On 29 March 2021, the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) published their Policy Statements which include the final rules that in-scope firms will be required to comply with by 31 March 2022.
Common themes are emerging from our conversations with customers.
We’ve pulled together some of those threads to provide clarity for firms who are on, or yet to begin, their journey to compliance.
Senior Management awareness and Governance
We are still regularly speaking with firms who are deciding where responsibility should sit for the delivery of Operational Resilience. Many assume the SMF4 will shoulder the work. We’ve also seen it placed with the Head of IT (even when they aren’t SMF24), as the historic link to Business Continuity, Cyber Security and Disaster Recovery.
However, the regulator is clear. As SS1/21 states:
‘Where it exists, the Chief Operations Senior Management Function (SMF) 24 should hold overall responsibility for implementing operational resilience policies...’
The SMF4, SMF16, CIO and other function leaders form key parts in this work, supporting the IBS and scenario phases as well as guiding and challenging opinion throughout.
More broadly, the PRA has a clear expectation of senior management.
They should “have adequate knowledge, skills, and experience in order to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience”.
Operational Resilience overlaps with operational risk, financial resilience, business continuity and disaster recovery, and we’ve discovered the value of a high-level board education session that clearly defines the key concepts and regulator expectations.
The session should offer an introduction to operational resilience, break down the key components to ensure operational embedding and regulatory compliance and help the Exec visualise the 6 key project phases.
You should also outline the FCA’s expectations of Board and Senior Management, and what Execs and Non-Execs should have oversight of and should be challenging.
Identifying synergies with other regulatory obligations
In their Statement of Policy, The Bank of England notes that their “...approach is to consider SS2/21 (Outsourcing and Third Party) and the PRA’s operational resilience policy in combination”.
However, when we ask firms how they are linking Operational Resilience with the delivery of the Outsourcing requirements, the answer is almost always, “it could be better”.
Once your working groups are set up, ensure that they are in sync, combining resources and exchanging information to identify efficiencies.
There are several crossover points between the two regulations, not least the identification, and subsequent mapping of Important Business Services.
As the PRA points out, “...the mapping and testing of third parties are necessary....to obtain an accurate understanding of operational resilience”.
You can find out more about synergies between Operational Resilience and Outsourcing in our insights document, “Outsourcing and third party risk management”.
Creating a Requirements Traceability Matrix, drawing from both Operational Resilience and Outsourcing regulations offers the opportunity to identify those synergies in your organisation.
Our table below offers a simple outline of existing synergies between Operational Resilience, Outsourcing and IT.
Resourcing the project
From the Consultation Paper to the final Supervisory Statement, questions were raised about the resource intensity required to complete mapping and testing by 31st March 2022.
The PRA responded resolutely, stating that firms “should have mapped their important business services and commenced a programme of scenario testing (by 31st March 2022)”.
Achieving the right volume and the right blend of resources has proven challenging for some.
Firms will require someone with experience in Operational Resilience to lead the work, oversee and steer the project, and act as a skilled facilitator in workshops.
This subject matter expert (SME) will also be valuable in the latter stages of the project, adding expertise and feedback when working through scenario creation, and defining impact tolerances.
Often overlooked at the project planning stage is the need to run two workstreams in tandem: one to run the pilot with a selected IBS, and one to map all other IBSs. Therefore, depending on the size of your business and the number of Important Business Services, you will probably need at least two dedicated Business Analysts to support the workstreams.
If firms can resource the project internally, they may still find it useful to add external support when working to create scenarios and define impact tolerances. The external expert can act as a sounding board for assumptions and provide industry insights and benchmarking to bring an independent viewpoint.
Defining Important Business Services
Firms are applying very different interpretations of the regulation when identifying Important Business Services. Some firms identify just three and some firms more than twenty.
For most firms, the actual number should fall somewhere between ten and fifteen.
So, why the disparity?
It’s perhaps indicative of the PRA’s flexible and proportionate guidance, which allows firms to define their own Important Business Services without a prescribed taxonomy. In addition, the most common misstep is the inclusion of internal processes as Important Business Services.
For example, a firm might consider executing the annual compliance monitoring plan or settlements as an Important Business Service. Whilst these are key internal processes for any regulated firm, they shouldn’t make the list.
The PRA strongly encourages firms to prioritise those services which focus on delivery to the “external end-user”. Even where internal processes could impact the delivery of that service, firms should focus on the external service. The regulator indicates that defining standalone internal services as an IBS may water down the focus on the “most important services”.
The PRA’s graphic below shows a workable example, from retail banking, of Important Business Services and how they cross over with critical services and business services.
It’s worth noting that small and medium firms do not need to assess their impact on the market, as “...the PRA considers that it would be proportionate for small and medium firms to be excluded from the requirement to assess their potential impact on financial stability”.
This concession should help small and medium firms to design a proportionate response for operational resilience.
Setting impact tolerances
The final Statement helped to clarify some of the questions about setting Impact Tolerances.
Firms were initially wary of this phase, but the clarifications helped. For each Important Business Service:
- The impact tolerance can be set according to varying metrics.
- As a minimum, and to ensure consistency, the FCA and PRA consider it necessary that each IBS must be set according to a defined timescale. This could be 2-4 hours, or “a point in time”, e.g., “the end of the day”.
- The timescale can be used in conjunction with other metrics, for example, “customer complaints or volume of interrupted transactions”.
- Set impact tolerances for both FCA and PRA outcomes, where those outcomes differ.
- Where the tolerances differ, you may operate inside the tolerance of whichever threshold is “the most stringent”; however, you must demonstrate that you have performed adequate scenario testing for both the longer and shorter impact tolerances.
- You can set the same impact tolerance for both FCA and PRA outcomes.
Setting each individual impact tolerance as well as the definition of intolerable harm is left to individual firms, based on their scale and business activity.
Firms can set impact tolerances using existing company and industry data and processes. For example:
- Your current risk register, used in conjunction with (as suggested by the PRA) “...previous incidents or near misses within the organisation, across the financial sector and in other sectors and jurisdictions”.
- Your existing Key Risk Indicators, which provide a helpful template for defining and aligning impact tolerances.
Finally, we can learn lessons from larger firms, which are already well advanced in their Operational Resilience programmes.
Some of those firms used a simple approach to categorise their Important Business Services, which in turn made setting the impact tolerances straightforward.
One example is outlined below.
On reviewing their approach in the Lessons Learned self-assessment, this firm decided that the Category C Services identified in their initial IBS identification should no longer be classed as such. They now operate even more simply, with Category A and B Services.
Many firms are now underway with their Operational Resilience projects, or are at least defining project scope, project governance and securing budgets.
FourthLine is working with several clients to help them achieve compliance and react to the challenges of the regulation through a mixture of consulting, training, and recruitment.
Please get in touch here to learn about our tailored and proportionate responses for Operational Resilience.
For further insights on Operational Resilience, go to our Operational Resilience micro-site