The Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA) and the Bank of England (‘the Bank’), collectively “the supervisory authorities”, have set out their finalised rules and guidance for firms on operational resilience in a number of documents published on 31 March 2021:
PRA PS 6/21: Policy Statement on operational resilience
PRA: SS1/21 Operational resilience: Impact tolerances for important business services
PRA: Statement of Policy – Operational Resilience
FCA: PS21/3 Building operational resilience
Additionally, on 31 March 2021 the PRA published SS2/21: Outsourcing and third-party risk management, outlining its expectations of firms for the management of outsourcing arrangements. These requirements must also be considered by firms in developing their operational resilience framework. We have published a separate article on this Supervisory Statement that can be found here.
The shared aim of the supervisory authorities is to ensure that firms can effectively anticipate, manage and recover from operational disruptions, including in severe but plausible scenarios. The publication of the policy and supervisory statements concludes a consultation period that began in December 2019 and was subsequently extended because of Covid-19. The requirements are largely as consulted upon; however, the supervisory authorities have taken on board feedback received from firms during the consultation period and have made some amendments as well as providing additional guidance and clarity. In this article we summarise the key requirements that are applicable to:
Firms and entities authorised under the Payment Services Regulations 2017 (PSRs 2017) and/or the Electronic Money Regulations 2011 (EMRs 2011).
Important business services
Further to feedback, the supervisory authorities have revised their definitions of important business services to improve consistency and clarity for firms.
The supervisory authorities have not introduced definitive lists or taxonomies for the identification of important business services. Firms need to use their own judgement to identify important business services, based on factors such as financial impact and the size and nature of the consumer base. However, the outcome of the policy is focused on the delivery of services to external end users, and firms must focus on building the operational resilience of these services.
Internal services, such as payroll, HR or other central shared services, may underpin the provision of an important business service. These internal services should be identified as part of mapping and scenario testing exercises, but are not included within the definition of important business services on a standalone basis.
Important business services need to be clearly identifiable as a separate service (e.g. accessing an online mortgage account) rather than a business line or collection of services (e.g. the provision of mortgages), and firms should be able to recognise which of their customers use a particular important business service.
Firms are expected to identify their important business services before 31 March 2022, after which these should be reviewed on an annual basis, or whenever a material change occurs that impacts the business or operating market, to ensure that no emerging vulnerabilities are overlooked. Material changes would include:
the firm beginning to carry out a new activity or ceasing to provide an existing activity;
the firm outsourcing a service to a third-party provider; or
changes to an existing service in terms of scale or potential impact.
The supervisory authorities have also revised their definitions of impact tolerances:
Firms are required to express impact tolerances using a time-based metric, in the form of a maximum tolerable duration of disruption (e.g. 24 hours). They should also consider using additional metrics in conjunction with time-based metrics, for example percentage of customer base impacted.
The regulators require firms to ensure that important business services have the ability to remain within impact tolerances in severe but plausible scenarios, as early as possible and by 31 March 2025 at the latest.
Dual regulated firms may need to set two separate impact tolerances, where this is necessary to address the statutory objectives of both the FCA and PRA – i.e. one with reference to consumer harm and market integrity, and the other considering financial stability, safety and soundness and policyholder protection. These can be set at the same point, but firms should be able to justify suitability for the purposes of each authority if challenged on this decision.
Firms can focus on ensuring they remain within the more stringent of the two tolerances, and demonstrate:
how they have considered the FCA’s and PRA’s objectives when setting each impact tolerance;
how recovery and response arrangements are appropriate for each tolerance; and
that scenario testing has been performed with each tolerance in mind.
Mapping, scenario testing and resilience requirements
Firms need to undertake a mapping exercise to identify and document the people, processes, technology, facilities and information (the ‘resources’) underpinning their important business services, determine any dependencies on operational assets across multiple business services and consider the lack of substitutability of a service.
The mapping process will help firms to identify, assess and implement contingency plans for the critical resources that support the provision of important business services. Mapping should be reviewed annually or in the event of a material change impacting the business, its important business services or its impact tolerances.
Once mapping has been undertaken, firms will have the basis to undertake a thorough assessment of their ability to remain within impact tolerances through scenario testing. This should cover a range of adverse scenarios, including severe but plausible disruptions. Firms could consider previous incidents or near misses within the organisation, across the financial sector and in other sectors and jurisdictions.
Firms must develop methodologies for mapping and scenario testing that are proportionate to the size and complexity of the firm and enable compliance with regulatory deadlines. A testing plan should include realistic assumptions and should evolve as the firm learns from previous testing. There will be a degree of variance in the methodologies designed for scenario testing, but the supervisory authorities expect firms to approach this in a consistent manner. They have also not ruled out the possibility of undertaking industry-wide testing in the longer term.
If firms identify limitations in their ability to deliver important business services within relevant impact tolerances during severe but plausible scenarios, they should implement remediation plans to address these. In addition, the PRA is requiring firms to set resilience requirements for the resources that underpin the delivery of important business services – these might include capacity specifications and recovery time and point objectives.
Where an important business service depends on an outsourced third-party service provider, the service provider may carry out scenario testing on behalf of the firm, although the firm remains responsible for scrutinising the quality and accuracy of that testing.
Scenario testing should be undertaken prudently on a regular basis or following improvements made in response to previous testing. Any material change impacting the business, its important business services or its impact tolerances would be considered a trigger for additional scenario testing.
By 31 March 2022, firms will need to have carried out a sufficient level of mapping and scenario testing to have identified important business services, set impact tolerances and to have identified any vulnerabilities in their operational resilience. Firms should then continue to perform mapping and scenario testing with a view to being able to remain within impact tolerances for each important business service as soon as reasonably practicable, and by 31 March 2025 at the latest.
Firms will be required to compile a self-assessment document detailing how the firm complies with the FCA’s and PRA’s operational resilience requirements. The document does not need to be submitted to the authorities, but should be made available upon request from 31 March 2022.
This document should set out important business services, impact tolerances, mapping, testing strategy, vulnerabilities, and remediation efforts. It should also document the methodologies used for identifying important business services and setting impact tolerances.
A firm’s Board or equivalent management body must approve the identified important business services and the impact tolerances set, and review these on a regular basis together with the firm’s self-assessment. This will require the Board (or management body) to have an appropriate level of oversight of the methodologies used for identifying important business services and setting impact tolerances, and of the supporting management information, as well as adequate knowledge, skills and experience to challenge the firm’s senior management and inform decisions that affect the firm’s operational resilience.
Firms must establish clear accountability for the management of operational resilience; this may be achieved by using existing committees and roles, or by establishing new ones if necessary.
The PRA considers that assigning responsibility for oversight of operational resilience to the SMF24 is the proportionate way to create accountability for operational resilience, as opposed to creating a new function or taking an alternative approach, because accountability may become unclear within the firm if responsibility for operational resilience is spread across various SMFs or bodies. Where a firm does not have an individual performing the SMF24 under the SM&CR, responsibility for oversight of operational resilience must be assigned to the most appropriate SMF.
Firms now have a significant period of just under 4 years to be able to stay within their impact tolerances. This consists of a 1-year implementation period and a 3-year transitional period.
During the 1-year implementation period, which runs to 31 March 2022, firms will only need to carry out mapping and scenario testing to the degree necessary to accurately identify their important business services. The supervisory authorities expect the refinement of mapping and testing to increase over time.
Firms will not need to have performed scenario testing of every important business service by 31 March 2022; this can extend into the transitional period.
By 31 March 2025, firms must ensure that they are able to stay consistently within their impact tolerances. It should be noted that this is a hard deadline, and firms should make every effort to remain within their defined impact tolerances before the end of the 3-year transitional period.
Get in touch
If you have questions or require assistance, please get in touch.