Lewis Silkin – Operational Resilience: what is it and why does it matter?
The Bank of England, PRA and FCA initially consulted [1] on operational resilience in December 2019, with the consultation closing, mid-pandemic, in October 2020. The topic became particularly relevant in light of Covid-19 which, although an extreme scenario, highlighted the importance for regulated firms of being able to continue to deliver important business services in a crisis.
The Bank of England, PRA and FCA published their responses to the consultations, together with final rules and guidance, in March 2021 [2]. The new operational resilience rules were subject to a one-year implementation period ending 31 March 2022, followed by a three-year transition period ending 31 March 2025.
Which financial services companies are affected?
A very wide range of businesses are subject to operational resilience requirements, including banks, building societies, designated investment firms, insurers, recognised investment exchanges, enhanced-scope firms under the Senior Managers and Certification Regime (SM&CR), and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011, as well as financial market infrastructure firms (FMIs: central counterparties, central securities depositories, recognised payment system operators and specified service providers).
We are now at the end of the implementation period – what should companies have done and what remains to be done?
The central premise of the operational resilience rules and guidance is the identification of important business services that, if disrupted, would cause intolerable harm to consumers and/or risk to market integrity.
Firms and FMIs should now have “operationalised the policy framework”, i.e.:
- identified their important business services and defined impact tolerances
- mapped their important business services and started scenario testing
- developed and implemented a strategy or plan that defines how they will comply with regulatory requirements and expectations.
When identifying their important business services, firms should treat each important business service separately rather than grouping a set of services into one important business service, so that a thorough analysis can be made of how each service might be affected.
Once companies had identified their important business services, they then had to set impact tolerances for those services.
An impact tolerance is the “maximum tolerable level of disruption” to an important business service and marks the point at which further disruption to that service would cause “intolerable harm to one or more of the firm’s customers or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets”.
Dual-regulated firms must demonstrate how they have considered each of the FCA’s and PRA’s operational objectives when setting their impact tolerances. In practice, this means they are required to set up to two clearly stated impact tolerances, aligned with the two sets of objectives. It may also be appropriate to define sub-tolerances depending on the nature of the activity. The key is to ensure that impact tolerances and any sub-tolerances are clearly defined and recorded, so that the FCA and PRA can work together, where appropriate, to monitor them effectively.
Vulnerable customers are a key consideration that firms should also take into account when setting their impact tolerances. This category of customer will weigh heavily in a firm’s assessment of the degree of disruption that can be tolerated, and of the appropriate mechanisms for minimising harm to those individuals in the event of disruption. The FCA has amended its guidance to refer specifically to vulnerable consumers among the factors to consider when setting impact tolerances.
Firms had to meet their impact tolerances as soon as reasonably practicable and, in any event, no later than the end of the transition period (31 March 2025).
The other key step, for firms to have a complete view of their operational resilience, was to undertake a “mapping” process whereby they identified and documented the people, processes, technology, facilities and information (resources) necessary to deliver each of the firm’s important business services. During this process, firms are expected to identify and remediate vulnerabilities, with a view to ultimately ensuring that the firm’s business services can remain within the impact tolerances the firm has set. Testing a firm’s ability to stay within its impact tolerances for each of its important business services is a key step in the process. These tests should include a severe but plausible disruption to the operations of the regulated firm. Regulators have indicated that their expectations of firms will be proportionate to the size of the firm and the context of its business.
As regards updates to the mapping exercise carried out by a regulated firm, the mapping must be refreshed in the event of a “material change” to the firm’s business, to the important business services identified or to the impact tolerances the firm has set. In any case, such a review should be carried out no later than one year after the firm’s last relevant assessment.
Companies should ensure that their mapping exercise has been signed off by someone on the company’s board of directors (or equivalent governing body).
Through their implementation projects, firms may have gained a better understanding of senior management accountability and responsibility for different areas of the business, as well as good visibility of who is responsible for specific capabilities. This can, for example, include the size and strength of their teams, training and education, and broader organisational HR issues such as employee attrition, hiring practices and succession planning.
Third party providers
As part of the mapping process, regulated firms must accurately capture and record their relationships with third-party providers in order to ensure the operational resilience of those third parties. (In some circumstances, mapping may need to extend beyond the direct third party to indirect third parties.) It is therefore essential that firms work effectively with third-party providers to facilitate testing, whether carried out by the firm itself or by the third party. If the third party is to perform the testing, the regulated firm will need to understand the third party’s particular scenarios and methodologies. Ultimately, however, the regulated firm remains responsible for the quality and accuracy of any testing performed by the third party.
The rules expect that, by 31 March 2025, firms will have in place sound, effective and comprehensive strategies, processes and systems that enable them to address risks to their ability to remain within the limits of their impact tolerance for each important business service in the event of a severe but plausible disruption (or extreme disruption).
Firms may well be assisted in their mapping of third parties in the future, as HM Treasury plans to designate (when parliamentary time permits) certain third parties providing services to firms as ‘critical’. Financial regulators will then be able to exercise various powers in respect of these critical third parties, for example the power to request information directly from critical third parties about the resilience of their material services or their compliance with applicable requirements. Having this power will likely help firms manage their relationships with critical third parties.
[1] Shared policy summary: Building operational resilience: Impact tolerances for important business services (bankofengland.co.uk); PRA CP29/19; PRA CP30/19; Bank of England consultation papers: Operational resilience of FMIs | Bank of England; FCA CP19/32; speech by Megan Butler, FCA Executive Director: The regulator’s view of operational resilience | FCA
[2] PS6/21 shared covering document | CP29/19 | DP1/18 Operational resilience: Impact tolerances for important business services | Bank of England; FCA PS21/3; PRA PS6/21; Bank of England policy on operational resilience of FMIs | Bank of England