After 3 years of consultations, the Bank of England, the Financial Conduct Authority (FCA), and the Prudential Regulation Authority (PRA) have jointly issued their final policy statement on Operational Resilience. 

Whilst most firms have already launched Operational Resilience programmes in line with objectives set out in consultation papers, this marks the official start of the implementation period and the clock is now ticking for firms to demonstrate they meet the new requirements.

Two new regulatory deadlines have been introduced, in 2022 and 2025: 

Wavestone has identified and analysed 7 notable changes or clarified positions between the original consultation and the policy statements released on 29 March 2021. This article explores what these changes mean in practice for organisations.

1. Important Business Services

Before March 2022, firms are required to identify their Important Business Services. Although this was already discussed in the consultation paper, the regulators want to emphasise that it does not mean the full identification process must be repeated every year. The requirement is to keep the IBS up to date following any major change to the business or market. For example, a firm launching a new service, outsourcing part of its operations or modifying existing services must ensure that these changes are reflected in its IBS mapping.

Important Business Services (IBS) are described as services that, if they were to be disrupted, would cause irreparable harm to one or more of the firm’s clients or pose a danger to the UK financial system or market. 

In this new iteration, the PRA and FCA respectively introduced the concepts of internal services and internal processes to cater for those services and processes which are critical to the delivery of IBS but cannot be considered IBS themselves. They must nevertheless be thoroughly considered when creating the mapping of IBS dependencies. Examples include processes such as employee payroll or settlements, and services usually shared centrally such as HR functions or IT support.

In other words, IBS must be externally facing and consider services that firms provide to their customers. 

2. Impact Tolerance

Regulators made it clear that firms must define the maximum amount of time during which an IBS may be disrupted without causing intolerable harm to customers or the market. They strongly recommend adding other types of metrics, but have given firms the flexibility to choose the most relevant combination of metrics for them, as long as time is included.

Firms that are dual-regulated face the complexity of addressing both PRA and FCA rules, including setting separate impact tolerances to comply with the regulators’ different objectives (i.e. one addressing potential harm to consumers, and another based on objectives to mitigate harm to financial stability, safety and soundness, and policyholder protection). The regulators have confirmed that firms will need to demonstrate that they have considered each of the PRA’s and FCA’s objectives when setting their impact tolerances.

Following concerns raised by firms during the consultation phase, the regulators have clarified that work done to meet the objectives of one regulator “should be leveraged” to meet those of the other. However, they have set out that firms choosing to concentrate their efforts in ensuring they can remain within the more stringent tolerance must: 

  • Consider both PRA and FCA objectives when setting impact tolerances 
  • Ensure recovery and response arrangements are appropriate for both the shorter and longer impact tolerance  
  • Build comprehensive scenario testing that considers plausible disruptions for both recovery horizons and not only the shorter tolerance. 

In addition, large firms can and should acknowledge that some business entities face more stringent requirements due to the nature of their business, local regulation, etc. It is recommended to allow lower impact tolerances for such an entity, subject to Group approval.

3. Testing

Regulators have opted to give firms more flexibility in how they handle operational resilience strategies. Until March 2022, the only requirement is to ensure that mapping and scenario testing provide a comprehensive overview of IBS and impact tolerances, as well as of their vulnerabilities.

Firms then have until March 2025 to complete scenario testing to the point that they can provide an assessment of their ability to stay within the specified impact tolerances for each IBS. 

Finally, scenario testing does not have to be performed on a yearly basis. Scenario testing is required at least when significant changes to the business or services occur, as well as when improvements have been made after previous tests revealed vulnerabilities. Firms must therefore establish their own testing frequency, even when nothing unusual occurs. 

Even though testing is the firm’s duty, third parties should be involved in this part of the operational resilience plan. The firm and its third-party partners should collaborate closely during the entire process, from mapping to testing. Furthermore, if firms deem it necessary, testing may be carried out by third parties.

This is closely aligned with global regulatory trends in response to firms’ increasingly complex third-party environments and heavy reliance on cloud infrastructure. We can indeed see more stringent requirements being placed on the management of third (and fourth) party dependencies by the PRA itself through the Outsourcing and Third-Party Risk Management Supervisory Statement, and by the European Union with DORA. Both introduce specific instructions on management accountability for third-party risk, monitoring of providers, pre-contract due diligence and exit strategies.

The risk of multiple disruptions affecting a single service should not have any impact on how organisations set their impact tolerances. The scenario for this exercise should be focused on a single disruption event.

However, it may also happen that multiple IBS are disrupted at the same time. This might be the case if, for example, a cyber-attack hits a group on a large scale. For that reason, firms are required to consider the substitutability of each service and to understand which services depend on the same processes. This means that testing plans for such scenarios must include all IBS that would be affected at the same time.

Final thoughts

The spirit of the regulation has not changed since the consultation papers were published: proportionality and flexibility remain at the centre of the requirements, which are not very prescriptive when compared, for example, to some of the requirements brought in by DORA in the EU. UK regulators acknowledge that firms know their business and context better than anyone else. For that reason, flexibility is offered on many topics around granularity, frequency and scope, to help organisations focus their efforts on what really matters depending on their industry or situation.

More importantly, now that clarity has been provided on the requirements, firms need to move away from strategic and conceptual design and think of how operational resilience will be maintained and managed going forward. This means setting up the right governance model and using robust management information to provide transparency for senior management to understand their end-to-end operational environment and respond more quickly to threats and vulnerabilities. This can be accelerated through tooling but still requires a considerable effort in identifying and remediating gaps in data quality. 

Roxane Bohin
Most firms will now have a strategy in place and a programme initiated to identify IBS, scenarios and mapping. In the lead-up to the first regulatory deadline next March, Wavestone can help clients see more clearly through the flexibility provided by the regulators and validate that their methodology and outcomes are aligned with the regulators’ objectives. We can also help clients set up for the long term with governance models, training and culture, management information and tooling strategies.