Operational resilience is becoming an increasingly familiar phrase circulating in UK financial services after the disruption of 2020. As we round the corner to 2021, here’s a recap of the latest requirements set out by the regulators for firms in the financial services industry.
What is Operational Resilience?
The term “operational resilience” is defined by the regulators – Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) – as the ability to prevent, adapt and respond to, recover, and learn from operational disruption.
The programme was initiated in 2018 when the regulators published a joint discussion paper on the subject, which at the time expressed concern that firms were not sufficiently prepared to deal with the consequences of significant disruption in the form of cyberattacks and large-scale technological change.
This paper was followed by several consultation papers that outline in detail an overarching approach to operational resilience, as well as specific guidance on outsourcing and third-party management – a key part of operational resilience given the vulnerabilities inherent in outsourcing key services.
The threats identified in the original discussion paper continue to be relevant; however, 2020 has shifted the focus to organisations’ ability to cope with disruption on a different scale – a global health pandemic that continues to test the limits of business resilience.
The Four Main Objectives of an Operational Resilience Framework
The regulators stipulate four main objectives for a framework promoting operational resilience:
- Minimise any harm to consumers.
- Ensure the safety and soundness of business services in organisations.
- Ensure financial stability across the market.
- Mitigate or minimise market disruption.
Complying with the Framework
The rules are flexible so organisations can take a proportionate approach to reflect their products and size, but all financial services firms will be required to:
- Identify their important business services – those whose disruption would have a significant internal, external, or systemic impact.
- Set impact tolerances for each important business service by quantifying the maximum acceptable level of disruption from the customers’ point of view.
- Map resources to services to connect supporting people, processes, technology, facilities, and third parties.
- Carry out scenario testing against services and resources to validate confidence in the resilience of business services.
- Apply learnings from stress tests and actual experience to design corrective actions.
- Establish a communication plan – internal and external – to follow when an event occurs.
- Conduct an annual self-assessment for board sign-off.
Organisations will be expected to meet requirements by the end of 2021.
Technology to Streamline Compliance
Successfully complying with the above requirements takes a significant amount of information to be gathered, tracked, and analysed – especially for larger organisations. Documenting critical business services, mapping accountabilities, and testing resilience can be time-consuming, disruptive, and expensive for organisations with complex business models and third-party relationships. Technology that integrates activities and data across the disciplines of governance, risk, and compliance is essential for streamlining processes, centralising data, and providing clear visibility of project status. That is very difficult – if not impossible – to achieve with multiple spreadsheets owned by different parts of the business.
For anyone working in a risk management-related role, expect the new year to bring significant focus on reviewing existing systems and processes with an eye toward improvements that support operational resilience.