Operational disruptions can cause wide-reaching harm to consumers, pose a risk to market integrity, threaten the viability of firms and cause instability in the financial system. Following several high-profile operational failures and the widespread disruption caused by coronavirus (Covid-19), regulators felt it necessary to improve resilience.
On 31 March 2021, the FCA, PRA and the Bank of England published a policy statement (PS21/3) setting out new requirements to strengthen operational resilience in the financial services sector.
Operational resilience is the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions. It’s not a new concept and there’s no prescription for how to achieve operational resilience. Firms choose how they get there, but being operationally resilient is not optional.
The regulation applies to banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers’ and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011), UK Solvency II firms, the Society of Lloyd’s and its managing agents (insurers), Central Counterparties, Recognised Payment System Operators and Specified Service Providers, and Central Securities Depositories.
The regulatory timeline for assuring operational resilience requires firms to remain within their impact tolerances as soon as is reasonably practical. At the end of the transition period, firms should ensure they’re able to continually operate within their impact tolerances (31 March 2025 onwards).
- Identify Important Business Services (IBS) and set impact tolerance for each.
- Perform mapping of the people, processes, technology, facilities and information resources necessary to deliver each IBS (including external third parties).
- Identify how IBS could fail and list procedures and measures to mitigate the risk of failure.
- Identify any current vulnerabilities in the operational resilience framework and develop action plans to address them.
- Develop a testing plan to ensure ‘regular’ risk-based testing against a range of severe but plausible scenarios.
- Embed into governance and develop or repurpose communications plans accordingly.
Assurance and Testing Services
- Reviewing operational resilience or BCP frameworks against regulatory requirements and leading industry practice and providing pragmatic enhancement recommendations.
- Providing outsourced independent testing of operational or BCP frameworks to assure resilience.
- Assessing current operational resilience frameworks to provide recommendations to meet the latest regulatory requirements.
- Supporting firms in designing robust and evidence-based operational resilience frameworks that are proportionate to their role in the financial system.
- Providing SME implementation support to deliver enhanced operational resilience frameworks.
- Post-implementation reviews of in-house operational resilience transformation.
Following an operational incident, crisis or regulator intervention, we support firms through the end-to-end process of remediation and make sure lessons are learned. This includes:
- Root cause analysis
- Remediation planning
- Remediation programme management
- Design and implementation of framework remediation
- Testing remediation effectiveness