Since the FCA and PRA published their Operational Resilience policy statement in March 2021, in-scope financial service firms have spent a lot of time and resources on developing a framework and creating a self-assessment form by the end of March 2022, in line with the regulators' expectations.
But the journey to full Operational Resilience compliance still lies ahead. Firms are now in the Operational Resilience ‘transition period’. The policy runs until 31 March 2025, and the actions that firms take during this time will be critical to achieving full compliance.
Maintaining the momentum they built during the last year will be critical. Firms will face many internal and external challenges while building and embedding their resilience programme over the next three years.
In this blog, I highlight a few external indicators that should be considered in the transition period in order to build a mature view of resilience.
- There are hints that a joint FCA/PRA paper will be due later in 2022 on third-party cloud providers combined with the recent policy statement from HM Treasury suggesting further strengthening of rules on third-party risk management and greater regulatory focus on concentration risk. A tricky question is how you embed resilience in unregulated third parties that are not in scope for SS1/21 and SS2/21.
- Recent Bank of England and FCA speeches and communications gave a good indicator of their priorities. Since March 2022, they have regularly commented on the granularity of resource mapping, the importance of separating impact tolerances from RTOs, sophistication and progress on IBS testing and the investment approach to resilience. How will firms prioritise all these areas without adding further strain to already stretched internal resources?
- In a digital-first age, customer tolerance for service outages is very low. Increased customer expectation for uninterrupted service availability and stability of digital platforms and services present a real risk to the reputation of firms.
- Widespread acceptance of flexible working means that working from home policies can become a significant factor in a firm's resilience. New working patterns may mean fewer “boots on the ground”, affecting documented resilience workarounds.
- The explosion of resilience regulation and guidance over the past 18 months has seen output from the US, Hong Kong, Singapore and Europe. International firms may consider programmes with a global scope to create a joined-up approach.
- The Digital Operational Resilience Act (DORA) introduces a framework for firms encompassing cyber risk, third-party risk and operational resilience. Preparation and implementation of DORA will align corporate strategy with technology risk.
The purpose of the new Operational Resilience regime is not to demonstrate how resilient financial services firms are, but for them to proactively assess where they may have resilience gaps and look to address them as soon as ‘reasonably practical’ before 31 March 2025.
The next three years will be challenging and firms need to act now to:
- Address the vulnerabilities they have identified
- Embed an operational resilience mindset throughout the organisation
- Adjust their target operating models to support resilience
Significant, long-term time and resource investment remain for in-scope firms, especially engaging with third-party providers that support the delivery of important business services and building robust scenario testing programmes that can demonstrate the progress they are making in enhancing their resilience.
In my next blog, I will discuss a few internal factors firms should consider on their journey to operational compliance.
How FourthLine can help:
FourthLine is working with a number of financial service firms to help them with Operational Resilience enablement and Outsourcing and Third-Party Risk Management(OTPRM), through a mixture of consulting, managed service and resourcing options.
To speak to us about how we can help your firm with your Operational Resilience or OTPRM programme, click here>
To read our new Operational Resilience Technical paper, click here>