radar?”, we explored some of the regulatory concerns. Firms should review these concerns and ensure that they have addressed any weaknesses in these areas.
How Ruleguard can help you:
Ruleguard is an industry-leading software platform designed to help regulated firms manage the burden of evidencing and monitoring compliance. It has a range of tools to help firms fulfil their obligations across the UK, Europe and APAC regions.
Ruleguard allows firms to organise planning for extreme but plausible scenarios, model impact tolerances and identify investment gaps.
It also helps firms to:
define service levels and tolerance thresholds for each service to define how much impact on customers and the market is acceptable in extreme but plausible scenarios
vary the resource parameters using our intuitive interface and see how these changes impact your service thresholds in the model
easily identify gaps for investment and automatically create a resilience self-assessment document for board review.
The scale of operational resilience compliance can seem daunting, but with Ruleguard's experience and technical design skills, we’ll help you quickly bring it under control: https://www.ruleguard.com/operational-resilience
To learn more, get in touch with the Ruleguard team: call 020 3965 2166 or email email@example.com
Contact the author
Head of Client Regulation | Ruleguard