UK authorities finalise Operational Resilience approach
Posted on 30 Mar 2022
On 29 March 2021 the supervisory authorities, consisting of the Bank of England (BOE), Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), published their final policy and supervisory statements on operational resilience and the approach that they expect firms to take. The new requirements outlined within these statements are due to come into force on 31 March 2022.
Operational resilience refers to each firm’s ability to prevent operational disruptions occurring, adapt to any incidents that do occur, and to learn and evolve from both incidents and near misses. The scope of the new policies will be applicable to any of the following firms which are authorised by one of the supervisory authorities: banks, building societies, designated investment firms, insurers, recognised investment exchanges (RIEs), enhanced scope senior managers and certification regime (SM&CR) firms, and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011.
A key part of the new requirements revolves around the need for firms to identify their important business services (IBS). The FCA defines IBS as any service provided to a client by, or on behalf of, the firm which, if disrupted, could cause intolerable levels of harm to any one or more of the firm’s clients; or pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets. Firms which are part of groups are required to identify group business services.
In addition to identifying IBS, firms are also expected to identify impact tolerances for each IBS. Impact tolerances should relate to a single disruption as opposed to aggregating multiple disruptions and should assess the impact said disruption may have on any given IBS. Firms are mandated to assess each impact tolerance over time (but can apply additional metrics) and should illustrate the point at which further disruption would cause ‘intolerable harm’. Intolerable harm is defined by the FCA as something from which consumers cannot easily recover. Both IBS and impact tolerances must be identified at least annually and after any material change to the business.
In order to stay within their impact tolerances, firms are required to annually map the resources, people, technology, and facilities required to deliver each of their IBS. This process should assist in identifying vulnerabilities and enable firms to conduct scenario testing, which is also required under the rules.
Scenario testing refers to testing a firm’s ability to remain within its impact tolerances for each IBS in the event of a severe but plausible disruption to its operations. The disruptions tested are expected to vary in severity and duration, relevant to the firm’s risk profile.
The requirement for strong governance and responsibility is also outlined. Firms must ensure their governing body regularly reviews and approves operational resilience requirements, including a ‘self-assessment’ document outlining the firm’s operational resilience journey.
Firms are required by 31 March 2022 to have carried out mapping and scenario testing to the point at which they can accurately identify their IBS and set impact tolerances. This is intended to allow any vulnerabilities in operational resilience to be identified.