Following a year that saw firms’ operational resilience arrangements put to the test, the FCA, the PRA and the Bank of England published their long-awaited final rules and guidance on operational resilience on 29 March 2021, alongside an additional paper published by the PRA on outsourcing and third party risk management.
It is clear that the FCA, the PRA and the Bank of England continue to hold the view that operational resilience is at least as important as financial resilience, with the global pandemic only having served to reinforce this message. As firms implement the new rules and guidance and begin scenario testing in the coming months, boards and senior managers will be expected to identify their firm’s operational resilience vulnerabilities and drive improvement where weaknesses are found. This topic is a strategic priority for the regulators and one where they have shown their willingness to use their supervisory and, in more serious cases, enforcement powers to address potential and crystallised risks. As a result, the regulators will expect firms to respond to these latest publications with a sense of urgency in order to embed best practice in this area.
Which firms will the new rules and guidance apply to?
The new rules and guidance relating to operational resilience and outsourcing will apply to a broad range of firms including banks, building societies, designated investment firms, insurance firms, e-money and payment services firms. Firms that are dual regulated face the complexity of applying both the FCA and PRA’s rules, including the potential requirement to set different impact tolerances to comply with the regulators’ different drivers.
What do the new rules and guidance entail?
Important business services, impact tolerances and mapping
The FCA and the PRA will require firms to identify and set “impact tolerances” for each of their “important business services”.
- An “important business service” is defined as a service provided by a firm, or by another person on behalf of the firm, to one or more clients which, if disrupted, could: (i) cause intolerable levels of harm to any one or more of the firm’s clients, or (ii) pose a risk to the soundness, stability or resilience of the UK financial system, or the orderly operation of the financial markets. There is a range of factors that firms must consider in order to identify what constitutes an important business service in this context, including the nature and size of their client base, the time criticality for clients in receiving a service, the sensitivity of data held, the potential impact that a failure of the service might have on the UK financial system and its resilience, the firm’s soundness and stability and its reputation, whether disruption to the service could amount to a breach of a legal or regulatory obligation, and the level of inherent conduct and market risk involved. Firms must identify and keep under review the people, processes, technology, facilities and information necessary to deliver each of their important business services.
- Firms are responsible for setting “impact tolerances” for each “important business service”. This is the term used by the regulators to mean the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients, or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets. When assessing what the appropriate impact tolerances are, firms are required to consider factors similar to those listed above in relation to important business services, and this assessment should be kept under review.
Firms must take steps to ensure that they can remain within the impact tolerances they set for each important business service in the event of “a severe but plausible disruption to its operations”. The FCA and the PRA have expressly stated that they expect firms to notify them if they fail to meet an impact tolerance, pursuant to Principle 11 and Fundamental Rule 7.
Processes, systems and controls
Firms must have in place “sound, effective and comprehensive strategies, processes and systems” to enable them to comply with the new rules relating to operational resilience, which must be “comprehensive” but “proportionate to the nature, scale and complexity of the firm’s services”. Firms are also required to produce a self-assessment document which shows how they meet the operational resilience requirements and which is to be made available to the regulator on request. Boards, or the firm’s management body, should review and approve the self-assessment document regularly. The regulators expect the self-assessment document to show a firm’s “resilience journey”.
Testing and “lessons learned”
The regulators also require firms to develop, maintain and execute plans to test their ability to remain within impact tolerances for important business services in the event of a severe but plausible disruption of their operations. Firms are also required to conduct a formal “lessons learned exercise” following any testing or an actual operational disruption, and must take any necessary steps to improve their ability to respond to and recover from future operational disruptions effectively.
- Governance is key to the success of the board’s operational resilience strategy - boards must ensure they have appropriate management information to inform decisions which have consequences for operational resilience. As set out in more detail below when considering the practical points and the role of Boards, firms should establish clear accountability for the management of operational resilience, using existing committees and roles or establishing new ones if necessary.
- The FCA’s proposed Handbook section on communications, SYSC 15A.8, aims to provide high-level requirements and guidance for firms, and the FCA’s Principle 7 also applies to operational resilience communications. Firms must maintain an internal and external communication strategy so that they can act quickly to reduce the anticipated harm caused by operational disruptions. Further, firms should be mindful of the communication needs of vulnerable customers, and should consider how they would provide important warnings or advice quickly to consumers and other stakeholders where there is no direct line of communication – see proposed SYSC 15A.8.2G.
- The regulators are clear that, when a firm is using a third-party provider in the provision of important business services, it should work effectively with that provider to set and remain within impact tolerances. Likewise, with mapping, the regulators expect firms to be responsible for accurately mapping any relationship outsourced to an external third party. If a firm outsources to a third party, it still needs to be able to understand the potential vulnerabilities by mapping where those vulnerabilities occur, whether they sit with the third party or beyond. If firms are unable to obtain sufficient information from the third party to satisfy them that they can operate within tolerance, then they should review and where necessary change their arrangements. By actively capturing and maintaining relationships with third-party providers, the regulators expect firms to satisfy themselves of that third party’s resilience. The level of assurance firms receive from third party suppliers should be proportionate to the size and complexity of the firm, and reflect the materiality and risk of the outsourcing/third party arrangement. Ultimately, the requirements to set and remain within impact tolerances remain the responsibility of the firm, regardless of whether it uses external parties for the provision of important business services.
Five key practical points
We highlight below five key practical points from the recently published policy documents:
The role of Boards and senior management is central to the regulators’ operational resilience policy.
Boards are accountable for, and should approve, the identification of their firm’s important business services, impact tolerances and self-assessment. As with any regulatory change project, firms need to ensure that they have appropriate governance to oversee the project, senior management engagement and oversight and that they have a robust audit trail of steps taken to implement the new requirements. The ability of firms to deliver on regulators’ requirements depends on appropriate reporting and accountability throughout the firm. Where limitations are identified, leadership from firms’ board and senior management is essential to prioritise the investment and cultural change required to improve operational resilience. Firms may arrive at different impact tolerances for similar business services as a result of differences in the nature and scale of their client bases. The regulators emphasise that, rather than look for definitions or examples from other firms, it is important that boards and senior management take the lead and make judgements in the selection of their own important business services and the formulation of their own strategy detailing how they will comply with regulators’ requirements. Boards will need to work with senior management to set impact tolerances that are appropriate for their organisation. Further, board chairs must ensure that the board has adequate knowledge, skills and experience to provide constructive challenge in relation to choice of important business services and impact tolerances, and that the board articulates and maintains a culture of risk awareness and ethical behaviour for the organisation which drives the firm’s operational resilience. Note that, where applicable, the SMF24 (Chief Operations) role includes responsibility for the firm’s operational resilience.
Internal services are not within scope.
The supervisory authorities have clarified that internal services such as human resources, payroll systems, should not be included in the definition of important business services as the operational resilience policy is focused on requiring firms to prioritise the work to build the operational resilience of important business services that deliver specific outcomes or services to external end users. If all internal services were defined as important business services on a standalone basis, this would expand coverage of the policy too far, and could reduce focus on the most important external services. The regulators regard internal services as “enablers” of important business services rather than falling within the scope of important business services per se.
PRA/FCA dual-regulated firms can focus on the more stringent tolerance.
If the same business service is defined by a PRA/FCA dual-regulated firm as an important business service under both PRA and FCA rules, the firm should have separate impact tolerances and must be able to show how it has considered each of the PRA/FCA objectives when setting these (the impact tolerances may be the same or they may differ). However, the UK regulators expect that the work done to meet the requirements of one regulator should be leveraged to meet those of the other, and they encourage firms not to duplicate work. The final policy sets out three conditions which, if met, will allow firms to concentrate their efforts on ensuring they can remain within the more stringent tolerance. It should be noted that the final paper amends the definitions of impact tolerances to align the PRA and FCA definitions as “the maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time in addition to any other relevant metrics.”
Firms can expect to be challenged if their scenarios are insufficiently severe/plausible.
Firms are required to identify the “severe but plausible” scenarios and to take action to ensure that they remain within their impact tolerances in those scenarios. The regulators expect firms to consider previous actual incidents or “near misses” within the firm, across the financial sector and in other sectors and jurisdictions, to build these scenarios, and they are expected to evolve as the firm learns from the scenario testing process. The nature and severity of scenarios appropriate for firms to use will vary according to size, complexity and the firm’s importance to the financial system. However, if the firm chooses a scenario that is insufficiently severe, regulators warn that they may view this as boards and senior management possibly taking inappropriate risks with the running of their businesses. The supervisory authorities expect this will be a common area for supervisory discussion – supervisors will ask how firms have selected their scenarios and why. Best practice in this regard is expected to develop over time.
Operational resilience policies complement the existing regulatory framework.
The PRA’s Statement of Policy on Operational Resilience, one of the suite of documents published on 29 March 2021, clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework, namely governance, operational risk management, business continuity planning and the management of outsourced relationships. The PRA’s operational resilience policy will complement existing policies and relevant international guidelines, and is not intended to conflict with them. Firms should ensure that what they put in place in relation to operational resilience does not just “tick the boxes” for initial compliance purposes, but will actually work in practice given that most of the requirements will need to be reviewed on an almost continuous basis in order to ensure that they remain fit for purpose.
When will the new rules and guidance come into force?
The regulators’ new rules relating to operational resilience will come into force on 31 March 2022. Firms and FMIs must identify their important business services and set impact tolerances by 31 March 2022. Despite feedback requesting flexibility in relation to mapping and testing beyond that 12 month deadline, the regulators have emphasised that they do expect firms and FMIs to have mapped their important business services and started their programme of scenario testing by March 2022, while acknowledging that both mapping and scenario testing are ongoing processes and that firms’ approach to both will evolve and become more sophisticated over time. From March 2022, firms must work to ensure that they have comprehensive strategies, sound processes and effective systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service, in the event of a severe but plausible disruption.
Firms must be able to remain within their impact tolerances (as defined in the new rules) as soon as reasonably practicable, but no later than 31 March 2025, i.e. within three years of the “in force” date.
Firms are expected to comply with the PRA’s new expectations in relation to outsourcing and management of third party risk from 31 March 2022. In particular, firms should take steps to ensure that outsourcing arrangements that they enter into on or after 31 March 2021 meet these expectations by 31 March 2022. Firms should seek to review and, where necessary, update legacy outsourcing agreements entered into before 31 March 2021 at the “first appropriate contractual renewal or revision point” in order to meet the PRA’s expectations as soon as possible on or after 31 March 2022.