Covid-19 posed an unprecedented challenge to the operational resilience of the financial services sector in 2020. But despite a generally positive response to the crisis, with a major new regulatory framework on the horizon, firms still have plenty of work to do.
Operational resilience has emerged as a key UK regulatory priority in recent years. The regulators’ focus on this area proved prescient in 2020, as Covid-19 put firms’ ability to prevent and respond to operational disruptions to the ultimate test.
In the UK, the PRA and the FCA first signalled their intention to overhaul the regulatory framework in relation to operational resilience in July 2018, when they published a joint discussion paper on an approach to improve the operational resilience of firms. In December 2019, the PRA and FCA released a suite of co-ordinated proposals putting flesh on the bones of the earlier discussion paper and setting out a host of new requirements designed to strengthen the operational resilience of firms. These proposals also responded to a report on major IT failures in the financial services sector published by the House of Commons Treasury Committee in October 2019, which called for regulatory intervention to improve the operational resilience of the sector. The pandemic arrived before the consultation on the new proposals closed and so tested firms’ ability to respond to disruption on the basis of their existing business continuity and contingency plans. In this respect, the crisis was a premature trial of a regulatory regime on the cusp of significant change. In general, however, the financial services sector is regarded as having performed creditably during the pandemic from an operational resilience perspective. For the most part, worst fears have not been realised and firms have instead managed to avoid widespread and lasting disruption to the provision of key business services. As we look ahead to 2021, firms could be forgiven for thinking that the lion’s share of their operational resilience work is now behind them. But with the finalised rules expected to be published in the coming months and firms facing the prospect of having to implement the new requirements as early as the end of this year, it is clear that operational resilience will continue to be a major strategic priority for boards and senior managers. Even with the benefit of an extended timetable on account of Covid-19, the experience gained in 2020, and the recent regulatory focus on this topic, firms no doubt still have plenty of work to do. Whilst the new requirements may not apply to all firms (in particular, not all the proposed requirements will apply to certain FCA solo-regulated firms or branches), this new regime should be treated as important guidance on the regulators’ expectations. The reality is that if something goes wrong at your firm, and you cannot evidence that you had adequate recovery/contingency plans in place to address the issue in a timely fashion, then both the firm and individual senior managers/staff members may be held accountable by the FCA and/or PRA. We discussed what the proposals mean in practice for banks during our Emerging Themes webinar on 21 January 2021 and for insurers during our Emerging Themes webinar on 28 January 2021.
Key proposals The new PRA and FCA consultation proposals concentrate on three key areas:
- Prioritising the things that matter Boards and senior management should prioritise those activities that, if disrupted, would pose a risk to: consumers, the stability of the UK financial sector, or the firm’s safety and soundness. For many firms, this will mean a shift away from thinking about the resilience of individual systems and resources and a shift towards focusing on the important business services that are provided to users.
- Setting clear standards for operational resilience Firms should articulate specific maximum tolerable levels of disruption, including time limits within which the firm will be able to resume the delivery of important business services following severe but plausible disruptions.
- Investing to build resilience Firms should have contingency arrangements in place to enable them to resume the delivery of important business services, taking action in advance to ensure that important business services are able to remain within tolerable levels of disruption in severe but plausible scenarios.
What will this look like in practice? In practice, the new proposals will require firms to take the following key steps:
- Identify important business services – Firms should identify important business services and consider the risk that disruption of those services poses to consumers, the firm’s safety and soundness, the stability of the financial sector, and wider market integrity.
- Setting impact tolerances – Firms will be required to set an impact tolerance for each of their important business services. An impact tolerance is defined as the maximum acceptable level of disruption to an important business service. Firms should state their impact tolerances using clear metrics. Firms should set at least one impact tolerance for each important business service they have identified.
- Mapping – Firms will be required to identify and document the necessary people, processes, technology, facilities and information required to deliver each of their important business services. This identification process is referred to as “mapping”. It should include outsourced and third party providers over which the firm may not have direct control.
- Outsourcing – Firms will need to revisit their outsourcing arrangements to ensure they comply with the new requirements. For solo-regulated firms, a focus on outsourcing will be an important part of the “mapping” process, whilst for dual-regulated firms the PRA has proposed an enhanced regulatory framework (accompanied by a new Supervisory Statement) in relation to outsourcing and third party management.
- Scenario testing – Firms will be required to test their ability to remain within impact tolerances in severe but plausible disruption scenarios. Firms should focus on response and recovery actions.
- Governance – Boards will be specifically required to approve and regularly review the important business services identified for their firm and the impact tolerances that have been set for each of these. This will allow the Board to make prioritisation and investment decisions.
- Lessons learned – Firms must conduct “lessons learned” exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible.
- Communication plans – Firms will need to develop internal and external communications plans for when important business services are disrupted.
- Self-assessment document – Firms must carry out a documented self-assessment of compliance with the new requirements (including the methodologies used). The Board will be accountable for and should approve the information set out in these documents.
"An onerous set of new requirements that will take time to implement effectively."
The PRA and FCA proposals contain an onerous set of new requirements that will take time to implement effectively. The papering exercise to evidence compliance will be extensive and investment may be required if gaps are identified. Many firms will need to start from the ground up in implementing these requirements rather than simply make minor tweaks to their existing arrangements.
"Firms can expect operational resilience to remain a key focus for supervisory and enforcement action going forward."
"Operational resilience issues have been the subject of several recent major enforcement actions resulting in multi-million pound fines being imposed on firms. In the wake of the pandemic, firms can expect operational resilience to remain a key focus for supervisory and enforcement action going forward. Therefore, despite a largely positive response to the pandemic in 2020 on an operational resilience front, we recommend that firms do not leave it too late to start planning for the new PRA and FCA operational resilience requirements."
We recommend that firms do not leave it too late.