Financial Services Compliance Blog - Thistle Initiatives

Operational resilience

Written by Thistle Initiatives - Compliance consultancy | Nov 22, 2022 10:36:56 AM

What is Operational Resilience?

Author, Lorraine Mouat, Head of Payment Services

What is Operational Resilience?

At the end of 2019, the PRA and FCA publicised a joint Consultation Paper on Operational Resilience, just as the world stepped into the most challenging events in recent times. The outbreak of the Covid-19 pandemic, for most financial services firms, brought a number of unanticipated changes to the operational and regulatory landscape in which they operate. This, along with the complexity of Brexit, brought the perfect storm – a new ‘normal’ and an uncertain financial future for many.

But it was exactly this kind of scenario that the FCA had anticipated when seeking to enhance firms’ Operational Resilience. Such a severe but plausible event is what the FCA wants firms to consider; how do firms prevent, adapt, respond to, recover from, and learn from operational disruption?

In March 2021, the FCA and the PRA in conjunction with the Bank of England (BoE) (the UK regulators) published their final policy and supervisory statements on Operational Resilience. This requires firms to identify their most important ‘end-to-end’ services, which the UK regulators have labelled ‘important business services’ and protect these from disruption.

To strengthen operational resilience, firms are required to mitigate for the impacts of future incidents by building a framework that incorporates tolerances for internal and external triggers as a fundamental means of allowing the firm to efficiently and sustainably respond to risks whilst pursuing opportunities.

What are the deadlines for implementation?

By 31 March 2022, firms should already have:

  • Identified their Important Business Services (IBS), which if disrupted could cause intolerable harm to consumers, the firm, markets, and the financial system;
  • Set impact tolerances for the maximum tolerable disruption to services;
  • Carried out mapping of their value chains, and tested to identify vulnerabilities;
  • Conducted ‘lessons learned’ exercises to help respond and recover effectively from disruption;
  • Developed internal and external communication plans; and
  • Prepared a self-assessment document, to be approved by the Board.

In doing so, firms should adopt a cross-functional approach, underpinning their implementation plan with effective governance and senior management accountability, roles, and responsibilities. This, along with a robust risk management framework and supporting policies and procedures, will ensure the successful implementation of a resilient-centric culture.

The next major compliance checkpoint is on 31 March 2025. By then, firms should have carried out scenario testing and continued to build their Operational Resilience framework in line with the regulators’ expectations. By that time, your firm will have to provide assurance that it can remain resilient to any disruption to its IBS, and within pre-defined impact tolerances. Testing needs to be an iterative process, considering all critical resources and dependencies, both internal and external.

Operational Resilience or Business Continuity?

You would be forgiven for thinking that Operational Resilience and Business Continuity are one and the same thing. Whilst Operational Resilience includes many of the same disciplines as Business Continuity, the latter is more internally focused and deals with plans for specific scenarios, including the actions you’ll take to help minimise such disruption. It is about immediate crisis response. Operational Resilience on the other hand is more outcomes focused. It is centered on adapting and enhancing your overall resilience end-to-end. In summary, Operational Resilience moves the dial of Business Continuity from ‘if’ to ‘when’.

How can we help you?

If you’ve not yet begun your journey on the road to Operational Resilience, then now’s the time to start. Like most regulatory change projects, implementing an effective and appropriate framework requires expert and experienced resource. We can work with you and help you take positive steps in understanding the unique challenges and opportunities within your business. With a proven track record of supporting financial services firms in demonstrating and enhancing Operational Resilience, we can help you build on existing operational arrangements and provide the right level of assurance to your Board and to the regulators.

If you’d like to know more about how we can help you with your Operational Resilience arrangements, or any other regulatory compliance issues, our specialist team is here to help.

Contact us today on 0207 436 0630 or email info@thistleinitiatives.co.uk.