
Considerations for Operational Resilience maturity through a PRA lens

Written by Chris Moran | Jul 10, 2023 3:10:55 PM

Following a number of requests for information from the PRA across financial services, we would like to present our understanding of some of the key feedback themes which firms may wish to factor into their maturity roadmap for 2025.

1. Mapping

The PRA has noted that some firms' mapping is not sufficiently detailed, indicating a potential lack of awareness of critical dependencies.

To varying degrees, some or all of the following points apply to most firms:

  • Mapping does not define an end-to-end business service
  • Mapping does not identify underlying resources at a sufficiently granular level
  • Mapping doesn't include sufficient detail on exposure to suppliers underpinning an IBS
  • Mapping does not allow firms to understand their operational resilience vulnerabilities

2. Impact Tolerances

In many cases, impact tolerances are still being set with a view to a firm's expectations or risk appetite and not based on consideration for safety and soundness or market impact. This is typically evidenced through alignment to existing SLAs or RTOs.

This typically leads to short impact tolerances which in some cases imply a 24-hour outage could cause the firm to become financially vulnerable. Given the requirements under Solvency II and capital adequacy requirements, this immediately indicates an inappropriate methodology has been used.

In addition, the PRA observes that copying and pasting impact tolerances from one IBS to the next, with no supporting rationale or evidence as to why this is appropriate, does not satisfy its expectations for robust rationales and methodologies.

3. Testing

Some firms have not started a programme of scenario testing and have not been able to evidence a timetable to support IBS testing.  This constitutes a non-compliant programme. 

The PRA also highlighted a requirement for testing to be able to consider the firm-wide capabilities against the severe but plausible scenarios including crisis & incident management, communications, service workarounds and recovery capability. 

Arguably, scenario testing is the key activity for understanding a firm's level of operational resilience. Without assessing the capability to respond, adapt and recover from a severe but plausible scenario, firms remain open to resilience risks and unknown vulnerabilities.

4. Self-assessment

In some cases, firms' self-assessment documents failed to provide enough detail on the programme, the methodologies employed and the ongoing plan. For many firms, it was clear that the self-assessment was not the living and breathing document that the PRA intended and, following March 2022, has gathered dust, leading to programme inertia.
 
Finally, the PRA indicates that for any firms undergoing, planning or anticipating significant change activity, there should be evidence that specific risks to Important Business Services and appropriate mitigants have been considered and documented in the self-assessment. 
 
For firms requiring programme uplift following regulatory review, we can support timely remobilisation, resocialisation, and remediation of the operational resilience programme. 

 