A key new concept introduced by the Consultation Papers on Operational Resilience proposed by UK Regulators in December 2019, and further clarified in the Policy Statements in March 2021, is the setting of impact tolerance thresholds. A number of approaches and methodologies have emerged in the run-up to the supervisory framework being finalised, and it is now confirmed that firms face a 12-month implementation timeline to be completed by 31 March 2022, with up to a further 3 years to demonstrate that they can operate within their impact tolerances, remediating and closing vulnerabilities where required to enable this.
Those that have read the Policy Statements will have seen that more time and flexibility has been afforded over the activities required during the initial 12-month implementation period: mapping and scenario testing need only have been performed sufficiently to enable identification of vulnerabilities in their Important Business Services (“IBSs”), although defining an impact tolerance statement for each IBS remains within the 12-month deadline. However, as the regulators jointly expect a strategy or plan setting out how the firm will comply with the requirement to be in effect by 31 March 2022, firms will still need to perform these activities in sufficient detail to understand what needs remediating and/or adding (e.g. greater substitutability) to bring each IBS back within its impact tolerance.
As a result, firms now need to think carefully about the approach for constructing their impact tolerance statements. The statements should be used as assessment criteria for scenario testing and to help frame investment decisions around operational resilience. One of the main considerations for firms is achieving the balance between qualitative and quantitative (judgement and data) analysis to help determine intolerable harm and tolerance thresholds.
The approach to setting impact tolerances runs the risk of getting lost in reams of data trying to find the perfect answer. However, we should remind ourselves throughout the Operational Resilience programme that the regulators’ intentions are for a well-considered response to disruptions. Determining when, and how deeply, data analysis is used can be the key to keeping this phase of the programme on track and within a sensible level of time and energy.
A simple but methodical approach has its benefits, and we recommend breaking this down into 4 key steps, with the aim of using judgement to guide the data needed:
1. Tell the impact story
It is difficult to understand what impact is tolerable without first understanding what impact could look like and how it might change as a disruption to an IBS becomes more severe (e.g. it becomes prolonged and/or more widespread). Telling a simple ‘impact story’ can help identify who or what is impacted and where or when the impact changes, explore the ‘what if’ should desired recovery objectives and service level agreements be breached, and build consensus on what intolerable impact looks like. This can be done through workshops, and should aim to describe the following four stages of increasing severity:
- The immediate impact at the point of disruption when the IBS is not available;
- The impact at the point by which the firm would ideally have recovered the service (e.g. in line with SLAs or recovery time objectives), expecting that this would be inconvenient but not cause significant harm or other impacts;
- What the impact would be if the firm did not meet its desired recovery objective or SLA, and how the nature of the impact would change (e.g. from inconvenience evolving to harm) as the disruption becomes more severe: it goes on longer, becomes more widespread, or affects specific activities (e.g. those customers need to go about daily life); the firm starts to breach regulatory requirements; confidence in the firm is increasingly damaged; or material supply of products or services to the industry becomes increasingly unavailable. Impact should be considered against customers, the safety and soundness of the firm, and the stability of the financial system or the orderly operation of financial markets; and
- What would characterise the point of intolerable impact, i.e. the point at which the customer harm caused is so acute, long-lasting or widespread that it cannot easily be remedied, or a risk to the firm’s safety and soundness and/or to financial system or market stability has crystallised (e.g. customers defaulting, material movements in market pricing, availability of products from the industry being impacted, wind-down plan thresholds breached).
Understanding how an increasingly severe disruption affects customers, the financial system or markets and the firm itself enables the identification of impacts that might have otherwise been missed. Key to this is engaging different perspectives in the conversation, including those from client services teams in addition to operations and technology teams. The rationale for why the business service was considered important in the first place will also support this analysis.
2. Identify and gather relevant information and data
Through developing the impact story, firms will identify information or data needed to validate, refine and ultimately complete the story. This may include volumes of transactions, timeframes, or customer types which help underpin the rationale for why the impact changes (e.g. inconvenience to harm to intolerable harm).
Additionally, firms can have varying levels of impact on their customer base and the market itself based on their size and breadth of services. The firm’s customer base consists of a diverse group of individuals or institutions with different needs, which may mean that harm is reached more quickly for a subset of these customers. Identifying the size and profile of the most vulnerable customers will help assess how quickly harm will be felt and intolerable harm reached, in what way and how broadly. Similarly, if the firm has a significant share of the market, data on historical or theoretical impacts on markets and participants will inform how harm is caused and how quickly.
These data points should be logged and followed up with appropriate subject matter experts before being incorporated back into the overall impact narrative developed in step 1. Some of these may have already surfaced when the business service was identified as being important in the first place. The data points will help form the basis for the tolerance threshold described in Step 3 below.
3. Set the impact tolerance threshold
The completed impact story should be used to determine the impact tolerance threshold. Where this lies will be based on the impact descriptions, but setting the threshold too close to the point of intolerable impact may indicate that the firm is willing to accept significant harm; conversely, setting the threshold too close to the desired recovery point could result in firms focusing on existing resilience arrangements rather than creating alternative options, adapting how the service is delivered to increase flexibility, or innovating to improve resilience. Firms should judge where between those two points the threshold should lie so that there is an appropriate ‘buffer’ before intolerable impacts are caused. Placing the tolerance threshold between these two points (desired recovery and intolerable harm) is a practical approach designed to safeguard the firm, its customers and market participants, and the financial system by ensuring operational resilience capabilities are sufficient to avoid intolerable impact.
4. Develop outcome-based objectives
The final step is the development of an impact tolerance statement. These statements should be concise and expressed as an objective of what needs to be achieved in a disruption. The statement must include a time-based component and, where relevant, other metrics (e.g. complete a percentage of transactions within a specified timeframe). Expressing an impact tolerance in this way provides a clearly measurable success criterion for scenario testing, as well as guiding response actions in a live event. Once drafted, the statements will require Board approval.
The regulators have made clear that impact tolerance statements should show an appropriate level of resilience in the face of severe but plausible scenarios (or, in the case of Financial Market Infrastructure, extreme but plausible). It has also been made clear that the onus is on the firms, not the regulators, to set these impact tolerance statements, and that these should be tailored by each individual firm. Where the firm is dual-regulated, two impact tolerance statements per IBS will need to be provided, which may differ in order to meet the requirements of both the FCA and the PRA. That said, firms should understand the full context of existing regulatory work as they undertake this analysis. The Financial Policy Committee’s (FPC) 2019 ‘pilot’ cyber risk stress test set an important benchmark for how the most systemically important firms should think about impact tolerances through the financial market stability lens, both in terms of the scenario and stress levels used and the impact tolerance expected by the FPC. This should be given careful consideration by firms even if they were not involved in the pilot exercise. In addition, these new impact tolerances should not replace existing resilience regulatory requirements, e.g. central counterparties being required to have their ‘critical business functions’ recoverable within two hours (Article 17(6) of RTS 153/2013), but should be seen as complementary requirements.
The Policy Statements in this area have not diverged much from the Consultation Papers, and work already done well on impact tolerance statements will remain valid. The one area that does require further consideration is the increased effect on intolerable harm if a single event causes multiple IBSs to be disrupted, for example through the failure of a shared resource or a widely impacting external event. There is no additional requirement to set further impact tolerance statements for this case; rather, firms should consider which IBSs could be exposed to the same single event, the possibility of multiple and simultaneous disruptions, and how this aggregated impact might make those IBSs’ individual impact tolerance thresholds more acute. This is likely to be very relevant for central counterparties.
Firms have some key steps ahead to meet the initial regulatory requirements by 31 March 2022. Following identification of important business services, the focus needs to shift to the definition of impact tolerance statements. It is critical that these statements are adequately defined to support scenario stress testing, identify operational gaps to be remediated and further inform investment decisions. For more insight, please visit our dedicated website and look out for ‘Time to Thrive’, the updated edition of our 2019 publication ‘Time to Flourish’, which will be published soon.