Operational Resilience | What's the  impact on 3rd party suppliers?

In March this year, the FCA (Financial Conduct Authority) and Prudential Regulatory Authority (PRA) launched joint policies for Operational Resilience. The PRA released an accompanying supervisory statement (SS2/21) Outsourcing and third-party risk management.

The policy and accompanying statement require an increased level of transparency from regulated firms displaying their awareness and active management of risks related to third-parties as part of the wider expectation of improved operational resilience.

The new regulations require firms to identify their material outsourcing and critical suppliers and to further evidence robust risk management specifically ensuring customer protection, market protection and preventing threats to firm safety and soundness.

This increased regulatory scrutiny will have a direct impact on financial services suppliers both regulated and non-regulated.

The most obvious near-term impact will be a greater degree of supplier assurance which may take the form of the following activities:

  • Increased complexity of assurance questionnaires
  • Increased evidentiary requirements as part of assurance activities (e.g., cyber penetration test reports)
  • Requests for contract amendments to include additional assurance criteria
  • Specific requests to include clauses for “the right to audit” by both firms and the regulators
  • Requests for supplier participation in resilience scenario testing

All these activities stem directly from the policy requirements on regulated firms. These changes will cascade into procurement and RFP practices, becoming a potential differentiator when assessing suppliers.

Alongside the changes for existing suppliers in scope for assurance, the Resilience Policies make it clear that a more output-driven assessment of supplier criticality is required.

This will bring additional suppliers and/or specialist providers into the scope of the enhanced governance frameworks which they may have no prior experience of responding to at the level required.

In the Medium to long term, the experience of firms through Covid has also raised the wider issue of the level of resilience within supply chains more generally and may see increasing demands for greater resilience planning and reporting from third parties and better oversight and assurance of sub-contracted and fourth-party relationships.

This is especially true for suppliers classified as material outsourcers to regulated firms.

How FourthLine can help:

As part of our continually evolving Operational Resilience delivery, we are actively looking at how 3rd party suppliers can best meet the challenges of this changing governance environment.

The first step is a greater understanding of the new Operational Resilience policies and their impact on firms.

This will enable suppliers to better anticipate the needs of their clients and customers to ensure market-leading approaches and capabilities are aligned with the changing landscape.

You can get in touch here to find out more about our tailored and proportionate responses to Operational Resilience and 3rd Party Risk Management.

Download our 3rd Party Risk Management Insight Deck here>



Topics: Featured, Risk Management, Insurance, SMCR, Learning, operational resilience, Third Party Risk Management

October 25, 2021
Talk to an expert

Chris Moran
Written by Chris Moran

Chris is an Operational Resilience and Business Continuity specialist with 11 years of experience within the financial sector. Most recently Chris has been heavily involved in implementing Operational Resilience programmes across banking and insurance firms with a focus on Impact tolerances and scenario testing. He is experienced in integrating Resilience risk management within existing enterprise risk management frameworks including training and support of first line teams. In addition to understanding of both the FCA and PRA policies Chris also has the knowledge and expertise to design operational programmes tailored to suit the proportionality of a wide range of different firms across the financial sector.