Operational resilience is becoming an increasingly familiar phrase circulating in the UK financial services industry. UK regulators have issued plenty of guidance already – and more is expected as requirements continue to be refined.

Here’s a recap of the latest operational resilience requirements set out by the regulators for firms in the financial services industry.

What is Operational Resilience?

The term “operational resilience” is defined by the regulators – Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) – as the ability to prevent, adapt and respond to, recover, and learn from operational disruption.

The operational resilience programme was initiated in 2018 when the regulators published a joint discussion paper on the subject. At the time, the regulators were concerned that firms were not sufficiently prepared to deal with fallout from a significant disruption like a cyberattack or large-scale technology change.

This paper was followed by several more papers that offer additional details and recommendations on how to achieve operational resilience in general. These papers also included specific guidance on outsourcing and third-party management. This guidance is an especially critical part of achieving operational resilience, since outsourcing exposes an organisation to the vulnerabilities of every third party it relies on.

The threats identified in the original discussion paper continue to be relevant. Since then, regulators enacted the Digital Operational Resilience Act (DORA), which extends operational resilience requirements to the information and communication technology (ICT) service providers that support the functions critical to a firm’s important business services. Organisations have until 2025 to comply with DORA.

Four Objectives of the Framework

The regulators stipulate four main objectives for a framework promoting operational resilience:

  1. Minimise any harm to consumers.
  2. Ensure the safety and soundness of business services in organisations.
  3. Ensure financial stability across the market.
  4. Mitigate or minimise market disruption.

Complying with the Operational Resilience Framework

The rules for operational resilience are flexible, so organisations can take the approach that best fits their own products and the size of the company. That said, all financial services firms are required to:

  • Identify their important services that have a significant internal or external impact on the business.
  • Set impact tolerances for each important business service by quantifying the maximum amount of disruption that customers would be willing to tolerate.
  • Map supporting resources to services to connect the people, processes, technology, facilities, and third parties with each business service.
  • Carry out scenario testing against services and resources to validate how confident the firm can be in the resilience of its business services.
  • Apply learnings from stress tests and actual experience to design corrective actions.
  • Establish a communication plan – internal and external – to follow when an event occurs.
  • Conduct an annual self-assessment for board sign-off.

Technology to Streamline Operational Resilience Compliance

Successfully complying with the above requirements for operational resilience takes a significant amount of information to be gathered, tracked, and analysed – especially for larger organisations.

Documenting critical business services, mapping accountabilities, and testing resilience can be time-consuming, disruptive, and expensive for organisations with complex business models and third-party relationships.

Technology that integrates risk management and compliance activities and data across the organisation is essential for streamlining processes, centralising data, and providing clear visibility of project status. That is very difficult – if not impossible – to achieve using multiple spreadsheets owned by different parts of the business.

For anyone working in a risk management-related role, get ready to review your existing systems and processes for managing operational risk with an eye toward improvements that support operational resilience. What improvements will be necessary to meet operational resilience requirements – and do you have the tools to get the job done?

For more about topics impacting FCA-regulated firms, download our e-book, Building Operational Resilience in Financial Services, and learn more about Riskonnect’s Operational Resilience software.