The FCA has published its findings from a recent review of business continuity planning (BCP) among small and medium-sized retail banks, payments institutions and electronic money institutions.

Although the findings suggest that many firms have taken meaningful steps to build operational resilience into their systems and processes, the FCA also identifies a number of areas for improvement. It encourages firms proactively to review, test and revise their arrangements ahead of further supervisory work to be conducted later this year, in particular with respect to scenario testing, incident response planning, training and management oversight.

The importance of this topic is underscored by the fact that the PRA currently has a number of enforcement cases underway against senior managers at UK financial institutions for IT failures, a point confirmed last week by Lyndon Nelson, executive director for regulatory operations and supervisory risk specialists at the PRA, in evidence to the Treasury Select Committee.

Background

The FCA's review follows on from the publication of the joint FCA and PRA discussion paper "Building the UK financial sector's operational resilience" in July 2018 (the Joint Discussion Paper) and also covers ground which overlaps to some degree with recent FCA publications on the related issue of cyber security and resilience – see, for example, the "Cyber and Technology Resilience: Themes from cross-sector survey 2017/18" paper of November 2018 (the Cyber Resilience Paper) and the "Cyber security – industry insights" document of March 2019.

The continuing regulatory focus on this area is borne out further by the emphasis on operational resilience as a cross-sector priority in the FCA's recently published Business Plan for 2019/20 and the Final Notice issued jointly by the PRA and FCA to Raphaels Bank on 30 May 2019 for failing properly to manage outsourcing arrangements between April 2014 and December 2016.

The FCA's review

In undertaking its review, the FCA found that most firms have demonstrated a good understanding of BCP, but noted that there are "some important areas where improvements could be made".

The FCA assessed firms' approaches to four particular aspects of BCP:

  • planning for and managing business continuity events;
  • responding to disruptions, e.g. by implementing business continuity contingencies, including communications protocols;
  • recovering from events by returning swiftly and efficiently to normal service; and
  • identifying potential or actual consumer harm caused by an event and taking the appropriate steps to remediate where necessary.

With respect to planning, the FCA found that most firms had a clearly documented BCP strategy with an appropriately defined risk appetite, and that they used governance forums for approval, challenge and maintenance of policies, plans and frameworks.

However, the FCA noted that:

  • only "some firms" had considered real-life scenario testing going beyond the basic scenarios of denial of premises access and denial of IT service;
  • inadequate consideration is being given to the link between large-scale change projects and BCP. Firms are encouraged to plan for unanticipated disruptions when implementing significant changes;
  • relevant and tailored training was not being rolled out across the whole of a firm's employee population, as opposed to just technical staff.

Management and oversight of events are often assigned to staff at too low a level in firms, with insufficient challenge from senior management to those staff on current capabilities.

With regard to responding, the FCA noted that some firms had crisis management plans containing pre-approved communications for both employees and customers, and that most firms documented several contingency plans for customer-critical processes.

Potential areas for improvement, however, were also identified:

  • most firms had not created and developed "playbooks" covering different potential scenarios with multiple impacts and containing guidance on appropriate communications, the contingencies required to respond and the roles and responsibilities of individuals managing the event; and
  • the FCA also recommends that firms consider whether their incident response plans should be subject to independent verification and oversight, whether internal or external.

On the topic of recovering from events and offering appropriate remediation, the FCA noted that all firms used post-incident reviews as a catalyst for updating and improvement of BCP policies, and that some firms proactively contacted customers during an event if harm had occurred.

However, it also recommends that firms ensure that adequate management information is used to identify potential or actual harm proactively and consider what lessons can be learned from an event. This echoes a theme present in other recent FCA communications in which the regulator has expressed some concern regarding the quality of management information presented to senior management at firms and their ability fully to understand it given the technical nature of certain BCP issues such as cyber threats: see, for example, chapter 3 of the Cyber Resilience Paper.

Next steps and actions for firms

The FCA is advising firms to consider the contents of the Joint Discussion Paper and has made it clear that it expects firms to carry out self-assessments of policies, frameworks and plans on an ongoing basis. Although the review was carried out among small and medium-sized retail banks, payments institutions and electronic money institutions, it will be of interest to all regulated firms – and all businesses – regardless of their size.

The 2019/20 Business Plan says that, as part of its focus on operational resilience, the FCA intends to undertake a number of further activities in this area this year. For example, it plans to:

  • utilise regulatory tools to test the cyber capabilities of high-impact firms;
  • undertake multi-firm supervisory work to better understand the protection measures that firms take against cyber attacks; and
  • do further work to understand and assess the approach taken by firms to change management and third party service provider management.

Firms will want to make sure that they are well prepared to deal with any queries from the regulator in these areas.

Conclusion

With the increasing frequency and severity of cyber attacks and operational disruptions suffered by businesses, it is important that firms are prepared in order to mitigate the risks associated with such events. The FCA's findings and recent papers ought to assist when assessing whether policies and procedures are able to stand up to testing. We would be happy to review your existing BCP and discuss with you how you might improve upon this in light of the FCA's comments.