Measures required to make financial services firms operationally resilient
Operational Resilience rules for the financial sector came into force on 31 March 2022 and the applicable firms must operate within the agreed impact tolerances no later than 31 March 2025.
Since the financial crash of 2008, demonstrating resilience, whether financial or operational, has been high on the priority list for supervisory authorities and industry leaders alike. The introduction of revised financial and insurance regulations in 2014 ensured that financial market participants demonstrate the financial stability to withstand any storm. In the last decade, firms have taken a variety of measures to strengthen their financial stability, ranging from holding better quality liquid assets and adhering to good industry practice in lending to providing a variety of disclosures that keep stakeholders abreast of quarterly performance.
Taking the above-mentioned measures has helped firms withstand difficult financial times. However, assessing the level of operational resilience at which firms are performing still remains fragmented and requires a detailed Operational Resilience framework embedded in every firm’s core risk assessment plan.
In 2018, in response to recent outages impacting the financial sector and growing cyber concerns, the Bank of England (the BoE) released a discussion paper titled Building the UK Financial Sector’s Operational Resilience. Following the publication of this discussion paper, in March 2021 the Financial Conduct Authority (the FCA) published a series of policy statements setting out the rules that implement Operational Resilience. These rules apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
These rules came into force on 31 March 2022, and the applicable firms now have until 31 March 2025 to be able to operate within the agreed impact tolerances.
Regulators’ definition of Operational Resilience
The regulators state that for firms to be operationally resilient, they must demonstrate the ability to withstand adverse changes in their operating environment and continue the delivery of business services and economic functions. Firms must have plans in place to adopt new or temporary systems and processes so that they can continue to provide services and functions in the event of an incident, and they should return to normal working processes and environment once the disruption is over.
In effect, the aim of Operational Resilience is to change the expectation from prioritising firms' own commercial interests to identifying vulnerabilities and addressing them, understanding the needs of their end-users, and championing a forward-looking culture.
To achieve the above, firms need to take the following steps:
- Prioritise what is important to your clients
- Set clear and measurable goals and standards
- Invest in improving your resilience
Steps to achieve Operational Resilience
Often, risks, the severity of impact, and dependencies are only identified once something goes wrong. Instead, firms should design and manage operations on the assumption that disruptions will occur to their underlying systems and processes. Thus, to enable firms to develop an effective Operational Resilience framework, the FCA has outlined the following seven key areas:
- Important Business Services (IBS): Identifying these is the starting point and shapes how operational resilience will be designed. The regulators have clearly defined an IBS as a business service provided to an external end-user. It consists of a chain of activities, not a business line or product.
- Mapping: This is the identification and documentation of resources needed to deliver the activities within the important business services.
- Impact Tolerances: This sets the acceptable level of disruption to an important business service, which is measured by the maximum tolerable duration and the extent of the disruption.
- Scenario Testing: These scenarios assume that the disruptions have occurred and focus on response and recovery actions.
- Governance: The Board is expected to oversee and approve all operational resilience aspects and obtain assurance that there are suitable strategies, processes, and systems to identify important business services, set tolerances, map resources, and test.
- Communication: Creation of communication plans to be triggered when services are disrupted.
- Self-Assessment: Firms will need to document their self-assessment measuring compliance with operational resilience regulations, their methodology, their vulnerabilities, scenario testing, and remedial actions. The Board will have to approve the self-assessment.
These requirements are complex in nature and may require several iterations and a return to basics to understand what constitutes an IBS for your firm, what resources must be mapped to it to ensure continuity of services even during a disruptive period, how the impact tolerances must be set, reviewed and stress tested (and revised where necessary), and what communication strategy you ought to have in place to inform your end-users (including the regulator). The FCA has not prescribed any format on which firms must base their Operational Resilience framework, thus allowing firms some freedom to develop a framework that suitably meets the needs of the firm and its end-users.
Expected Role of the Board
The regulator expects the Board and senior management to provide effective oversight to ensure the firm has an effective Operational Resilience framework which includes crisis management. The Board must assess whether there is a proportionate and effective cross-functional response team to manage the resilience plans, whether the firm has used a range of short, medium, and long-term scenarios that severely stress the business, and whether the impact tolerances set by the business truly reflect the needs of its customers.
Why is it important?
At a time when we continue to face the aftershocks of the pandemic, severe supply chain issues due to the geopolitical crisis, an unprecedented increase in commodity prices, and substantial fluctuation in currency values, it has become even more important for firms to promptly identify and mitigate ever-evolving operational risks. This isn’t a mere regulatory requirement to be reviewed and signed off on an annual basis but an opportunity to build a robust framework that is adequately tested against a variety of stresses and is well embedded within the firm’s risk management practices.