On 5 December 2019, the Bank of England (BoE), the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) released a number of publications on operational resilience, marking the launch of a consultation phase which will inform how the UK authorities seek to embed the consideration of operational resilience into the regulatory framework.
The publications include:
- A joint policy summary: Building operational resilience: Impact tolerances for important business services;
- PRA consultation paper 29/19 (CP29/19) Operational resilience: Impact tolerances for important business services with covering summary page;
- PRA consultation paper 30/19 (CP30/19) Outsourcing and third party risk management with covering summary page;
- A speech delivered by Megan Butler, FCA Executive Director of Supervision: Investment, Wholesale and Specialist, to the TISA Operational Resilience Forum in London; and
The response date for the five consultation papers is 3 April 2020. The regulators are expected to publish their final policies on operational resilience in the second half of 2020. Firms will be expected to implement the rules towards the end of 2021, with a transitional period of three years accorded to firms with respect to remaining within impact tolerances. We cover implementation dates at the end of this note.
In this note, we outline the approach which the regulators are proposing to adopt, drawing from FCA CP19/32 and PRA CP29/19. We then cover some key points on outsourcing from PRA CP30/19.
A common approach
The proposals in the consultation papers build on concepts advanced in the regulators’ joint July 2018 Discussion Paper 01/18 (DP01/18) Building the UK financial sector’s operational resilience. Importantly, the regulators’ starting point is that operational disruption will happen. The papers do not set out a prevention-based approach, but look to bolster firms’ mitigation of risks once they have crystallised.
The BoE, PRA and FCA propose that firms and financial market infrastructures, such as CCPs and CSDs, would be expected to:
- identify their important business services that if disrupted could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system;
- set impact tolerances for each important business service, which would quantify the maximum level of disruption they would tolerate;
- identify and document the people, processes, technology, facilities and information that support their important business services; and
- take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
As with most significant step changes in regulation, operational resilience brings with it a number of key concepts, and we discuss these below. However, before turning to the concepts themselves, it’s important to highlight the reliance being placed on firms’ judgement, for example, in relation to establishing ‘impact tolerances’. During and immediately following implementation, it is likely that firms will be quite far apart from one another. Divergence across the industry should be addressed as regulators get a broad view of how the industry is approaching operational resilience. As a minimum, supervisory feedback, if not specified policy or guidance, should start to drive some consistency and comparability of approach among peer firms.
Important business services / a business services approach: At the heart of the proposals is an approach which requires firms to identify and work to ensure the continuity of important business services. Important business services are:
- those which are provided by the firm to an external end user which, if disrupted, could pose a risk to the stability of the UK financial system, to the firm’s own safety and soundness, or in the case of insurers, to policyholders, according to the PRA’s proposals; and/or
- those which are provided by the firm, or by another person on behalf of the firm which, if disrupted, could cause intolerable levels of harm to any one or more of the firm’s clients or risk the soundness, stability or resilience of the UK financial system or the orderly operation of markets, according to the FCA’s proposals.
Business services differ from business lines, such as mortgages, which, as the PRA remarks, are a collection of services and activities.
Firms will need to identify their important business services, and (under the FCA’s proposals) will need to review these at least annually or when there is a material change to their business or their operating environment. Firms which are part of a group will also need to identify important group business services; these are important business services which are provided by a member of the firm’s group to external end users.
Firms will be expected to document the resources – people, processes, technology, facilities and information – required to deliver important business services. Mapping should include any reliance on third parties, for example, for technology platforms. This mapping process will help to inform decision-making, the setting of impact tolerances and scenario testing (which we discuss further below). Firms will only need to map their important business services. The mapping exercise should be signed off at an appropriate level. It is worth giving some consideration to how the exercise is documented and presented, as this is likely to be a document (or collection of documents) which will be of interest to the firm’s supervisors. The firm should also consider how this operational resilience mapping sits alongside, and is reasonably consistent with, for example, statements of responsibility under the senior managers and certification regime (SMCR), outsourcing registers, resolution assessments, and/or other documentation required under the regulatory framework.
The regulators do not specify which business services should be identified as important, noting that this is a matter of judgement for boards and senior management. Both the PRA and the FCA provide some examples of important business services, such as a bank’s payment services, an investment bank’s ability to provide currency hedging services, (for insurers) the sudden removal of cover for businesses’ compulsory operational and the provision of ATM cash withdrawals to customers. Additionally, both set out some criteria for boards and senior managers to consider during the identification exercise. It is intended that the identification of important business services will help to ensure that boards and senior managers prioritise and make appropriate investment decisions.
The concept of important business service is likely to develop over time, not least in response to any future operational disruptions which highlight particular business services that may not have been considered important.
Impact tolerances: For each important business service, a firm must set impact tolerances. This differs from risk appetite in the sense that risk appetites tend to focus on corporate objectives as opposed to the impact on, for example, the UK financial system. Impact tolerance describes the maximum tolerable level of disruption to an important business service. Firms will be expected to set clear and specific impact tolerances, for example, a duration metric for the disruption to an important business service.
Firms will be expected to remain within their impact tolerances. Boards and senior management will be expected to approve impact tolerances, and should use these measures to inform efforts to improve operational resilience. The FCA’s proposals include a requirement for boards and senior management to review impact tolerances at least annually and whenever there is a material change to their business or operational environment. Both the PRA and the FCA propose to allow a three-year transitional period for firms to reach a position of being able to stay within their impact tolerances.
As with the concept of important business services, it is reasonable to expect that the setting and monitoring of impact tolerances will develop. It is possible that technology developments, particularly RegTech and SupTech solutions, could facilitate an increasingly sophisticated approach by both firms and regulators.
Firms that are subject to PRA supervision should also note that the Financial Policy Committee (FPC) which has responsibility for monitoring the UK financial system is considering setting impact tolerances for vital services. The PRA will consult on how the FPC tolerances will interact with those which firms will set for important business services.
Scenario Testing: Firms are expected to test their ability to remain within impact tolerances for each of their important business services. Scenarios should describe a range of adverse circumstances, varying in nature, severity and duration which is appropriate to the firm’s business and risk profile. Previous incidents or near misses and/or horizon risks may inform the scenarios which firms develop to test their ability to remain within their impact tolerances. Scenarios should be ‘severe’ but ‘plausible’. Defining scenarios is likely to be a distinct exercise of itself for firms.
The PRA’s CP notes that it “recognises that it would not be proportionate to require firms to [be] able to remain within impact tolerances in all circumstances.” Extreme scenarios, such as a failure of civil infrastructure, may render continuity of important business services impossible for a period.
While neither the PRA nor the FCA propose specific scenarios at this time, the FCA provides some “scenario factors” as guidance for firms, and the PRA indicates that it may set scenarios at a future date if necessary.
To facilitate continuous improvement, firms are expected to conduct post-scenario testing “lessons learned” exercises.
Self-Assessment: Both regulators propose introducing a requirement for firms to document a self-assessment of compliance with the operational resilience rules. Firms’ boards and senior management will be accountable for, and should approve, the self-assessment.
This self-assessment would be made available to either the PRA or the FCA on request. As previously mentioned, firms should consider how to ensure appropriate consistency between the self-assessment of compliance with operational resilience rules and, for example, the contents of the firm’s outsourcing register (which regulators may also request) or notifications of rule breaches made under FCA Principle 11/PRA Fundamental Rule 7.
Governance: The introduction of rules and guidance on operational resilience will have an impact on firms’ governance arrangements. In particular, where firms have a Chief Operations Function holder (Senior Manager Function 24 (SMF24)), both the FCA and the PRA envisage a key role for this individual in the implementation and maintenance of the operational resilience rules.
Under the Senior Managers and Certification Regime (SMCR), individuals who perform SMF24 have responsibility for managing the internal operations or technology of the firm (or a part of the firm), including:
- business continuity;
- information technology;
- internal operations;
- operational continuity, resilience and strategy;
- outsourcing, procurement and vendor management; and
- (where the firm is part of a group) management of services shared with other group members.
Where a firm does not have an individual holding SMF24, it will need to identify the most appropriate individual within the firm to have accountability for operational resilience.
Outsourcing and third party arrangements
In CP30/19, the PRA is consulting on a draft supervisory statement (SS) to cover outsourcing and third party risk management. The draft SS contains material which is drawn from existing and proposed European Banking Authority (EBA) and European Insurance and Occupational Pensions Authority (EIOPA) guidance, with which firms within the scope of PRA supervision will be familiar.
As could be expected, the PRA’s approach incorporates the principle of proportionality. The draft SS also discusses in some detail the activities – outsourcing and third party arrangements – which are to be covered by the SS. While acknowledging that some third party arrangements do not meet traditional definitions of ‘outsourcing’, the PRA highlights that such activities may have an impact or potential impact on, for example, UK financial stability, the PRA’s statutory objectives, the operational resilience of one or more firms, the performance of regulated activities, and/or BoE resolution objectives. As such, those activities warrant similar focus and a control framework aligned to that for outsourcing arrangements.
The draft SS also sets out proposed guidance on the completion of an outsourcing register. Firms should review this against their existing registers, as the PRA is proposing to specify date formats and, for example, to require firms to summarise risk assessments in 250 characters.
In the following table, for each consultation paper, we set out the types of business to which the proposals are intended to apply, the response deadlines and any forward-looking dates which are mentioned in the consultation.