The term ‘operational resilience’ encompasses what used to be called ‘business continuity’ or ‘operational risk management’. This initiative comes from the UK regulators, keen to bring various strands of similar work together. An initiative that has the end consumer of business services in mind, and assumes that disruption will happen.
The fall-out of the coronavirus pandemic has had resounding effects not just in human and medical terms but has proved a test of firms’ operational resilience. The IA are supporting members during this time by obtaining their views and experiences via bilateral conversations and weekly calls with Committee members, and using this to inform conversations with regulators and policymakers. For more information on how the IA can support members please see our COVID-19 expert page.
It should be noted that the Operational Resilience Consultation Paper (CP 19/32) deadline has been extended until 1 October in light of current events.
In July 2018, each of the regulators of the wider financial services industry published a discussion paper, which aimed to
This was the first time that all three regulators (Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)) had published a joint discussion paper. The paper highlighted how important they felt the issue was, both to the financial system and the UK economy as a whole.
The paper sets out the regulators' view that continuity of business services is essential to operational resilience. The paper also introduced the concept of 'impact tolerance statements' and asked for views on how best they could build on existing requirements to ensure statements continue to be effective, as the market and technology develops.
Naturally, firms will need to make large cost and time investments to take this work forward, but ultimately, there will be significant benefits. If firms embrace, rather than simply see it as a regulatory obligation, there should be many long-term advantages - for example, more stable and reliable operating platforms, clearly defined and tested workarounds when disruption occurs, and better consumer outcomes.
Firms operating in other jurisdictions as well as the UK, or globally, could replicate the principles outlined by the UK regulators, or apply them elsewhere. Therefore, there is an opportunity for UK firms to take the lead in developing internal frameworks.
Cyber resilience is an important, and currently more developed, aspect of operational resilience as a whole, and you can find out more on the IA's work on this subject in the member area.
LATEST DEVELOPMENTS (most recent first)
We have compiled a series of blog posts:
Operational resilience through the COVID-19 lens - launching our updated Important Business Services guidance.
Remotely Busy - Operational Resilience During COVID-19 looking at some of the key resiliency themes experienced by members during this health emergency.
The consultation, which runs until 1 October 2020 (previously 3 April 2020), is available here. A policy statement was expected in Autumn 2020 and a likely implementation during 2021 but due to COVID-19 this has been postponed.
The IA response to the Discussion Paper
We submitted a response to the discussion paper in October 2018. As well as responding to the specific questions raised in the paper, we emphasised five points:
1. Regulators should recognise the work already being done in this area by investment management firms, under the guise of operational risk management, contingency assessments, business continuity planning, and ICAAP scenario testing and reporting;
2. Regulators should apply proportionality to this issue and focus on where the real risks to customers and markets lie - on financial market infrastructures and systemically-important firms;
3. This work should note that the importance of third-party suppliers, cloud outsourcing and therefore market concentration in the risks that firms face;
4. The proposed services-based approach should be considered alongside the ongoing systems and processes-based approach. It should not be implemented as a replacement;
5. To improve the clarity of regulatory expectations, more guidance would be useful. For example, to help firms understand what the regulator defines as a 'vital service' or a firm's 'most important business service'.
The joint regulators issued a discussion paper in July 2018. In summary, the regulators believe that firms can achieve better operational resilience by focusing more on setting, monitoring and testing specific impact tolerances for key business services. These define how much disruption can be tolerated. Important concepts in the paper include:
For full details of the IA's work plan on operational resilience and how the IA is supporting its members through the implementation of regulations in this important topic, click the 'go' button below to visit the members area.