The finalisation of the UK supervisory approach to operational resilience re-confirms the regulators’ bold agenda and underlines the urgent need for firms to move quickly from planning to action and implementation.
The UK’s financial regulators, the Bank of England (BoE), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), have published their Policy and Supervisory Statements finalising their approach to operational resilience for financial services firms.
You can find the regulators’ joint covering document summarising the overall supervisory approach taken [here], the PRA Statement [here], the FCA Statement [here], and the Statements from the BoE on its approach to operational resilience for financial market infrastructures (FMIs) [here].
In parallel, the PRA has also published its final Supervisory Statement on Outsourcing and third party risk management that you can find [here].
This represents the culmination of almost three years of policymaking by UK regulators, following the 2018 BoE Discussion Paper and 2019 Consultation Papers (CPs), and re-confirms the central importance that they see operational resilience having in the overall resilience of the financial sector going forward. These publications give firms in the financial sector the basis on which they can now proceed with plans to assess their current state of operational resilience, and invest in addressing the vulnerabilities they identify, in what will be a relatively short period of time.
Key takeaways from the final framework
Overall, the final operational resilience framework set out by the Supervisory Statements does not depart significantly from the December 2019 CPs. Most notable to us is that the following aspects of the framework remain in place:
- The relatively short implementation period: despite significant pushback from the industry, the regulators have maintained their proposed timeline and given firms a 12 month implementation period for initial work, followed by a three year transition period, by the end of which they expect firms to have carried out necessary remediations so that they meet the impact tolerances they have set for their important business services (IBS).
- The close involvement of boards and senior management: the onus continues to be placed squarely on a firm’s senior leadership to ensure its operational resilience. The Supervisory Statements confirm that the board will have to sign off on the identification of IBS and impact tolerances for those services and is required to review and approve the firm’s operational resilience self-assessment. The Statements provide guidance on what the self-assessment should cover, but avoid being prescriptive or providing a template. The Statements also affirm the responsibility of a firm’s SMF24 for the overall delivery of its operational resilience strategy.
- The focus on IBS and impact tolerances: unsurprisingly, the regulators have not veered from the ‘shift in mindset’ approach of the overall framework design that asks firms to identify their most important business services and then to focus on their resilience by setting impact tolerances that articulate the maximum tolerable interruption of those services when faced with a ‘severe but plausible’ disruption scenario. Whilst the focus is on the resilience (or continuity) of those services to the external user under ‘severe but plausible’ scenarios, they have emphasised that they expect a continuing focus on the prevention of such disruptions. They have also reconfirmed that substitution and recovery are both valid operational resilience considerations, and reinforced the importance of communications and communications planning.
- The ‘three lenses’ for impact and harm caused by an operational disruption: the regulators continue to be clear that firms should evaluate the impact and harm caused by an operational disruption in three ways: potential impact on the functioning of the market or overall financial stability (for large firms only); the potential impact on an individual firm’s viability; and the potential harm caused to consumers. These three lenses give firms a number of dimensions to consider, through both quantitative and qualitative metrics, when assessing the impact and harm that could be caused by a disruption to their IBS and the impact tolerances that they will consequently need to set.
- The need for robust resilience testing methods to emerge: the operational resilience framework is predicated on the need for firms to demonstrate to their supervisors that their resilience falls within the impact tolerances that they have set, and as a result, methods of testing the resilience of services to severe but plausible disruptions will be needed. The regulators are not prescriptive about what kinds of tests should be conducted, but are keen to see the sector develop innovative ways of simulating disruptions and demonstrating resilience.
Although the final framework is very similar to the one consulted on in 2019, the regulators have made a number of smaller changes, clarifications and observations, including amendments to better align the frameworks set forth in parallel by all three regulators. Most notable to us in their Statements today:
- Proportionality: the regulators stress that their approach to the proportional application of this framework is to be non-prescriptive in most areas to allow for firms to design an approach that suits their circumstances – for instance, the regulators have declined to create a template for firms’ self-assessments of their operational resilience. They have, however, made a number of related clarifications, including that all firms subject to the framework will be expected to have at least one IBS, and that small and medium-sized firms will be exempted from having to assess the impact of their IBS on financial stability and set impact tolerances based on this lens.
- Work during the implementation timeline: while the regulators have maintained their original one + three year approach, they have clarified that, for the one year implementation period ending on 31 March 2022, firms will only be expected to conduct mapping and testing insofar as it is necessary to identify IBS, identify vulnerabilities and set appropriate impact tolerances. The regulators are clear that firms should not wait until the end of the three year transition period ending 31 March 2025 in order to show that they have addressed vulnerabilities, but should do so as soon as it is ‘reasonably practical’.
- Identifying IBS: further clarification is made to the definition of IBS, particularly with the PRA updating its definition to include ‘a service provided by a firm, or by another person on behalf of a firm.’ The regulators maintain that it would be inappropriate for them to publish a list of common IBS that must be identified by firms, stating that this should be tailored to each firm’s specific circumstances. They do, however, clarify that internal shared services (e.g. HR, Finance) should not be included and that IBS should focus on external services delivered to end-users.
- Setting impact tolerances: the regulators have clarified that while impact tolerances should have a time-based metric for the resumption of services, they can be expressed as a combination of time and non-time-based metrics such as the volume disrupted. The regulators also clarify that dual-regulated firms may, at times, need to set different impact tolerances for IBS given the different objectives of the PRA and FCA, but that it is acceptable for firms to focus on the most stringent impact tolerance provided that they can show that they have taken into account the objectives of the regulators involved. The PRA’s Statement accepts that ‘rapid technological change’ may mean that firms can suddenly no longer stay within their impact tolerance, but in such scenarios it expects firms to implement a remediation plan promptly to enhance their resilience in the face of that change.
- Mapping and third parties: responding to industry feedback on the level of detail and extent of mapping required, the regulators have clarified that the granularity of mapping should be to a level that allows the firm to identify vulnerabilities to its delivery of IBS and for meaningful testing to be carried out. They have also clarified that mapping should be iterative and reviewed at least annually, and more frequently when there is a substantial change to a firm’s operations. On third-party outsourcing, the regulators underline that a firm is responsible for functions that it outsources and that any potential vulnerability arising from a third party relationship should be accounted for in the mapping and scenario testing conducted.
- Severe but plausible scenarios: the regulators have declined to define more clearly what a ‘severe but plausible’ or ‘extreme but plausible’ (in the case of FMIs) scenario should constitute, but have said that this will be a common topic of supervisory discussion during the implementation and transition periods and that they expect industry-wide standards to emerge. They have repeated that firms should use internal data on near-misses and experiences in other FS firms, other industries and other jurisdictions to inform their scenario design. In practice, this is likely to be an area where supervisors challenge firms to enhance the severity of the scenarios used over time.
- Frequency of testing: the regulators have clarified that the requirement to test ‘regularly’ does not mean that testing must be carried out for all IBS on an annual basis. They do, however, stress that testing should occur more frequently where the operations of a firm change in such a way that materially alters the mapping that is carried out for each IBS. As a result, the most recent testing exercise a firm has run for an IBS should accurately reflect the operating model delivering that service and the potential vulnerabilities that consequently exist.
- International coordination: the regulators noted a number of consultation responses highlighting international regulatory compatibility and coordination as authorities around the world adopt new operational resilience frameworks. The UK regulators make clear that, while local requirements will not be perfectly aligned, they believe there is strong alignment in the core principles and mindset between emerging frameworks, and particularly between the UK framework and the Basel Committee on Banking Supervision’s draft principles for operational resilience. As a result, they commit to working closely with their international regulatory counterparts and also state that they believe that international firms will be able to ‘work effectively across borders’ in the area of operational resilience.
Next steps for financial services firms
As mentioned, the regulators have not altered their proposed implementation timetable and have kept the one year initial implementation period (that will end on 31 March 2022) and the subsequent three-year period for firms to be fully compliant with the framework, including meeting the impact tolerances they have set (ending on 31 March 2025).
It is clear that their experience with COVID-19 in the last year has only underscored UK regulators’ desire to see the sector improve its resilience to unexpected operational stressors. In her ‘Dear CEO’ letter on 2021 supervisory priorities, Sarah Breeden, Executive Director for UK Deposit Takers Supervision at the PRA, confirmed that enhancing the operational resilience of the financial sector is now a top strategic priority for UK regulators, alongside more traditional areas of focus such as financial resilience.
In our view, financial services firms need to respond to the publication of the operational resilience Supervisory Statements by carrying out their work based on the following five step approach:
- Identification: identify the IBS according to the principles of impact and harm set out in the new framework. This will be a crucial task for every in-scope firm as it will identify those areas that must subsequently be the focus of work to enhance the firm’s resilience.
- Mapping: map out the processes, assets and systems that IBS rely on to function, keeping in mind the regulators’ guidance that this mapping will be iterative, but should initially be granular enough to identify vulnerabilities and substitutions and to run meaningful tests.
- Impact tolerances: set impact tolerances for the IBS. Firms will have to think particularly carefully about the level at which these tolerances are set and how doing so will meet the expectations and objectives of the different financial regulators involved. In our experience, this has been one of the most challenging tasks for firms that have acted early and it is one that supervisors are likely to scrutinise closely in the next year.
- Testing: undertake scenario stress testing to demonstrate that the resilience of each IBS remains within the impact tolerances set. Whilst not part of the regulatory requirements, we suggest firms should consider stress testing changes to how an IBS is delivered as part of their change management process. Firms should also be particularly alert to opportunities for cross-industry collaboration and the emergence of industry best practice in this area.
- Self-assessment: conduct, draft and sign off on the regulatory self-assessment required by the new framework.
All of these steps will have to be completed in some form before the end of the one year implementation period (ending 31 March 2022) in order to allow for firms to focus on building up their resilience during the subsequent transition period. As a result, those firms that have not begun this work should do so immediately, and those that have can move from planning to action now that the final policy has been published by the regulators.
Firms should expect significant scrutiny and follow-up from UK supervisors during the implementation and transition periods as they will be keen to ensure that the sector is on track to put in place the new framework according to the timeline they have set.
More of our insights on how firms can build operational resilience
For more of our views on emerging regulatory approaches to operational resilience and how we think financial services firms can take the initiative to improve their resilience you can consult:
Our Resilience Reimagined portal with our latest insights on operational resilience, including our most recent articles and blogs on specific themes such as managing operational resilience during COVID-19.
Our Resilience Without Borders report on the development of international approaches to operational resilience in financial services. This report looks at emerging regulatory requirements in the UK, US and EU and considers what the gaps and similarities between the jurisdictions will mean for firms operating across borders.