The Financial Conduct Authority (FCA) defines operational resilience as “the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, and recover and learn from operational disruption”.
Ensuring the operational resilience of the financial sector is crucial for consumers, firms and the broader financial markets. Significant operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers. Such disruption also threatens broader market integrity by limiting a firm’s ability to supply goods and services, thus slowing the pace of economic activity.
Covid-19 was a pertinent reminder of the severe but plausible events that institutions must be able to navigate, and it exposed gaps in operational resilience and business continuity planning across the sector. In March 2021, following consultation, the FCA published its final rules on how firms must approach operational resilience, with the aim of mitigating the impact of similar disruptions in the future.
The rules were developed in partnership with the Bank of England and the Prudential Regulation Authority (PRA) and apply to the following financial services organizations:
- Building Societies
- PRA-designated investment firms
- Recognized Investment Exchanges
- Enhanced scope SM&CR firms
- Entities authorized and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011
FCA Operational Resilience Requirements
The FCA’s Operational Resilience framework covers all risks to the provision of important business services and to the continuity of those services in the event of a disruption. The rules impose four primary requirements: identifying important business services, setting impact tolerances, mapping and scenario testing, and communications, governance and self-assessment.
Identify important business services
Under the FCA’s Operational Resilience Framework, financial institutions are required to identify important business services which, if disrupted, could cause “intolerable” harm to the consumers of the firm’s services or put market integrity at risk. This requires institutions to determine which parts of the value chain are critical to delivery. More specifically, the FCA defines important business services as “those provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
- Cause intolerable levels of harm to one or more of the firm’s clients; or
- Pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.”
Once the important business services have been identified, institutions are required to set impact tolerances: the point at which disruption to each service would cause intolerable harm to consumers or to the broader financial market. Impact tolerances must be reviewed at least once per year, and whenever there is a material change to the firm’s business or to the market in which it operates.
The FCA defines intolerable harm as harm from which consumers cannot easily recover. To quantify intolerable harm in practice, firms may wish to consider factors including, but not limited to, the number and type of consumers affected, the potential financial loss to consumers, the financial loss to the firm, and reputational damage that could harm consumers or the resilience of the UK financial system.
Mapping and scenario testing
In order to obtain a holistic understanding of resilience, in-scope firms must identify and document the people, processes, technology, facilities and information necessary to deliver important business services:
- People – identify the personnel responsible for implementing and monitoring relevant controls to support the provision of important business services. Moreover, firms are required to understand and document overall senior management accountability.
- Processes – define the structured set of activities that are designed to deliver outputs in an organization.
- Technology – the underlying systems and architecture that support the provision of critical services.
- Facilities – office locations, printing facilities, mailing, credit card production / statements / client communications.
- Information – any data, feeds or material that is required by a firm to deliver a service.
The process of mapping forces firms to proactively identify and address vulnerabilities so that important business services can remain within the pre-defined impact tolerances. This also extends to third-party dependencies: the FCA expects firms to map any outsourced relationships in order to understand the potential vulnerabilities and whether they sit with the third party or within the in-scope institution.
Communications, governance and self-assessment
Organizations are required to produce internal and external communications strategies to reduce the harm caused by operational disruptions. A robust internal communications strategy defines the escalation paths a firm would use to manage communications during an incident and identifies the appropriate decision-makers. External communications strategies should detail how the firm intends to provide warnings and advice to relevant stakeholders in the event of a disruption, including where there is no direct line of communication with them.
The FCA also requires firms to compile a self-assessment document to illustrate how they meet the operational resilience requirements. While this document will not need to be submitted directly to the FCA, it will need to be made available upon request. The documentation should be reviewed and approved by the Board or management body on a regular basis.
How can firms best cope with the new requirements?
The deadline for firms to identify their important business services and set impact tolerances was 31 March 2022. By that date, firms were also required to have carried out mapping and testing to the degree of sophistication necessary to identify vulnerabilities in their operational resilience.
The FCA’s transitional arrangements require firms to continue mapping and testing as soon as reasonably practicable after 31 March 2022, and no later than 31 March 2025. By the end of this period, firms must be able to demonstrate that they can remain within the impact tolerance for each important business service.
In-scope firms have made clear the challenges of adapting to new and comprehensive requirements: eleven institutions responding to the FCA’s proposals raised concerns that rigorous scenario testing could affect business-as-usual operations, because the resources required for testing are drawn away from other required tasks. The FCA recognizes the added burden on institutions and strongly advises the “necessary investments” to enable them to operate consistently within their impact tolerances, while encouraging firms to consider how best to minimize disruption to other activities when meeting the new requirements.
Technology, a necessary investment?
Leveraging new, emerging technologies enables institutions to embed processes and controls quickly while alleviating the burden on human capital. Digitizing vulnerability testing and business continuity plans can greatly enhance the way institutions respond to disruptions. SAI360’s Operational Risk Module enables firms to improve the efficiency and effectiveness of their operational resilience planning through automated testing, tracking and monitoring of issues.
Accurately identify and assess risk
SAI360 allows organizations to perform top-down and bottom-up assessments, with consolidation techniques to summarize the risk profile of the organization or of its important business services. Impact and likelihood scales enable firms to proactively mitigate risks with relevant controls, and automated, configurable workflows with triggers (emails, escalations, management sign-off and reports) ensure that resolution stays on track.
Continuous risk monitoring
Technology such as that offered by SAI360 enables firms to monitor risk on an ongoing basis, providing real-time status reports of risk programs through configurable reports and dashboards. This ensures consistency and efficiency in data gathering and promotes effective follow-up on action plans to manage the ongoing risk profile of the business.
Simplify reporting and documentation
The FCA’s Operational Resilience Framework requires firms to make their self-assessment documentation available upon request. SAI360’s software enables instant report generation, removing the burden of producing manual reports while ensuring the recurring status and regulatory reports can be managed within one system. The software also allows firms to track communications and approvals from senior leadership in line with FCA document review requirements.