Building Operational Resilience in Financial Services – Final Rules Published
The Financial Conduct Authority (FCA), in partnership with the Prudential Regulation Authority (PRA) and the Bank of England (BoE), has now published its final rules for operational resilience. April 2021 sees the conclusion of an extensively detailed consultation spanning several years, carried out directly through a global pandemic.
Many continuity and resilience practitioners, and not only those in financial services, will have been keeping a close and curious eye on these developments as we collectively try to understand what this might mean not only for us as practitioners, but also for our clients, customers and organizations.
In early 2020, like many of my colleagues, I began to digest the 300 or so pages of the jointly released consultation papers. If you’ve read these types of regulatory statements in the past, you will know just how challenging a read they are. As a result, I was left with as many questions as I had answers. As a result of this, I decided to write a 4-part blog on the BCI website entitled “Resilience Re-Wire” to help introduce myself to the topic and to share my thoughts with the community.
There will be more discussion, additional research and early insights from practical implementation to come in this space, but the most important points to note from the new rules are highlighted below.
Core Themes
- Process and Dependency Mapping: the focus migrates from internal critical functions to the specific business services that affect an identifiable participant. How did you decide on those services?
- Impact Tolerances: the methods by which your organization derives those tolerance thresholds.
- Threshold Testing against extreme but plausible events. What are your processes for providing that assurance?
- Third Party Risk Management: a focus on new and emerging technology risks such as cloud strategy, concentration risk in the major providers and sub-outsourcing risk (for example, do you really know who is doing your work?). This is in addition to the more regular challenges such as audit rights, pre-contractual assessments, etc.
What’s changed since the Consultation Papers?
A key piece of industry feedback to the FCA prior to this publication (and one which prompted subsequent amendments to the previous consultation detail) was a request for flexibility on mapping and testing deadlines and on the level of sophistication at which they are delivered. The original view was to implement all elements of the policy, with a view to maturing/transitioning over a 3-year period. This has been reworded: firms must deliver on mapping, but only to a level of sophistication sufficient to achieve the policy outcomes. Testing is no longer held to the same deadline but must still be achieved by 2025. The expectation is that there will be an ongoing maturity and investment journey.
Timelines
The FCA’s own publication confirms that their “rules and guidance will come into force on 31 March 2022” and “firms must be able to remain within their impact tolerances as soon as reasonably practicable, but no later than 3 years after the rules come into effect on 31 March 2022.”
What’s next?
Most financial services organizations have, by now, embarked on their own thinking and interpretation of these rules. It is highly likely that these approaches will vary from one organization to another, and there is undoubtedly more learning to come from implementation. Nevertheless, the four points above represent the core agenda items to get discussions going with your team and stakeholders.
In the UK, financial services firms should by now be looking to have:
A) identified their “critical business services” (not just the critical functions that make up each service).
B) started to map those services from the triggering transaction right through to the identifiable participant, including people, technology, data, vendor touchpoints and dependencies, etc.
C) defined what their organization’s tolerance level is for that service being impacted (working on the basis that the impact has already occurred, not on the risk of it occurring).
D) started to think about how the organization should plan to test these services (remember: extreme but plausible scenarios) against those tolerances, to provide top management with assurance that:
- this is a true and accurate reflection of the organization’s tolerance for disruption of that service
- the organization has a good understanding of its own level of resilience
E) become able to explain clear and repeatable methods for how this framework was created, maintained and matured.
Of course, the final publication of the policy statement from the FCA and the enforcement date of 31 March 2022 gives everyone a clear deadline for the first phase of this requirement.
Equally, there is more to explore as an increasing number of continuity professionals begin to help their organizations unravel this new requirement, decide what they already have in place to leverage, and then identify the delta between that and the points above. This will be different for everyone. Even for those not in financial services, the new rules can serve as a template for ensuring key services are kept running so that disruption to customers and suppliers is eliminated. Indeed, some non-financial services organizations that already have good reporting processes in operation (such as the wide capture of near misses, which helps organizations set realistic impact tolerances) will also be able to offer guidance to financial services organizations that are at the start of their journey to adopt the new rules.
The BCI is perfectly placed to centre itself in the midst of this learning so that we can collectively grow and learn as a professional community. The BCI will be offering opportunities for members to engage with other practitioners, where they will be able to learn from experts in the field as well as share their own stories about the implementation of the rules in their own organizations.