Operational Resilience: Practical Steps for Building an Operationally Resilient Firm
On 29th March 2021, The Bank of England (BoE), Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) – collectively the ‘supervisory authorities’ – published their policy and supervisory statements aimed at strengthening the UK financial system’s ability to withstand impact from operational disruption.
The focus of this paper is not a detailed decomposition of the supervisory statements, other than to remark that there are no unexpected changes to the anticipated approach set out during the consultation process (although there will be some devil in the detail as the industry starts to implement).
The focus is instead to provide you – UK regulated firms and financial market infrastructure providers – with a clear roadmap of the activities that you will now need to navigate in order to meet the requirements.
Operational resilience requires firms to adopt a mindset of disruption being inevitable. The assumption is that business disruption and failures will occur, and as a result there is an ongoing need to assess the firm’s ability to respond, recover and take proactive action to ensure that its important business services remain resilient.
An operationally resilient firm is one which:
- Prioritises the things that matter: by understanding the services it delivers to an external end user or participant and determining which are the most important.
- Sets clear standards for operational resilience: by defining the maximum level of disruption to an important business service that can occur before intolerable harm manifests.
- Invests to build resilience: by testing its ability to remain within its impact tolerances and identifying where vulnerabilities need to be addressed.
When identifying and prioritising the business services which are most important, the supervisory authorities propose that firms should examine the impact that disruption to each would cause. Testing the firm’s ability to remain resilient against an appropriate and proportionate set of plausible disruption scenarios should then enable boards and senior management to make prioritisation and investment decisions.
Now that the long-anticipated regulatory policy and supervisory statements have been published, we explore the key activities UK regulated firms and financial market infrastructure providers should be fully focused on.
1. Set up the change programme for success
Resilience is not a new topic. However, taking a business service-led approach to resilience will be new for many firms and necessitate a change in how they think about their business architecture and the outcomes they deliver to their consumers.
Firms need to develop an operational resilience strategy which utilises existing capabilities and is approved by the board, with SMF 24 accountability. The strategy should aim to remove organisational silos, promote cross-functional responsibility and embed a culture of resilience practices within the fabric of the firm.
2. Identify and prioritise business services
Fundamental to the supervisory authorities’ objectives for operational resilience is the approach and methodology taken to identify important business services, specific to the firm’s own context, and then to monitor them on an ongoing basis.
The supervisory authorities have deliberately steered away from providing a prescribed taxonomy, but instead offer four key considerations for identifying and prioritising business services:
- Harm to customers and markets,
- Harm to financial stability,
- Harm to firm safety and soundness,
- Service substitutability.
By now firms should have started this process to identify and prioritise business services to a sufficiently granular level so that an impact tolerance can be applied and tested.
For dual-regulated firms the paper indicates that a business service may be important for only one regulator if it does not meet the definitions of both the PRA and the FCA. These firms should therefore consider the definitions under each regulator separately. This analysis may also help to reduce the risk of unnecessary effort associated with applying and testing impact tolerances where it is not required. The two definitions are:
FCA: Important business service means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: (1) cause intolerable levels of harm to any one or more of the firm’s clients; or (2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
PRA: Important business service means a service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to: (1) (where the firm is an O-SII/where the firm is a relevant Solvency II firm) the stability of the UK financial system; (2) the firm’s safety and soundness; or (3) (for Solvency II firms) an appropriate degree of protection for those who are or may become the firm’s policyholders.
3. Build and maintain the dependency map for each important business service
To understand the possible threats to resilience, firms are required to capture the key resources and dependencies which contribute to the provision of each important business service. This should include facilities, people, processes, systems, data and third parties at an appropriate level of detail.
Mapping needs to be maintained close to real time and reflect any changes to how important business services are delivered. Mapping is designed to highlight vulnerabilities in how important business services are delivered such as single points of failure, concentration risk and limited substitutability of resources.
Many firms have taken a ‘customer value stream approach’ to mapping, which focuses in detail on the stages within the important business service which, if disrupted, would cause intolerable harm rather than simply an inconvenience. This approach enables the firm to concentrate resources on the activities which really matter from a resilience perspective.
4. Set impact tolerances and scenario test
Firms are required to assess how disruption may impact end users of the business service and propose corresponding impact tolerances, i.e. the maximum amount of disruption that can be tolerated before intolerable harm manifests. Firms are required to develop a methodology for setting impact tolerance statements for each important business service, using time/duration-based metrics, covering the objectives of the PRA (financial stability and firm safety and soundness) and separately the objectives of the FCA (consumer harm and market integrity).
For the avoidance of doubt, this means that dual-regulated firms will need to create separate impact tolerances for both the PRA and the FCA where applicable. These impact tolerances may be the same or they may differ. Where they differ, it is acceptable to concentrate on the most stringent impact tolerance, provided the firm can demonstrate that both the PRA and FCA objectives have been considered.
Scenario testing then assesses the firm’s ability to manage service delivery within impact tolerances across a range of plausible disruption scenarios. In carrying out scenario testing, the firm must identify an appropriate and proportionate range of adverse circumstances, severity and duration relevant to its business and risk profile.
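As an added illustration (not part of the original paper, and not taken from the supervisory statements or any firm), the following Python sketch models the dependency map described in section 3 for two constructed important business services and runs the checks sections 3 and 4 call for: single points of failure, third-party concentration across services, and a time-based scenario test against an impact tolerance. Every service name, resource, recovery time and tolerance below is an assumption chosen for the example.

```python
"""Dependency map for important business services (IBS) with resilience checks.

Added example; the services, resources and durations are constructed, not
real firm data or regulatory figures.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                       # facilities, people, processes, systems, data, third parties
    recovery_hours: float           # assumed time to rebuild/restore the resource itself
    substitute: Optional[str] = None  # resource that can take over, if any
    failover_hours: float = 0.0     # assumed time to switch to the substitute


@dataclass
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: float   # time-based tolerance; exceeding it means intolerable harm
    resources: dict[str, Resource]


def single_points_of_failure(svc: ImportantBusinessService) -> list[str]:
    """Resources with no substitute: losing one halts the service until it is rebuilt."""
    return sorted(r.name for r in svc.resources.values() if r.substitute is None)


def concentration_risk(services, kind: str = "third parties", min_services: int = 2) -> dict:
    """Resources of one kind (default: third parties) relied on by several services."""
    users = defaultdict(set)
    for svc in services:
        for r in svc.resources.values():
            if r.kind == kind:
                users[r.name].add(svc.name)
    return {n: sorted(s) for n, s in users.items() if len(s) >= min_services}


def scenario_test(svc: ImportantBusinessService, lost) -> tuple[float, bool]:
    """Simulate the simultaneous loss of the named resources.

    A lost resource is restored by failing over to its substitute if that
    substitute is not also lost in the scenario; otherwise it must be rebuilt.
    The service is disrupted until the slowest restoration completes.
    Returns (disruption_hours, within_impact_tolerance).
    """
    lost = set(lost)
    worst = 0.0
    for name in lost:
        r = svc.resources[name]
        if r.substitute is not None and r.substitute not in lost:
            hours = r.failover_hours
        else:
            hours = r.recovery_hours
        worst = max(worst, hours)
    return worst, worst <= svc.impact_tolerance_hours


def _svc(name: str, tolerance: float, resources) -> ImportantBusinessService:
    return ImportantBusinessService(name, tolerance, {r.name: r for r in resources})


# Constructed sample map (assumed values, for illustration only).
PAYMENTS = _svc("Payments", 4.0, [
    Resource("core_ledger", "systems", 12.0, substitute="ledger_dr", failover_hours=1.0),
    Resource("ledger_dr", "systems", 12.0, substitute="core_ledger", failover_hours=1.0),
    Resource("ops_team_london", "people", 24.0, substitute="ops_team_leeds", failover_hours=2.0),
    Resource("ops_team_leeds", "people", 24.0, substitute="ops_team_london", failover_hours=2.0),
    Resource("swift_gateway_vendor", "third parties", 6.0),
    Resource("cloud_hosting_vendor", "third parties", 10.0),
])
MORTGAGE_SERVICING = _svc("Mortgage servicing", 48.0, [
    Resource("servicing_platform", "systems", 36.0),
    Resource("cloud_hosting_vendor", "third parties", 10.0),
])

if __name__ == "__main__":
    print("SPOFs (Payments):", single_points_of_failure(PAYMENTS))
    print("Third-party concentration:", concentration_risk([PAYMENTS, MORTGAGE_SERVICING]))
    for scenario in ({"core_ledger"}, {"core_ledger", "ledger_dr"}, {"swift_gateway_vendor"}):
        hours, ok = scenario_test(PAYMENTS, scenario)
        print(f"Payments lose {sorted(scenario)}: {hours}h -> {'within' if ok else 'BREACHES'} tolerance")
```

The scenario test deliberately covers the case where a resource and its substitute fail together (for example both ledger sites), which is how a mapping exercise that looked only at individual resources can understate disruption. Real maps should also carry third-party sub-outsourcing and data dependencies; the model above is the minimum needed to show the three checks.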
5. Assign owners within the organisation who are responsible for the end-to-end resilience of each important business service
Firms will need to identify appropriate owners for each important business service who are responsible for the following:
- Hold an end-to-end understanding of and provide oversight over the processes, people, technology, data, third parties and facilities relevant to the business service.
- Set appropriate impact tolerance statements for the business service and establish governance to periodically review and update this.
- Test the service performance against the set of impact tolerances and establish a process to do so annually.
- Identify all stakeholders required to support the business service and establish a RACI and supporting SLAs with internal and external service providers.
- Establish a forum to discuss the effectiveness of the control environment as well as strategic and operational risks and issues which relate to the business service. The owner should be able to prioritise and fund remediation activities as and when required.
- Define and implement appropriate management information across the end-to-end business service.
- Develop and embed a plan to maintain the service during times of disruption by developing and leveraging response and recovery plans and embedding effective crisis communications both internally and externally.
6. Define the operating model and invest appropriately to enhance and maintain resilience
The firm should develop and embed a set of capabilities to deliver operational resilience on an ongoing basis, leveraging, supplementing and enhancing existing resilience capabilities and risk management frameworks where appropriate. The operating model should enable the firm to prioritise the things that matter: those activities that, if disrupted, would be detrimental to customers or market integrity, or would otherwise pose a risk to the stability of the UK financial sector or the firm’s safety and soundness.
Firms should embed ongoing resilience procedures to monitor the resilience profile. This includes incident management procedures, communication plans and training. Investment should be made available to enhance the control framework where required.
Lastly, a key feature of the operating model and a responsibility of the business service owner is the requirement to produce an annual self-assessment which should be made available to the regulators when required. The self-assessment should focus on:
- Ongoing evaluation of business services identification methodology.
- Review of the approach to prioritising important business services.
- Ongoing evaluation of impact tolerances.
- Review of the firm’s approach to mapping important business services.
- Ongoing evaluation of testing scenarios.
- Business as usual governance of operational resilience.
- Implementation of resilience procedures and ongoing review of those procedures (including the RACI).
- Training delivered to impacted people and teams in line with newly embedded resilience procedures and any future changes.
- Investment and remediation to close out vulnerabilities identified that threaten the firm’s ability to deliver its important business services.
Firms should apply the principle of proportionality to the assessment based on their scale and risk profile. The assessment should be reviewed and approved by the firm’s board or equivalent management body regularly.
The regulatory policy sets out a clear timeline which includes an initial implementation period to 31 March 2022, followed by a period of ‘reasonable time’ (and no later than 31 March 2025) in which firms must demonstrate that they can remain within their impact tolerances for important business services in severe but plausible scenarios.
Through the work we are doing across the industry, GDFM is well positioned to support you to deliver these requirements in a way which is proportionate and delivers broader organisational value. Please get in touch if you would like to know more.