
Operational Resilience Testing Strategy


Several of our clients have received feedback from the PRA on their Operational Resilience programmes, and a consistent theme is concern over the maturity of their scenario testing.

Both FCA and PRA regulations require firms to test the resilience of their Important Business Services (IBS) against “severe but plausible” scenarios. Based on their interpretation of the regulations, many firms have taken a narrow view, considering and reporting only on the testing of Important Business Services. In some cases, firms have identified and matured operational workarounds for key resources, but in many cases firms have merely compared recovery capability (recovery time objective, SLA or maximum tolerable period of disruption) against their Impact Tolerance.

However, the feedback from the PRA indicates that it may be more interested in a wider view of the firm’s overall resilience against a given scenario than in a narrow view of IBS resilience alone.

In other words, the question being asked is not “can IBS x avoid breaching impact tolerance if impacted by a cyber-attack?” but instead, “how resilient is the firm to cyber-attacks and how can you demonstrate that the firm's current capability will avoid impact tolerance breaches?”.   

As a result, FourthLine has redesigned its approach to resilience testing with a greater focus on the enterprise-wide capabilities firms need to establish, and evidence, to achieve an appropriate level of resilience. A single scenario test will never be sufficient to evidence all the capabilities necessary for a firm to claim operational resilience.

The FourthLine approach is to look holistically across the organisation and, for each threat scenario, to identify the capabilities the firm requires in order to prevent, adapt to and recover from that scenario. Our approach considers both:

  1. Capability testing, to confirm that the required capabilities exist and work (e.g., recovery testing and Incident and Crisis Management testing)
  2. Risk identification and assurance testing, to evidence strong risk management (e.g., cyber penetration testing, third-party assurance activities)

For a firm to be confident in its ability to withstand a threat scenario, it must be able to test, and report on, all the associated capabilities that directly contribute to its resilience against that scenario. This means testing at the enterprise, service, process and resource levels, and it provides a view of resilience capability against the firm’s highest-risk scenarios.

Achieving this level of coordination requires assessment, prioritisation and reporting across all operational risk disciplines, which is not yet widespread. Moreover, in our experience firms are not thinking along these lines or including this type of approach in their 2025 resilience objectives, their overarching resilience strategy or their operational resilience project roadmaps.

How FourthLine can help
If you'd like to understand how our enablement and full delivery approaches may benefit your firm's operational resilience programme, enquire here or book a time with one of our consultants here.
Read our Outsourcing and Third-Party Risk Management Technical Paper
Read our Operational Resilience Insight Deck
August 9, 2023
Chris Moran
Chris is an Operational Resilience and Business Continuity specialist with 11 years of experience in the financial sector. Most recently Chris has been heavily involved in implementing Operational Resilience programmes across banking and insurance firms, with a focus on impact tolerances and scenario testing. He is experienced in integrating resilience risk management within existing enterprise risk management frameworks, including training and support of first-line teams. In addition to an understanding of both the FCA and PRA policies, Chris has the knowledge and expertise to design operational programmes tailored to the proportionality of a wide range of firms across the financial sector.