In light of various operational failings across financial services firms, and with a shared goal of maintaining financial stability, the UK regulators have worked together to produce an ambitious programme of work on operational resilience for firms and financial market infrastructures (FMIs).
At the end of 2019, the Bank of England (the BoE), the Financial Conduct Authority (the FCA) and the Prudential Regulation Authority (the PRA) published a number of consultation papers with proposals to ensure the operational resilience of the UK's financial services industry. These are set out in:
- BoE operational resilience consultations for FMIs;
- FCA consultation on operational resilience (CP19/32);
- PRA consultation on operational resilience (CP29/19); and
- PRA consultation on outsourcing and third party risk management (CP30/19).
This briefing reviews the FCA and PRA consultations and draws out some of the key considerations for affected firms. ¹
5 things you need to know
1. What is Operational Resilience?
Operational resilience refers to the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.
2. How is this different from business continuity and operational continuity?
Operational resilience aims to ensure that firms can adapt their operations to continue functioning when – not if – circumstances change. This includes by adopting a recovery-centric "business services" approach whereby firms:
- assume severe disruptive events will in fact happen and plan on that basis;
- focus on the wider impact of disruption to the supply of products and services (“business services”) to end users, not solely on systems recovery;
- set impact tolerances and use scenario testing as a way of enhancing existing arrangements; and
- identify resilience gaps and consider areas for investment to enhance the ability to maintain continuity of products and services.
This goes further than business continuity planning and operational continuity which deal with siloes of functions and individual processes that make up a whole business service.
3. What are the proposals?
The FCA and PRA have proposed new rules for inclusion in the FCA Handbook and the PRA Rulebook. Each regulator's proposals are slightly different, tailored to their objectives. Dual regulated firms will need to consider both sets of rules.
In summary, these require firms to:
- Identify their important business services. An important business service is effectively a service provided by a firm which, if disrupted, could cause intolerable levels of (1) harm to any one or more of the firm's clients; (2) risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets; and (3) for PRA-authorised firms, the firm's safety and soundness.
- For each important business service identified, set an impact tolerance considering the factors prescribed by the FCA and/or PRA. An impact tolerance is an articulation of the maximum acceptable level of disruption for an important business service. Effectively, this will be the point at which any further disruption to the important business service could pose intolerable harm to a client or to the stability of the UK financial system.
- Remain within that impact tolerance even in the event of operational disruption(s). This requires firms to have in place effective internal controls and processes to ensure this and comply with the various specific obligations set out in the Handbook/Rulebook. This will involve carefully mapping the important business services and all of the people, processes technology and information deemed necessary to deliver them and putting in place protections to ensure their protection in the event of disruption.
- Conduct scenario testing to measure the resilience of important business services and establish whether the important business service can remain within the impact tolerances. This must result in self-assessments of operational resilience and lessons learned exercises to ensure that the testing is meaningfully interpreted and acted on.
- Put in place a communications strategy. Firms will need to ensure that there are joined up communications between all relevant functions within the firm (such as the business area that owns the data, customer services, operations, technology, and any third party providers) and robust procedures for communications externally to be used in the event of disruptions.
- Review outsourcing arrangements in line with the PRA draft Supervisory Statement. Firms will have already undertaken an implementation project to prepare for the EBA Guidelines on Outsourcing Arrangements, which took effect on 30 September 2019. Although the PRA's draft Supervisory Statement broadly follows the EBA Guidelines there are a few layers of interpretive nuance or additional requirements. Firms will need to review the final proposals and make some tweaks to their policies, procedures and template documentation.
4. When do the proposals need to be implemented by?
The proposals are at consultation stage, with the consultation period for each paper closing on 3 April 2020.
Final rules and policy statements are expected in autumn 2020. It is not clear when the FCA's proposals will be implemented except that the obligation to remain within impact tolerances benefits from a three year transitional period. The PRA's operational resilience proposals will be implemented in the second half of 2021 with a transitional period until 2024 for the obligation to remain within impact tolerances.
5. Where does operational resilience fit into the current regulatory framework?
The regulators explain that the policy proposals aim to set new requirements that enhance operational resilience and are not intended to conflict with or supersede existing requirements such as policies to manage operational risk or business continuity planning.
The proposals tie in with a number of European pieces of work, namely the requirements on providers of payment services to have in a place an operational and security risk management framework, the new EBA Guidelines on Outsourcing Arrangements and the forthcoming EBA Guidelines on ICT and Security Risk Management which are due to apply from 30 June 2020.
All of these policy initiatives are focused on tackling technology risk, this is clearly a focus of regulators at both a UK and European level.
5 things you need to do
1. Define and understand your business services
The regulators expect firms and FMIs to consider the entire chain of activities which make up a business service, from taking on an obligation, to delivery of the service, and determination of which part of the chain is critical to delivery. All resources that are required to deliver the important business service, or any part of it, should be operationally resilient.
This means that you will need to consider your business operations, identify those important business services from an FCA and, if applicable, a PRA perspective. Important business services will need to be considered against those functions that have been identified as critical functions for the purposes of operational continuity rules and critical / important operational functions for the purposes of the outsourcing requirements to ensure consistency and proportionality of approach.
2. Define your "impact tolerances"
The regulators define an impact tolerance in the proposals as "the maximum acceptable level of disruption to an important business service, including the maximum tolerable duration of a disruption". Impact tolerance is expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration and may include other metrics such as volume of disruption.
The means that you will need to set impact tolerances for each important business service. These need to be both realistic and reasonable. By this we mean that you will need to ensure that you are able to deliver important business services within impact tolerances in severe but plausible scenarios (otherwise you will be in breach of the requirements). However, the impact tolerances must be set based on a reasonable assessment of harm that disruption could cause.
3. Assess and address vulnerabilities that might challenges these impact tolerances
Improving operational resilience will require you to comprehensively understand your business operations and map the systems and processes that support important business services.
Mapping will both highlight vulnerabilities and inform testing of your ability to remain within impact tolerances. You will need to take (and evidence) decisive and effective actions to remedy resilience gaps. This might include addressing vulnerabilities in legacy systems, replacing outdated or weak infrastructure, increasing system capacity, achieving full fail-over capability, addressing key person dependencies, and putting in place a communications strategy.
4. Define scenarios and stress test
Firms will need to identify the scenarios that could cause them to exceed impact tolerances. In the proposals, the regulators have all included guidance on possible scenarios and factors that might be considered when developing testing plans.
The regulators do not propose to provide scenarios, so you will need to develop your own. For example, you might create scenarios modelled against incidents or near misses experienced by the firm previously or by other firms in the sector. You could incrementally increase the "severity" of a scenario by, for example, modelling for an increased number of issues or types of resources that are unavailable to support an important business service during a disruption or a longer duration of the disruption.
5. Ongoing compliance
Once important business services have been identified, impact tolerances set, scenarios crafted and stress testing conducted, firms face the ongoing challenge of ensuring impact tolerances are then never breached. Once the finalised policy comes into force, firms will have up to a maximum of three years to meet their obligation to stay within impact tolerances. However, you will need to effectively document your progress in a self-assessment during this transitional period.
In addition, firms will need to comply with the Supervisory Statement on outsourcing, which means further review and categorisation of outsourcing arrangements and a gap analysis of the EBA implementation project against any additional PRA expectations.
Update on outsourcing requirements
The operational resilience consultations also tie in with the implementation of the EBA Guidelines on Outsourcing Arrangements. The PRA is also consulting on its implementation of these guidelines. For background on this, also read: Addleshaw Goddard's March 2019 briefing note on the EBA Guidelines on Outsourcing Arrangements.
The PRA draft supervisory statement sets out the PRA's expectations of how firms should comply with their outsourcing requirements. It adds to the EBA commentary, with a further layer of complexity for firms to consider. For example, additional guidance on arrangements that are in scope of the definition of outsourcing and new considerations around the proportionality principle.