Operational Resilience | It's live and direct!

The March 2022 deadline for operational resilience required in-scope firms to:

  • Identify Important Business Services
  • Map those services to a degree of granularity to understand vulnerabilities
  • Set impact tolerances and begin a programme of testing against the Important Business Services
  • Show your workings and action plans in a Self-Assessment

During the transitional period from April 2022 to March 2025, firms must mature their programmes, create an operational framework and make the necessary investments to prevent or materially reduce the likelihood that any outage of an Important Business Service will breach Impact Tolerance, thereby causing intolerable harm to consumers, the market or the firm.

Whilst the transitional period provides a helpful window for firms to reach their desired level of maturity, it doesn’t mean that firms are clear of regulatory responsibility until March 2025.

What’s not always apparent in our conversations across financial services is that operational resilience is, in fact, a live regulation! It has been since 1st April 2022.

More specifically, since 1st April, a firm breaching impact tolerance in a live incident must report that breach to the Regulator(s).

Under SYSC 15A.2.11G: “...the FCA expects to be notified of any failure by a firm to meet an impact tolerance.”

In the event of an impact tolerance breach, as a minimum response, firms should take the following steps:

  1. Execute your Recovery & Comms Strategy to:
    1. Recover the service as quickly as possible.
    2. Best practice would also dictate that during and after the incident you should communicate with the customers of that service to reduce or mitigate the risk of intolerable harm.
  2. Report the breach to the required Regulator(s). You should have pre-defined templates to support this process.
  3. Remediate to improve your level of resilience thereby preventing any reoccurrence of the outage.
  4. Complete a lessons learnt exercise to highlight process improvement areas.
  5. Conduct a Root Cause Analysis identifying the fundamental reasons for the outage.
  6. Review the Impact Tolerance to understand if it was correctly set, and readjust if necessary.

Assuming you can recover the service in a timely manner, regulators are likely to want to see your Self-Assessment to:

  1. determine if you were aware of the vulnerability that caused the outage, and
  2. review your resilience investment strategy to understand if your intended investments would close that vulnerability.

With SYSC 15A.2.11G in mind, firms should be taking the necessary steps to ensure their Recovery and Communication strategy is robust enough.

We’ve seen these strategies include:

  • regulatory communication templates,
  • recovery playbooks for each Important Business Service,
  • lessons learned templates,
  • appropriate review processes as part of internal governance.

In terms of Self-Assessment, firms should be working to make it fit for purpose with robust methodologies, identified vulnerabilities and a supporting investment plan to assuage any regulatory concerns.

How FourthLine can help:

FourthLine is working with a number of financial service firms to help them with Operational Resilience enablement and Outsourcing and 3rd-Party Risk Management, through a mixture of end-to-end consulting and resourcing options.

To read our new Operational Resilience Technical paper, click here>

To speak to a consultant about how we can help your firm with your Operational Resilience or OTPRM programme, click here>

May 26, 2022
Daniel Waltham
Responsible for leading client relationships and new business sales. Dan takes a lead role in customer engagement, identifying, creating and designing solutions to help our customers with risk and regulatory challenges. 13 years of experience working with financial services businesses across risk, compliance, data protection and regulatory change.

Copyright © 2022, FourthLine. All Rights Reserved.