Regulating for operational resilience
Reading Time 2 mins
Our Associate Director for Solutions and Partnerships, Simon Bartlett opens up the first in a series of articles exploring the impact of incoming regulation for Financial Services firms.
A lot has happened since December 2019, when three of the UK financial service regulators (PRA, FCA and Bank of England) published their consultation papers on the need for firms to be able to demonstrate operational resilience.
They defined operational resilience as: the ability of firms, financial market infrastructure and the financial sector to prevent, adapt, respond to, recover, and learn from operational disruption. With COVID-19 and the associated impacts on firms continuing to unfold, there has been a significant, albeit sobering learning opportunity.
The end of the consultation period has been extended to October 2020, with a view that firms comply with the new regulations by the end of 2021. At a high level, the regulators are asking firms to:
1. Identify their important business services (those where disruption would cause customer or consumer harm, impact the viability of the firm, or impact the soundness, stability, or resilience of the UK financial system).
2. Set tolerances for each the important business services (within which harm is avoided)
3. Map their important business services (processes, systems, key people, locations, and data)
4. Carry out regular testing of key business services based on severe but plausible scenarios (to assume that key business services have been disruptive and test the firm’s ability to remain within tolerance as well recovery and communication plans)
5. Incorporate learnings to drive continual improvements to a firm’s operational resilience
6. Embed a culture of operational resilience
With regulators paying particular attention to third-party arrangements such as outsourcing or delivery of services using cloud computing, these will also need to be addressed within the operational resilience programme.
Overall, the financial sector has held up well throughout the Covid-19 crisis after the initial scramble to effectively deliver services via remote working. However, there will be lessons learned; including the importance of operational resilience, that the regulator will want firms to have taken on board once the dust has settled.
The major considerations firms should now be making as many are going through their annual budgeting process, is to ensure that operational resilience is a prioritised and funded part of your change plan up to and into next year as resilience shifts from an adjacent, annual discussion to a mindset fully embedded in service design.