The term ‘operational resilience’ encompasses what used to be called ‘business continuity’ or ‘operational risk management’. The initiative comes from the UK regulators, who are keen to bring various strands of similar work together. It is an initiative that has the end consumer of business services in mind, and it assumes that disruption will happen.
In 2018, all three regulators (Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)) published a joint discussion paper. The paper highlighted how important they felt the issue was, both to the financial system and to the UK economy as a whole. The regulators have made clear that ensuring continuity of important business services is essential to operational resilience and to preventing consumer harm. The paper also introduced the concept of 'impact tolerance statements' and asked for views on how best they could build on existing requirements to ensure that such statements continue to be effective as the market and technology develop.
Naturally, firms will need to make large cost and time investments to take this work forward, but ultimately there will be significant benefits. If firms embrace it, rather than simply seeing it as a regulatory obligation, there should be many long-term advantages - for example, more stable and reliable operating platforms, clearly defined and tested workarounds for when disruption occurs, and better consumer outcomes.
Firms operating in other jurisdictions as well as the UK, or globally, could replicate the principles outlined by the UK regulators, or apply them elsewhere. Therefore, there is an opportunity for UK firms to take the lead in developing internal frameworks.
Cyber resilience is an important, and currently more developed, aspect of operational resilience as a whole, and you can find out more on the IA's work on this subject in the member area.
Since this discussion paper and subsequent consultation, the FCA have now published their policy statement. In addition, the BoE, PRA and FCA published a shared final policy summary on the requirements to strengthen operational resilience in the financial services sector. Here is our analysis of the policy statement and what it means for investment managers.
On 29th March, the FCA published their final rules on operational resilience. These requirements are mainly as laid out in the original consultation with the exception that they have provided firms with a bit more time and flexibility to meet mapping and scenario testing requirements.
Timeline
The rules will come into force on 31 March 2022. By then, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
Scope
The rules will affect banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011).
Core firms under SM&CR, although not in scope, may benefit from familiarising themselves with the regime, given recent events and the potential future focus of regulators.
Requirements
The requirements are mainly as laid out in the original consultation. Firms will be expected to:
A firm must identify its important business services and review these if there is a material change to the firm’s business or the market in which it operates and in any event, no later than 1 year after it last carried out the relevant assessment.
A firm must, for each of its important business services, set an impact tolerance and review these if there is a material change to the firm’s business or the market in which it operates and in any event, no later than 1 year after it last carried out the relevant assessment.
A firm must have in place sound, effective and comprehensive strategies, processes and systems to enable it to comply with its obligations and that are comprehensive and proportionate to the nature, scale and complexity of the firm’s activities.
A firm must identify and document the people, processes, technology, facilities and information necessary to deliver each of its important business services. This must be sufficient to allow the firm to identify vulnerabilities and remedy these as appropriate.
A firm must develop and keep up to date a testing plan that appropriately details how it will gain assurance that it can remain within the impact tolerances for each of its important business services.
A firm must carry out scenario testing, to assess its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.
A firm must, following scenario testing or after an operational disruption, conduct a lessons learned exercise that allows the firm to identify weaknesses and take action to improve its ability to respond effectively to, and recover from, future disruptions. Following the lessons learned exercise, a firm must make the necessary improvements to address the weaknesses identified, to ensure that it can remain within its impact tolerances.
A firm must make, and keep up to date, a written record of its assessment of its compliance with the requirements in this chapter, including, but not limited to, a written record of:
A firm must ensure that its governing body approves and regularly reviews the self-assessment and lessons learned exercise documentation.
A firm must maintain an internal and external communication strategy so that it can act quickly and effectively to reduce the anticipated harm caused by operational disruptions. A firm must provide clear, timely and relevant communications to stakeholders in the event of an operational disruption.
| | Consultation Paper | Policy Statement PS21/3 |
|---|---|---|
| Scope | Enhanced firms under SM&CR are in scope. | The scope remains unchanged. |
| Important Business Services | Identify important business services that, if disrupted, could cause harm to consumers or market integrity. | Firms will still be required to identify their important business services; however, the PS offers more clarity on the FCA’s expectations. For instance, it indicates that while internal processes (such as payroll) are important for maintaining a firm’s operational resilience, they do not in and of themselves constitute important business services. |
| Impact Tolerances | Set impact tolerances for each important business service, specifying at a minimum the length of time for which a disruption to that important business service can be tolerated. | This requirement remains largely unchanged. However, there is a new expectation for firms to take into account the impact of failure of other related important business services when setting the impact tolerance for an individual important business service (i.e. where services share common resources). This should be undertaken in a proportionate manner. |
| Mapping | Identify and document the people, processes, technology, facilities and information that support a firm’s important business services. | Firms are still required to identify and document the people, processes, technology and information necessary to deliver each of their important business services. Firms are also responsible for accurately mapping any relationship outsourced to an external third party. |
| Scenario testing | Firms should test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios. This should be conducted regularly to identify any vulnerabilities that need remediation. | This requirement remains the same as articulated in the CP. However, the FCA have dropped the proposed requirement for firms to test their ability to remain within their impact tolerances annually; instead, firms are required to scenario test when there is a material change to the firm, following improvements made by the firm in response to a previous test, and in any event on a regular basis. |
| Lessons learned exercises | Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond to and recover from disruptions as effectively as possible. | This requirement remains the same as articulated in the CP. |
| Communications plans | Develop internal and external communications plans for when important business services are disrupted. | This requirement remains the same, and there is further clarity that firms can repurpose existing communications plans/strategies where appropriate. |
| Self-assessment | Create a self-assessment document to evidence a firm’s compliance with the requirements. | This requirement remains the same as articulated in the CP. |
Comparison of the IA’s asks for the FCA in our response to CP19/32 and the outcome in PS 21/3:
| | IA response to CP19/32 | Policy Statement |
|---|---|---|
| Scope | We welcomed the proportionality in the regulator’s thinking, via the focus only on firms that are more likely to have an impact on other parties or market stability. However, we did not necessarily agree that using a firm’s SM&CR status as a proxy for this is the most appropriate mechanism. We noted that some members had previously ‘opted up’ their SM&CR status to ‘enhanced’ voluntarily and now find themselves in scope of these regulations. As stated, in many cases this is not problematic due to their existing attention to the topic. However, the arbitrary use of firms’ SM&CR status as the threshold for applicability is slightly disadvantageous to them. | The proposed scope outlined in the CP remains the same. The FCA outlined that they expect firms changing their status from ‘core’ to ‘enhanced-scope’ SM&CR, and so bringing themselves into scope of this policy, to approach implementation in the same way as other enhanced firms. |
| Outcomes based | We welcomed the outcomes-based nature of the proposed regulations, as firms are best placed to understand their own internal business models, products and customer types, and so to determine, for instance, their important business services and impact tolerances. | The PS remains outcomes-focused, indicating that firms are best placed to set their impact tolerances at the appropriate level and to identify their important business services. |
| Investment management specific examples | We raised with the FCA that there is a notable lack of investment management specific examples in the CP. | It is welcome that the FCA have included a fictional enhanced-scope SM&CR investment manager as an example to help illustrate the requirements. |
| Important Business Services | | The FCA indicate that firms are best placed to identify which of their services should be classed as important business services in the context of their business models, and that they should determine the appropriate level of granularity. |
| Impact Tolerances | | |
| Duration metric | | |
| Dual-regulated firms | While we recognised that it is logical to set different impact tolerance requirements given the different considerations of each regulator and their underlying responsibilities, we urged regulatory cohesion as far as possible to mitigate any unnecessary burden on firms. | Dual-regulated firms will need to set two impact tolerances. If the same business service is defined as an important business service under both PRA and FCA rules, the firm should have separate impact tolerances in consideration of the objectives of the two supervisory authorities (although, where appropriate, these may be set at the same point). |
| Outsourcing | | |
| Mapping | | |
| Testing | | |
| Industry-wide tests | Firms would benefit from further clarity on what the FCA expects regarding how, or whether, firms should coordinate testing with their key suppliers. Moreover, it would be helpful to gain feedback on the feasibility of such a testing process and whether it could in itself harm the resiliency of firms and markets. For example, such testing may need to be scheduled and coordinated across the industry. Given the risk of failure involved and the resultant disruption, such an event should not take place without the involvement of the regulator. | The FCA believe that the introduction of industry-wide tests could be helpful for some firms, particularly smaller firms, but that this needs to be balanced against the cost and resources required to develop and maintain such tests. They will consider whether these tests could be developed over the longer term as part of their supervisory approach. |
| Testing methods | We welcomed the fact that testing may consist of one or more of ‘paper-based, simulations or live-systems’ and that firms are able to decide the most appropriate mechanism(s) to satisfy themselves of their resiliency. We took from this that it would be permissible for firms to conduct solely the more theoretical forms of testing. However, if theoretical scenario testing is not considered sufficient, it should be noted that more realistic or live testing would likely introduce risks that regulatory authorities need to be alive to, and potentially involved in. | The appropriate testing method will vary from firm to firm, and testing methods will also vary depending on the ‘severe but plausible’ scenarios identified by the firm in question. |
| Self-assessment | | |
| Transitional arrangements | | |
| International alignment | | |
The IA has a series of workstreams focused on helping members operationalise different elements of the regulator’s operational resilience requirements.
From December 2019 to June 2020 we ran an Important Business Services Working Group. The Group looked at the process of defining important business services and came up with a methodology that firms can adapt to suit their particular business model. The findings can be found here. Additionally, a more detailed overview of the Group's work, including the full operating model of the fictional firm used, can be found here: Business Services.
The Governance Working Group, supported by EY, was convened over 2020 to explore the internal arrangements necessary to support the implementation of operational resilience. In February 2021 the Group issued its guidance, Effective Governance of Operational Resilience, representing the culmination of the discussions held on effective governance arrangements to oversee an operational resilience strategy.
In September 2020, the Impact Tolerances Working Group was set up in conjunction with PwC, to help members address the challenges with setting impact tolerances and identifying suitable metrics to measure these. We will be publishing our output on this topic very soon.
We will soon be launching our Scenario Testing Working Group with KPMG. This Group will be looking at the incoming requirement for firms to effectively test their ability to remain within their impact tolerances, during a severe but plausible scenario and assessing the most effective way to achieve this. Interested members should apply here.
Find out more on the Operational Resilience Committee workplan here.
The IA response to the Consultation Paper
We submitted a response to the consultation paper in September 2020. As well as responding to the specific questions raised in the paper, we emphasised:
The joint regulators issued a discussion paper in July 2018. In summary, the regulators believe that firms can achieve better operational resilience by focusing more on setting, monitoring and testing specific impact tolerances for key business services. These define how much disruption can be tolerated. Important concepts in the paper include:
Regulatory Publications
Member Meetings
Presentations
Blog Posts
We have compiled a series of blog posts:
‘Severe but plausible’ - the regulators set out their operational resilience expectations looking at the publication of the PS.
Operational resilience and effective governance – how prepared are you?
Operational resilience through the COVID-19 lens - launching our updated Important Business Services guidance.
Remotely Busy - Operational Resilience During COVID-19 looking at some of the key resiliency themes experienced by members during this health emergency.
Webinars
For full details of the IA's work plan on operational resilience, and how the IA is supporting its members through the implementation of regulations on this important topic, visit the members area.
For more information, please contact