Why Firms Need to Push-On to Meet the Regulators’ Requirements
In March 2021, the PRA and FCA published policy statements on Operational Resilience which are effective from 31 March 2022, with a further three years for embedding up to 31 March 2025. The policies define Operational Resilience as “the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions and an outcome where there is an expectation on firms to be forward looking and making decisions today that help prevent harm tomorrow”.
Financial institutions have spent considerable sums identifying and mapping Important Business Services to people, assets and business processes. But there is a view in some quarters that the necessary changes to systems have been enacted for the sake of adherence rather than as a commitment to continual assessment and improvement.
David Bailey, Executive Director of the Bank of England, in typically understated language warned that, “there is still distance to travel to a point where firms across the sector reach the level of operational resilience we expect to see.”
Early assessments of firms by the Bank of England have elicited mixed results. It found that firms had made ‘positive progress’ identifying Important Business Services. It was less impressed with the setting of Impact Tolerances. It found that some firms had identified an impact tolerance for customer harm or market integrity but did not include one for safety and soundness. An even higher number did not include an Impact Tolerance for financial stability. The Bank has warned firms that they will need to ‘justify their judgements.’ For mapping and testing activities, firms have relied on existing frameworks and tools. The Bank of England has warned that significant further work is required in the next three years for firms to embed fully coherent mapping and testing frameworks.
Current toolsets are not natively capable of continuous testing, of showing where investment is required, or of showing where change needs to happen. Some firms are taking an approach that aims to repurpose existing tools such as business continuity, business intelligence and even Excel. Such an approach is likely to be suboptimal: it will increase the risk of non-compliance and will inevitably cost significantly more in the long term. In short, PS6/21 and PS21/3 are not business continuity or monitoring stipulations in the “traditional” sense. The regulators’ requirements describe a continuous cycle of appraisal and re-appraisal of all business services and of the resources they rely on, including estates and people-based processes as well as data-based systems.
During the three-year transition phase, the regulators have signalled that monitoring and enforcement activities will progressively tighten. According to BCS Accenture and ghost-factory.de, this will drive change in three areas. Firstly, the Important Business Services identified will not be static; they will change and evolve as the firm, the market and customers evolve. Secondly, operational resilience dashboards will need regular enhancement. Thirdly, incident reporting mechanisms and their alignment to Impact Tolerances will need to take into account the PRA’s ‘Operational Resilience Incident Reporting’ consultation paper. More generally, regulators underlined the need to embed a culture of continuous improvement, and the frameworks and tools that can enable it.
When the policy statements were announced, Corporater decided that rather than expanding or repurposing existing solutions, it would build a market-ready Operational Resilience solution that was flexible enough to meet the needs of firms, now and in the future. It’s aimed at comprehensively supporting the advancement of firms’ operational resilience capability to 2025.
“We very much designed the solution with the policy statements in mind and at the heart of what we’ve done and therefore have approached it from a top-down perspective of focusing on meeting the requirements of what the policy statements are trying to address,” said Mark Limpkin, Corporater’s UK Head of Consulting.
Corporater’s solution is built to reflect a hierarchy, with Important Business Services at the top, followed by the underlying processes and then the underlying resources. Important Business Services are rated against two concepts: Vulnerability (how likely it is that a business service will experience disruption, based on threats to its underlying resources) and Recoverability (whether or not a business service can continue to operate inside the defined Impact Tolerances).
Corporater’s Operational Resilience solution enables firms to act across six steps (identify, map, assess, test, invest, and communicate). With this framework, companies can proactively comply with existing and new policies as they emerge — not because they have to, but because Operational Resilience is clearly imperative in the sector.