Following the FCA’s recent operational resilience webinar, it’s clear that many regulated firms are working hard to meet the requirements ahead of the first operational resilience deadline of 31 March 2022. Efforts in this space are primarily focused on identifying important business services, setting impact tolerances, and conducting mapping and scenario testing to the required level of sophistication. But with less than two months left to finalise plans, there is plenty more work left to do, both in anticipation of the first deadline, and beyond.
Although compliance will take time, particularly on-going compliance after 31 March 2022, the FCA recognises that operational disruptions are inevitable and that a firm’s readiness to withstand disruptions determines important outcomes for both the firm and its customers. It’s against this backdrop that the FCA are requiring firms to invest in and bolster their operational resilience now to withstand future operational threats. The FCA also recognises that threats are both increasing and evolving, fuelled in part by Covid-19 uncertainty and the prevalence of cyber-attacks. Firms must therefore ensure that they comply with the new rules in a meaningful way to guard against both the unknown and the unexpected.
For a reminder of the impending rules, check out our previous articles on the framework itself and our operational resilience checklist for both regulated firms and their vendors.
What is required by 31 March 2022?
Firms must have:
- Identified their important business services:
  - These are a firm’s key services to its customers.
  - From here, firms should be able to map out the processes on which their important business services depend, to assess where disruption may impact upon those services.
- Set impact tolerances in respect of each important business service:
  - This is the point at which the level of disruption to an important business service would cause intolerable harm to consumers or risk to market integrity.
- Conducted mapping and scenario testing to a level of sophistication that enables them to identify their important business services, set impact tolerances and identify any vulnerabilities in their operational resilience:
  - The FCA expects firms’ thinking and progress to be at the advanced stages at this point in readiness for the first deadline.
- Conducted lessons learned exercises.
- Developed their internal and external communications plans.
- Undertaken and documented a self-assessment:
  - This should provide a snapshot of the firm’s operational resilience at a particular point in time.
  - The FCA and PRA can request to see a firm’s self-assessment from 31 March 2022.
  - This must also be approved by a firm’s Board or governing body and must be regularly reviewed as part of a firm’s ongoing compliance.
After the 31 March 2022 deadline, firms will enter a transitional period in which they must continue mapping and scenario testing to ensure that they are able to remain within their impact tolerances by no later than 31 March 2025.
Key observations from the FCA
The FCA conducted a survey of select firms to gather data on, and analyse, their progress in respect of the new operational resilience rules. Below are some of its key observations:
- Good progress has been made overall in terms of firms complying with the requirements under the new rules, with some firms using the UK’s operational resilience framework as a baseline to bolster their global operational resilience.
- Firms are making most progress in the area of identifying their important business services.
  - The FCA expects firms to outline why they have determined such services to be important, based on distinct reasoning (such as consumer research or additional metrics) that is not duplicated across multiple important business services.
  - The FCA also noted that some firms are incorrectly identifying their internal functions (such as payroll) as important business services. Though important business services may depend on the performance of these functions, the functions are not themselves provided to external customers and therefore do not constitute important business services. However, such functions will still be relevant to the firm’s mapping exercise.
- Firms are still in the process of developing their impact tolerances; however, insights into this area were more limited.
  - The FCA encouraged a change in the way firms are approaching their impact tolerances, such that focus is shifted away from how to remedy a breach of impact tolerances and towards building in resilience to avoid a breach occurring in the first place (e.g. by investing in technology, processes, people etc.).
  - Firms should also prioritise assessing the effect of harm on consumers and markets, rather than the effect on the firm itself. In this regard, firms should consider the point at which harm affects customers (including vulnerable customers) and set impact tolerances accordingly. They should avoid conflating impact tolerances with inward-looking recovery metrics (such as recovery time objectives) based on a firm’s risk appetite, which do not consider the external harms that may arise.
  - As with the identification of important business services, firms should have a clear rationale justifying their impact tolerances, with adequate Board oversight. This includes justifying why they consider intolerable harm would arise at the point the impact tolerance is breached, but not before.
- Firms have reported challenges in grappling with the level of granularity required with respect to mapping. The correct level will ultimately vary from firm to firm, but mapping can be conducted proportionately to the size and nature of the firm, focusing on the outcomes that mapping is intended to achieve.
  - Difficulties can also arise in relation to firms gaining a full understanding of operational resilience in their supply chains, particularly where outsourced arrangements involve sub-outsourcing to “fourth” or “fifth” party providers. However, firms are still required to work effectively with their third party providers to understand their supply chain and outsourced arrangements. Our previous article covering operational resilience and outsourcing aims to assist firms in this scenario.
- Firms’ Boards are expected to evidence that they are satisfied that the firm is meeting its operational resilience responsibilities, and to approve, and regularly review, its self-assessment document.
- The FCA highlighted that cyber security is a key pillar of operational resilience and that it would be prudent for firms to account for instances of cyber-attack within their set of ‘severe but plausible’ scenarios, given the likelihood of such attacks occurring.
What does this mean for regulated firms?
Whilst the FCA’s observations show that progress is being made on the identification of important business services, there is still more work required to ensure that impact tolerances are set and that mapping and scenario testing are conducted to the required level of sophistication. Where firms fail to comply with the rules, we would expect the FCA to use its existing powers to force firms to act. This means that firms caught under the regime should be working hard to meet, and be sufficiently prepared for, the initial 31 March 2022 deadline.
If you want to discuss your operational resilience, particularly in light of the 31 March 2022 deadline, please contact Martin Cook or Brandon Wong, or your usual Burges Salmon contact.