The term ‘operational resilience’ encompasses what used to be called ‘business continuity’ or ‘operational risk management’. This initiative comes from the UK regulators, keen to bring various strands of similar work together. An initiative that has the end consumer of business services in mind, and assumes that disruption will happen.  

In 2018, all three regulators (Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a joint discussion paper. The paper highlighted how important they felt the issue was, both to the financial system and the UK economy as a whole. The regulators have made clear that ensuring continuity of important business services is essential to operational resilience and preventing consumer harm. The paper also introduced the concept of 'impact tolerance statements' and asked for views on how best they could build on existing requirements to ensure statements continue to be effective, as the market and technology develops.

Naturally, firms will need to make large cost and time investments to take this work forward, but ultimately, there will be significant benefits. If firms embrace, rather than simply see it as a regulatory obligation, there should be many long-term advantages - for example, more stable and reliable operating platforms, clearly defined and tested workarounds when disruption occurs, and better consumer outcomes.

Firms operating in other jurisdictions as well as the UK, or globally, could replicate the principles outlined by the UK regulators, or apply them elsewhere. Therefore, there is an opportunity for UK firms to take the lead in developing internal frameworks.

Cyber resilience is an important, and currently more developed, aspect of operational resilience as a whole, and you can find out more on the IA's work on this subject in the member area.

Since this discussion paper and subsequent consultation, the FCA have now published their policy statement. In addition, the BoE, PRA and FCA published a shared final policy summary  on the requirements to strengthen operational resilience in the financial services sector. Here is our analysis of the policy statement and what it means for investment managers.

 

 

    FCA Policy Statement (PS21/3)

    On 29th March, the FCA published their final rules on operational resilience. These requirements are mainly as laid out in the original consultation with the exception that they have provided firms with a bit more time and flexibility to meet mapping and scenario testing requirements.

    Timeline

    The rules will come into force on 31 March 2022. By then, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.  

    As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances. 

     

    Scope

    The rules will affect banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope senior managers and certification regime (SM&CR) firms and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011).

    For those not in scope, given recent events and the potential future focus of regulators, Core firms under SM&CR may benefit from familiarising themselves with the regime.

     

    Requirements

    The requirements are mainly as laid out in the original consultation. Firms will be expected to:

    • identify their important business services that, if disrupted, could cause harm to consumers or market integrity, threaten the viability of firms or cause instability in the financial system
    • set impact tolerances for each important business service, which would quantify the maximum tolerable level of disruption they would tolerate
    • identify and map the people, processes, technology, facilities and information that support their important business services (including those of their suppliers)
    • take actions to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios including developing a testing plan and carrying out scenario testing
    • conduct lessons learnt exercises to identify, prioritise, and invest in your ability to respond and recover from disruptions as effectively as possible
    • develop internal and external communications plans for when important business services are disrupted
    • maintain an updated self-assessment document detailing how the firm has assessed its compliance with the regulatory requirements

    Detailed requirements for firms in scope

    Important Business Services

    A firm must identify its important business services and review these if there is a material change to the firm’s business or the market in which it operates and in any event, no later than 1 year after it last carried out the relevant assessment.

    • These services should be distinct and firms should not identify a collection of services as a single important business service.
    • The factors that a firm should consider when identifying its important business services include, but are not limited to:
      • the nature of the client base (including considering vulnerable customers)
      • the ability of clients to obtain the service from other providers
      • the time criticality for clients receiving the service
      • the number of clients to whom the service is provided
      • the sensitivity of data held
      • the potential of the service or firm to inhibit the functioning or stability of the UK financial system 
      • the potential impact to the firm's financial position or reputation
      • whether disruption to the services could amount to a breach of a legal or regulatory obligation
      • the level of inherent conduct and market risk
      • the potential to cause knock-on effects for other market participants
      • the importance of that service to the UK financial system, which may include market share, client concentration and sensitive clients (for example, governments or pension funds)

    Impact Tolerances

    A firm must, for each of its important business services, set an impact tolerance and review these if there is a material change to the firm’s business or the market in which it operates and in any event, no later than 1 year after it last carried out the relevant assessment. 

    • The factors that a firm should consider when setting its impact tolerance include, but are not limited to:
      • the nature of the client base (including considering vulnerable customers)
      • the number of clients that may be adversely impacted and the nature of the impact
      • the potential financial loss to clients
      • the potential financial loss to the firm where this could harm the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets
      • the potential level of reputational damage to the firm
      • the potential impact on market or consumer confidence
      • the potential spread of risks to their other business services, other firms or the UK financial system
      • the potential loss of functionality or access for clients
      • any potential loss of confidentiality, integrity or availability of data
      • the potential aggregate impact of disruptions to multiple important business services, in particular where such services rely on common operational resources
    • When setting its impact tolerance, a firm should take account of the fluctuations in demand for its important business service at different times of the day and throughout the year in order to ensure that its impact tolerance reflects these fluctuations and is appropriate in light of the peak demand for the important business service. 
    • A firm must ensure it can remain within its impact tolerance for each important business service in the event of a severe but plausible disruption to its operations.

    Strategies, processes and systems

    A firm must have in place sound, effective and comprehensive strategies, processes and systems to enable it to comply with its obligations and that are comprehensive and proportionate to the nature, scale and complexity of the firm’s activities.

    Mapping

    A firm must identify and document the people, processes, technology, facilities and information necessary to deliver each of its important business services. This must be sufficient to allow the firm to identify vulnerabilities and remedy these as appropriate.

    • Where a firm relies on a third party for the delivery of an important business service, we would expect the firm to have sufficient understanding of the people, processes, technology, facilities, and information that support the provision by the third party of its services to or on behalf of the firm so as to allow the firm to comply with its obligations
    • Frequency:  Firms must review these if there is a material change to the firm's business, the important business services identified or impact tolerances set and in any event, no later than 1 year after it last carried out the relevant assessment.

    Scenario testing plan

    A firm must develop and keep up to date a testing plan that appropriately details how it will gain assurance that it can remain within the impact tolerances for each of its important business services.

    • Firms should ensure that the testing plan takes account of a number of factors, including but not limited to:
      • the type of scenario testing e.g. paper-based, simulations or through the use of live-systems
      • the scenarios which the firm expects to to be able to remain within their impact tolerances and which ones they may not
      • the frequency of the testing
      • the number of important business services tested
      • the availability and integrity of supporting assets
      • how the firm would communicate with internal and external stakeholders effectively to reduce the harm caused by operational disruptions

    Scenario testing 

    A firm must carry out scenario testing, to assess its ability to remain within its impact tolerance for each of its important business services in the event of a severe but plausible disruption of its operations.

    • In carrying out the scenario testing, a firm must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to its business and risk profile and consider the risks to the delivery of the firm’s important business services in those circumstances.
    • Where a firm relies on a third party for the delivery of its important business services, the FCA would expect the firm to work with the third party to ensure the validity of the firm’s scenario testing.
    • In carrying out the scenario testing, a firm should, among other things, consider the following scenarios:
      • corruption, deletion or manipulation of data critical to the delivery of its important business services
      • unavailability of facilities or key people
      • unavailability of third party services, which are critical to the delivery of its important business services
      • disruption to other market participants, where applicable
      • loss or reduced provision of technology underpinning the delivery of important business services.
    • Frequency: a firm must carry out the scenario testing if there is a material change to the firm's business, the important business services identified or impact tolerances set, following improvements made by the firm in response to a previous test and in any event, on a regular basis.

    Lessons learned

    A firm must, following scenario testing or, in the event of an operational disruption, after such event, conduct a lessons learned exercise that allows the firm to identify weaknesses and take action to improve its ability to effectively respond and recover from future disruptions. Following the lessons learned exercise, a firm must make necessary improvements to address weaknesses identified to ensure that it can remain within its impact tolerances.

    Self-assessment and lessons learned exercise documentation

    A firm must make, and keep up to date, a written record of its assessment of its compliance with the requirements in this chapter, including, but not limited to, a written record of:

    • important business services identified by the firm and the justification for the determination made
    • the firm’s impact tolerances and the justification for the level at which they have been set by the firm
    • the firm’s approach to mapping
    • the firm's testing plan and a justification for the plan adopted
    • details of the scenario testing carried out and justification of the assumptions made in relation to scenario design and any identified risks to the firm’s ability to meet its impact tolerances
    • any lessons learned exercise conducted
    • an identification of the vulnerabilities that threaten the firm’s ability to deliver its important business services within the impact tolerances set, including the actions taken or planned and justifications for their completion time
    • its communication strategy and an explanation of how it will enable it to reduce the anticipated harm caused by operational disruptions
    • the methodologies used to undertake the above activities.

    Governance

    A firm must ensure that its governing body approves and regularly reviews the self assessment and lessons learned exercise documentation.

    Communications

    A firm must maintain an internal and external communication strategy to act quickly and effectively to reduce the anticipated harm caused by operational disruptions. A firm must provide clear, timely and relevant communications to stakeholders in the event of an operational disruption

    Comparison of the FCA consultation paper and policy statement

     

    Consultation Paper

    Policy Statement PS21/3

    Scope

    Enhanced firms under SM&CR are in scope.

    The scope remains unchanged.

    Important Business Services

    Identify important business services that if disrupted could cause harm to consumers or market integrity.

    Firms will be required to identify their important business services, however the PS offers more clarity on the FCA’s expectations. For instance, they indicate that while internal processes (such as payroll) are important for maintaining a firm’s operational resilience, they do not in of themselves constitute important business services.

    Impact Tolerances

    Set impact tolerances for each important business service specifying at a minimum, the length of time for which a disruption to that important business service can be tolerated.

    This requirement remains largely unchanged. However, there is a new expectation for firms to take into account the impact of failure of other related important business services when setting impact tolerances for an individual important business service (ie if services share common resources). This should be undertaken in a proportionate manner

    Mapping

    Identify and document the people, processes, technology, facilities and information that support a firm’s important business services.

    Firms are still required to identify and document the necessary people, processes, technology and information required to deliver each of its important business services. Firms are also responsible for accurately mapping any relationship outsourced to an external third party.

    Scenario testing

    Firms should test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.

    This should be conducted regularly to identify any vulnerabilities that need remediation.

    This requirement remains the same as articulated in the CP. However, the FCA have amended their requirement for firms to test their ability to remain within their impact tolerances annually as proposed, and instead firms are required to scenario test when there is a material change to the firm, following improvements made by the firm in response to a previous test and in any event, on a regular basis.

    Lessons learned exercises

    Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible

    This requirement remains the same as articulated in the CP.

    Communications plans

    Develop internal and external communications plans for when important business services are disrupted

    This requirement remains the same, and there is further clarity that firms can repurpose existing communications plans/strategies where appropriate.

    Self-assessment

    Create a self-assessment document to evidence a firm’s compliance with the requirements.

    This requirement remains the same as articulated in the CP.

     

    IA response to CP19/32 vs Policy Statement

    Comparison of the IA’s asks for the FCA in our response to CP19/32 and the outcome in PS 21/3:

     

    IA response to CP19/32

    Policy Statement

    Scope

    We welcomed proportionality in the regulator’s thinking via the focus only on firms who are more likely to have an impact on other parties or market stability. However, we did not necessarily agree that using a firms’ SM&CR status as a proxy for this is the most appropriate mechanism.

    We noted that some members voluntarily ‘opted-up’ their SM&CR status to ‘enhanced’ previously and now find themselves in scope of these regulations. As stated, in many cases this is not problematic due to their existing attention on the topic. However, the arbitrary selection of the SM&CR status of firms being used as the threshold for applicability is slightly disadvantageous to them.

    The proposed scope outlined in the CP remains the same.  

    The FCA outlined that they expect firms changing their status from ‘core’ to ‘enhanced-scope’ SMCR, and so bringing themselves into scope of this policy, to approach implementation in the same way as other enhanced firms.

    Outcomes based

    We welcomed the outcomes-based nature of the proposed regulations as firms are best-placed to understand their own internal business models, products and customer types in order to determine their important business services and impact tolerances for instance.

     

    The PS remains outcomes-focused, indicating that firms are best placed to set their impact tolerances at the appropriate level and identify their important business services.

    Investment management specific examples

    We raised to the FCA that there is a notable lack of investment management specific examples in the CP.

    It is welcome that the FCA have included an example fictional enhanced scope SM&CR investment manager to help illustrate its requirements.

     

    Important Business Services

    • We agreed that focusing on business services is an effective way for firms to understand the impact on consumers in the event of disruption and that firms are best placed to decide what their important business services are.
    • We emphasised that it is important to determine the right level of granularity to avoid a dilution of impact. For example, identifying a large number of services (ie >15) would restrict the impact that reporting to senior management may have, and an understanding of where investment could have a meaningful impact.

    The FCA indicate that firms are best placed to identify which of their services should be classed as important business services in the context of their business models and that they should determine the appropriate level of granularity.

    Impact Tolerances

    • We welcomed the concept of setting impact tolerances and in particular the fact that the FCA had not been prescriptive, and have focused on the overall objective.
    • We raised that an additional complication that firms may face is the reliance and interconnectedness of outsourced service suppliers. It could prove problematic for firms if outsourced service providers have incompatible or inconsistent tolerances to them, and they may lack the ability to change these, or in extreme scenarios change their supplier.
    • As with other areas of the policy, the FCA consider that firms are best placed to set their impact tolerances at the appropriate level.
    • The FCA detail that when a firm is using a third-party provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances. Ultimately, the requirements to set and remain within impact tolerances remain the responsibility of the firm, regardless of whether it uses external parties for the provision of important business services.

    Duration metric

    • We did not agree with the draft requirement that time duration should always be used as one of the metrics in setting impact tolerances.
    • Firms should be able to determine the most appropriate metric to use.

     

    • Firms will be required to understand the maximum amount of time for which disruption to an important business service can be tolerated, or a point in time beyond which disruption cannot be tolerated.
    • The supervisory authorities also clarify that a time-based metric can be defined in different ways and, where appropriate, must be used in conjunction with other metrics.

    Dual-regulated firms

    We recognised that it is logical to set different impact tolerance requirements given the different considerations of each regulator and their underlying responsibilities, we urged regulatory cohesion as far as possible to mitigate against any unnecessary burden on firms.

    Dual-regulated firms will need to set two impact tolerances. If the same business service is defined as an important business service under both PRA and FCA rules, the firm should have separate impact tolerances in consideration of the objectives of the two supervisory authorities (however if appropriate, this may be at the same point for each).

    Outsourcing

    • Given our industry’s reliance and the interconnectedness of outsourced service suppliers, we conveyed that this could prove problematic for firms if outsourced service providers have incompatible or inconsistent tolerances to them, and they may lack the ability to change these, or in extreme scenarios change their supplier. Service providers may face challenges if clients make differing or contradictory requests of them.
    • We asked the FCA to consider that for many of these services, it is not viable to operate a second provider, and migration from one to another can take many years.

     

    • Firms are required to map their important business services and test their ability to remain within impact tolerances, regardless of whether the operational resources are being provided wholly or in part by a third party.
    • Firms that enter into outsourcing or third party arrangements remain fully accountable for complying with all their regulatory obligations. As part of their assurance, firms may ask third parties to provide mapping or scenario testing data but this is not required in all cases, particularly if other assurance mechanisms are effective and more proportionate.

    Mapping

    • Firms reported to us that they would benefit from more guidance on the appropriate level of granularity firms should take when conducting mapping.

     

    • We also raised that given the use of third, fourth and fifth parties in many firms’ supply chains, firms may encounter a differing range of success in terms of the level of detail they can reach in their mapping processes.

     

    • The regulators consider that firms are best placed to determine a proportionate and effective approach to mapping.

     

    • Firms should understand the reliance placed on sub-outsourcing arrangements, and if these arrangements pose a threat to their operational resilience. Firms should, at a minimum, monitor sub-outsourced providers involved in the provision of important business services, including their ability to deliver the firm’s important business services within the firm’s impact tolerances.

    Testing

    • Firms would benefit from further clarity on what the FCA expects on how or if firms should coordinate testing with their key suppliers. Moreover, we stated that it would be helpful to gain feedback on the feasibility of such a testing process and whether that in itself could harm the resiliency of the firms and the markets.

     

    • Firms should consider any potential issues (ie if there is a need to coordinate with third parties) when organising their testing schedule and consider how best to minimise disruption to other activities while still meeting the requirements.
    • The regulators expect that firms will identify what can be considered ‘severe but plausible’ scenarios (ie based on previous incidents or near misses).
    • However, the supervisory authorities also anticipate that this will be a common area for supervisory and firm discussion, including developing an understanding of how and why scenarios have been selected.

    Industry-wide tests

    Firms would benefit from further clarity on what the FCA expects on how or if firms should coordinate testing with their key suppliers. Moreover, it would be helpful to gain feedback on the feasibility of such a testing process and whether that in itself could harm the resiliency of the firms and the markets. For example, such testing may need to be scheduled and co-ordinated across industry. Due to the risk of failure involved and the resultant disruption, such an event should not take place without the involvement of the regulator.

     

    The FCA believe that the introduction of industry-wide tests could be helpful for some firms, and particularly smaller firms, this needs to be balanced against the cost and resources to develop and maintain these tests and will consider if these tests could be developed over the longer term as part of their supervisory approach.

    Testing methods

    We welcomed the fact that testing may consist of one or more of ‘paper-based, simulations or live-systems’ and that firms are able to decide the most appropriate mechanism(s) to satisfy themselves of their resiliency. We took from this that it would be permissible for firms to solely conduct more theoretical forms of testing. However, if theoretical scenario testing is not considered sufficient, it should be noted that using more realistic or live testing would likely introduce risks that regulatory authorities need to be alive to, and potentially involved in.

     

    The appropriate testing method will vary according to firm and that testing methods will also vary depending on the ‘severe but plausible’ scenarios identified by the firm in question.

    Self-assessment

    • We agreed that such a document will help boards locate, in one place, the resiliency assessment of the business on an ongoing basis and initiate discussion and decision-making.
    • We asked for clarification on the deadline for the date of the publication of the first document, and assumed this would be one year following the rules coming into effect.
    • We asked for clarity on the expectations for dual-regulated firms, assuming that only one self-assessment document would be needed to satisfy both regulators.

     

    • This requirement remains the same as articulated in the CP.
    • The earliest date a self-assessment document can be requested by the FCA is the 31 March 2022.

    • The PRA and FCA consider that firms should undertake bespoke self-assessments which reflect their individual important business services and scenario testing, although these can leverage the same work. The PRA indicate that firms would not necessarily need to produce two self-assessment documents as long as the requirements of both authorities are met.

     

    Transitional arrangements

    • We welcomed the proposed 3 year transitional arrangements to accommodate the significant change and time involved for firms to evidence mapping, reconsider tolerances and definitions of important business services as well as the time for board members to gain the necessary insights to make knowledgeable and informed decisions.
    • The transition arrangements remain largely the same, although the regulators have introduced more flexibility on their mapping and scenario testing requirements; by 31 March 2022 firms are not expected to have performed mapping and scenario testing to the full extent of sophistication within this time.

    International alignment

    • We indicated that it is important to try and achieve regulatory alignment across jurisdictions to alleviate any potential friction for international firms.
    • The regulators remain committed to ensuring supervisory coordination. Comparing their policy with the BCBS consultation, the supervisory authorities consider that there is alignment on the core principles despite some differences in terminology.
    • As long as the principles are aligned, the supervisory authorities consider that firms and their supervisors should be able to work effectively across borders.

    IA Operational Resilience workstreams

    The IA has a series of workstreams focused on helping members operationalise different elements of the regulator’s operational resilience requirements.

    From December 2019 to June 2020 we ran an Important Business Services Working Group. The Group looked at the processing of defining important business services and came up with a methodology that firms can adapt to suit their particular business model. The findings can be found here. Additionally, a more detailed overview of the Group's work, including the full operating model of the fictional firm used can be found here: Business Services.

    The Governance Working Group, supported by EY was convened over 2020 explore the necessary internal arrangements to support the implementation of operational resilience.  In February 2021 the group issued their guidance Effective Governance of Operational Resilience, representing the culmination of the discussions held on effective governance arrangements to oversee an operational resilience strategy.

    In September 2020, the Impact Tolerances Working Group was set up in conjunction with PwC, to help members address the challenges with setting impact tolerances and identifying suitable metrics to measure these. We will be publishing our output on this topic very soon.

    We will soon be launching our Scenario Testing Working Group with KPMG. This Group will be looking at the incoming requirement for firms to effectively test their ability to remain within their impact tolerances, during a severe but plausible scenario and assessing the most effective way to achieve this. Interested members should apply here.

     

    Find out more on the Operational Resilience Committee workplan here.

    Previous developments

    Consultation Paper

    The IA response to the Consultation Paper

    We submitted a response to the consultation paper in September 2020. As well as responding to the specific questions raised in the paper, we emphasised:

    • Resilience has been at the forefront of everyone’s thinking this year in ways we have never witnessed before. The UK regulators are entitled to feel justified in starting the conversation on this topic ahead of the crisis and bringing about progress within the financial services arena.
    • We are supportive of the proposed regulations and the overall objective of building a financial system better able to deal with disruptive events when they occur. As the Covid-19 pandemic demonstrated, the investment management industry has a high level of resiliency built upon many years of ‘business continuity’ planning and developments in part prompted by the earlier discussion paper.
    • Firms have benefitted from the regulator’s clear provision of notice and signposting of these changes, given the DP and the clear inclusion of the subject as an important priority in key communications with industry. 
    • The application of proportionality in the regulator’s thinking via the focus only on firms who are more likely to have an impact on other parties or market stability is a very welcome move. We do not necessarily agree that using a firms’ SM&CR status as a proxy for this is the most appropriate mechanism, but nevertheless welcome the principle.
    • The outcomes-based nature of the proposed regulations are also welcome as firms are best-placed to understand their own internal business models, products and customer types. Additionally, the proposed transitional arrangements allow firms time to make the necessary changes to achieve compliance with their impact tolerances. Such changes may be significant in size especially where IT change is needed, and so this additional time allowance is to be welcomed.
    • As the proposed regulations are not prescriptive, there is naturally a lack of explicitness in some areas. As we have shown, we are keen to continue to work with you on supporting our members by establishing best practices guidelines in areas such as the definition of investment-sector specific business services.
    • Finally, we do not agree with the draft requirement that time duration is always a measure within impact tolerances. We explain that there are areas where other metrics are more appropriate, and believe that if firms are able to demonstrate this, they should have the ability to choose another metric as the measurement.

    Discussion Paper

    The joint regulators issued a discussion paper in July 2018. In summary, the regulators believe that firms can achieve better operational resilience by focusing more on setting, monitoring and testing specific impact tolerances for key business services. These define how much disruption can be tolerated. Important concepts in the paper include:

    • focusing on the continuity of the most important business services as an essential component of managing operational resilience;
    • setting board-approved impact tolerances, which quantify the level of disruption that can be tolerated;
    • planning that assumes disruption will occur, as well as seeking to prevent it.

    Resources

    Regulatory Publications

    Member Meetings

    Presentations

    Blog Posts

    We have compiled a series of blog posts:

    ‘Severe but plausible’ - the regulators set out their operational resilience expectations looking at the publication of the PS.

    Operational resilience and effective governance – how prepared are you?

    Operational resilience through the COVID-19 lens - launching our updated Important Business Services guidance.

    Remotely Busy - Operational Resilience During COVID-19 looking at some of the key resiliency themes experienced by members during this health emergency.

     

    Webinars

    IA Members

    For full details of the IA's work plan on operational resilience and how the IA is supporting its members through the implementation of regulations in this important topic, click the 'go' button below to visit the members area.

    Contact

    For more information, please contact

    James King and Clara de Montfort

    Guidance document series
    Effective Governance of Operational Resilience

    Effective Governance of Operational Resilience

    Impact Tolerances

    Impact Tolerances Appetite for Disruption

    Last updated
    09/08/2021