Operational resilience is becoming an increasingly familiar phrase circulating in the UK financial services industry. UK regulators have issued plenty of guidance already – and more is expected as requirements continue to be refined.
Here’s a recap of the latest operational resilience requirements set out by the regulators for firms in the financial services industry.
What is Operational Resilience?
The term “operational resilience” is defined by the regulators – Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) – as the ability to prevent, adapt and respond to, recover from, and learn from operational disruption.
The operational resilience programme was initiated in 2018 when the regulators published a joint discussion paper on the subject. At the time, the regulators were concerned that firms were not sufficiently prepared to deal with fallout from a significant disruption like a cyberattack or large-scale technology change.
This operational resilience paper was followed by several more papers offering additional details and recommendations on how to achieve operational resilience in general. These papers also included specific guidance on outsourcing and third-party management. That guidance is an especially critical part of achieving operational resilience, since outsourcing exposes an organisation to the vulnerabilities of every third party it relies on.
The threats identified in the original discussion paper continue to be relevant. Since then, organisations, of course, have had to cope with disruption on a different scale – a global health pandemic that continues to test the limits of operational resilience.
Four Objectives of an Operational Resilience Framework
The regulators stipulate four main objectives for a framework promoting operational resilience:
- Minimise any harm to consumers.
- Ensure the safety and soundness of business services in organisations.
- Ensure financial stability across the market.
- Mitigate or minimise market disruption.
Complying with the Operational Resilience Framework
The rules for operational resilience are flexible, so organisations can take the approach that best fits their own products and size. That said, all financial services firms are required to:
- Identify their important services that have a significant internal or external impact on the business.
- Set impact tolerances for each important business service by quantifying the maximum amount of disruption that customers would be willing to tolerate.
- Map supporting resources to services to connect the people, processes, technology, facilities, and third parties with each business service.
- Carry out scenario testing against services and resources to validate confidence in the resilience of business services.
- Apply learnings from stress tests and actual experience to design corrective actions.
- Establish a communication plan – internal and external – to follow when an event occurs.
- Conduct an annual self-assessment for board sign-off.
Technology to Streamline Operational Resilience Compliance
Successfully complying with the above requirements for operational resilience takes a significant amount of information to be gathered, tracked, and analysed – especially for larger organisations.
Documenting critical business services, mapping accountabilities, and testing resilience can be time-consuming, disruptive, and expensive for organisations with complex business models and third-party relationships.
Technology that integrates risk management and compliance activities and data across the organisation is essential for streamlining processes, centralising data, and providing clear visibility of programme status. That is very difficult – if not impossible – to achieve using multiple spreadsheets owned by different parts of the business.
For anyone working in a risk management-related role, get ready to review your existing systems and processes for managing operational risk with an eye toward improvements that support operational resilience. What improvements will be necessary to meet operational resilience requirements – and do you have the tools to get the job done?