Operational Resilience

The term ‘operational resilience’ encompasses what used to be called ‘business continuity’ or ‘operational risk management’. This initiative comes from the UK regulators, keen to bring various strands of similar work together. An initiative that has the end consumer of business services in mind, and assumes that disruption will happen.

COVID-19 UPDATE

The fall-out of the coronavirus pandemic has had resounding effects not just in human and medical terms but has proved a test of firms’ operational resilience. The IA are supporting members during this time by obtaining their views and experiences via bilateral conversations and weekly calls with Committee members, and using this to inform conversations with regulators and policymakers. For more information on how the IA can support members please see our COVID-19 expert page. 

It should be noted that the Operational Resilience Consultation Paper (CP 19/32) deadline was extended until 1 October in light of current events and that the IA have now submitted the industry response. 

In July 2018, each of the regulators of the wider financial services industry published a discussion paper, which aimed to

This was the first time that all three regulators (Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA)) had published a joint discussion paper. The paper highlighted how important they felt the issue was, both to the financial system and the UK economy as a whole.

The paper sets out the regulators' view that continuity of business services is essential to operational resilience. The paper also introduced the concept of 'impact tolerance statements' and asked for views on how best they could build on existing requirements to ensure statements continue to be effective, as the market and technology develops.

Naturally, firms will need to make large cost and time investments to take this work forward, but ultimately, there will be significant benefits. If firms embrace, rather than simply see it as a regulatory obligation, there should be many long-term advantages - for example, more stable and reliable operating platforms, clearly defined and tested workarounds when disruption occurs, and better consumer outcomes.

Firms operating in other jurisdictions as well as the UK, or globally, could replicate the principles outlined by the UK regulators, or apply them elsewhere. Therefore, there is an opportunity for UK firms to take the lead in developing internal frameworks.

Cyber resilience is an important, and currently more developed, aspect of operational resilience as a whole, and you can find out more on the IA's work on this subject in the member area.

LATEST DEVELOPMENTS (most recent first)

Consultation Paper

The IA submitted our response to the FCA's consultation. Due to COVID-19, a policy statement is now expected in Q1 2021 followed by at least a 12-month implementation period

The IA response to the Consultation Paper

We submitted a response to the consultation paper in September 2020. As well as responding to the specific questions raised in the paper, we emphasised:

• Resilience has been at the forefront of everyone’s thinking this year in ways we have never witnessed before. The UK regulators are entitled to feel justified in starting the conversation on this topic ahead of the crisis and bringing about progress within the financial services arena.
• We are supportive of the proposed regulations and the overall objective of building a financial system better able to deal with disruptive events when they occur. As the Covid-19 pandemic demonstrated, the investment management industry has a high level of resiliency built upon many years of ‘business continuity’ planning and developments in part prompted by the earlier discussion paper.
• Firms have benefitted from the regulator’s clear provision of notice and signposting of these changes, given the DP and the clear inclusion of the subject as an important priority in key communications with industry. 
• The application of proportionality in the regulator’s thinking via the focus only on firms who are more likely to have an impact on other parties or market stability is a very welcome move. We do not necessarily agree that using a firms’ SM&CR status as a proxy for this is the most appropriate mechanism, but nevertheless welcome the principle.
• The outcomes-based nature of the proposed regulations are also welcome as firms are best-placed to understand their own internal business models, products and customer types. Additionally, the proposed transitional arrangements allow firms time to make the necessary changes to achieve compliance with their impact tolerances. Such changes may be significant in size especially where IT change is needed, and so this additional time allowance is to be welcomed.
• As the proposed regulations are not prescriptive, there is naturally a lack of explicitness in some areas. As we have shown, we are keen to continue to work with you on supporting our members by establishing best practices guidelines in areas such as the definition of investment-sector specific business services.
• Finally, we do not agree with the draft requirement that time duration is always a measure within impact tolerances. We explain that there are areas where other metrics are more appropriate, and believe that if firms are able to demonstrate this, they should have the ability to choose another metric as the measurement.

Blog Posts

We have compiled a series of blog posts:

Operational resilience through the COVID-19 lens - launching our updated Important Business Services guidance.

Remotely Busy - Operational Resilience During COVID-19 looking at some of the key resiliency themes experienced by members during this health emergency.

Webinars

• July 2020: The Future of Fund Operations
• June 2020: Operational Resilience in FinTech
• June 2020: iNED: Operational resilience
• June 2020: Operational Resilience: Maintaining client service and engagement
• April 2020: COVID-19 Operational Resilience

Discussion Paper

The joint regulators issued a discussion paper in July 2018. In summary, the regulators believe that firms can achieve better operational resilience by focusing more on setting, monitoring and testing specific impact tolerances for key business services. These define how much disruption can be tolerated. Important concepts in the paper include:

• focusing on the continuity of the most important business services as an essential component of managing operational resilience;
• setting board-approved impact tolerances, which quantify the level of disruption that can be tolerated;
• planning that assumes disruption will occur, as well as seeking to prevent it.