UK regulators have set a March 2022 deadline for financial services organizations to define impact tolerances for their important business services and to comply with third-party risk management requirements, so that customers are protected from disruptions.
Operational resilience is officially a front-and-center mandate for banks, insurers and other financial institutions in the UK, with implications for the rest of the global financial system. The Bank of England's Prudential Regulation Authority (PRA), working with the Financial Conduct Authority (FCA), set a 31 March 2022 deadline by which firms and financial market infrastructures (FMIs) must show that they can monitor their vendors and outsourcing partners and can tolerate and respond to business disruptions, whether caused by IT failures, cybersecurity breaches or other events.
The need for operational resilience in the UK’s financial sector has been highlighted by numerous disruptive events experienced by firms and FMIs throughout the industry.
Each regulated financial firm will be required to identify its important business services, set an impact tolerance for each one (the maximum level of disruption it could tolerate before causing intolerable harm to customers or to the firm's safety and soundness, usually expressed as the time within which the service must be restored), and describe how a disruptive event could affect customers and broader financial stability. Firms must also comply with the PRA's supervisory statement on outsourcing and third-party risk management. The goal is to ensure "end-to-end resilience", particularly in the context of Brexit.
BoE’s operational resilience stance has a global impact
While the requirements apply directly to financial institutions and services firms operating in the UK, including branches of overseas banks and insurers, the impact has already been felt globally. Financial institutions and services firms, and the third parties and outsourcers who support them, are being prompted to evaluate their operational resilience capabilities and the full risk management lifecycle of their third-party relationships.
Simply stated, operational resilience and third-party risk management are about understanding the critical services an organization provides to its clients, mapping the internal assets, resources and vendor-supplied services those critical services depend on, setting impact tolerances for them, and ensuring the organization has fully considered and adequately prepared for severe but plausible disruption scenarios.
The latest policy statements from the UK supervisory authorities bring added clarity to consultation papers developed over the past few years and define a specific set of activities that all types of financial firms should initiate or accelerate now. Today, financial institutions and services firms should be well into the program of activities: service definition, dependency mapping, vulnerability assessment, impact tolerance definition, scenario definition, and plan development and testing, all inclusive of critical third parties.
Nonetheless, many firms are scrambling to get started
The concepts of prioritization and proportionality in the policy statements mean that not everything has to be fully evaluated and thoroughly tested by the initial deadline (the policy allows a transition period, running to 31 March 2025, for firms to demonstrate they can remain within their impact tolerances), but completing the basics will be effort enough for almost every organization. Fortunately, the UK supervisory authorities recognize the challenge and do not require firms to have completed their initial self-assessment until 31 March 2022. A 12-month window is tight, but achievable with the right approach.
Setting an operational resilience strategy for financial services
If you're considering how to make these efforts manageable, a best practice is to start by building an organized, sustainable foundation of information (services, dependencies, tolerances, scenarios and test results) that can be continuously evolved as you guide your firm through the entire program of activities.
Flexible and agile platforms, such as our SAI360 solution for integrated GRC, can be used to define your risk and resilience program at the outset, rather than bringing in software tools after the fact. The result can be a dramatically more efficient approach, and a catalyst for breaking through the disparate silos of risk and resilience initiatives that have challenged all types of organizations.
- Statement of Policy: Operational resilience (March 2021)
- Outsourcing and third-party risk management (PS7/21|CP30/19)
- Defining the Future of Operational Resilience by Paul Johns, EVP SAI360, in Risk & Compliance Magazine
- Your Operational Resilience Program and the Impact of Impending Regulations, a discussion with GRC Pundit Michael Rasmussen and Paul Johns, SAI360
- The Operational Resilience Handbook: 5 Obstacles when Complying with Upcoming Regulations and How to Overcome Them