With only two months to go to meet the deadline of March 2022, firms are advanced with Operational Resilience regulatory requirements and most are now completing their Self-Assessment.
The content and format of the Self-Assessment is a grey area for many firms. Below we highlighted a few suggestions to help your firm ensure quality:
20% of non-executives haven`t engaged with the Board yet to discuss the approach to operational resilience. So, it is essential to increase awareness and engagement regarding the work; Important Business Services, Impact Tolerances, and any other challenges encountered. To be efficient in doing this, avoid the temptation to give an endless report to senior management. You should rather provide a document that is clear and concise.
-
-
Draw upon wider sources of information to identify vulnerabilities Your self-assessment document should go beyond mapping and scenario testing activities. The policy is built upon other rules and guidance that rely on major factors like Business Continuity, Risk Management, Change Management or Outsourcing.
Moreover, with the aim of identifying vulnerabilities, it is crucial to design a multi-remediation program that considers other useful sources such as historical data, or your firm's risk register. The creation of a multi-remediation program will require some investment and will need to be a dynamic program, however, it will be worth it to measure the ability to put together several insights and evidence which is key for Self-Assessment.
-
Self-Assessment structure
There is no right way to do this. Someone can choose to write a story describing the progress and maturity of Operational Resilience, while others won't. Whatever you decide, the most logical way is to separate outputs from inputs.
Outputs:
-
-
-
The Important Business Services and the rationale of why they were selected
-
The rationale for why Impact Tolerances were set in such a specific way
-
The scenario testing undertaken
-
The vulnerabilities explored, and the firm's plans for the next steps of Operational Resilience
Inputs:
-
-
-
How the firm arrived at conclusions
-
What was the methodology used to determine Important Business Services
-
How are Impact Tolerances set
-
How the Important Business Services have been mapped
-
How the Scenarios have been built
There is no right way to build a Self-Assessment document, and since the Regulators have so far provided very few minimum expectations there are differing views.
However, if you'd like to hear more about the support we are providing to financial services firms to provide and assure the self-assessment document, please get in touch here
How FourthLine can help:
FourthLine is working with financial services clients to help them achieve compliance and react to the challenges of operational resilience, through a mixture of consulting and resourcing propositions.
Download our Operational Resilience Service Pack here>
