Over recent years, firms in the Investment Management and Wealth (‘IM&W’) sector have been focused on meeting implementation deadlines for new prudential and operational resilience requirements. For many firms, the frameworks and processes that have been established to meet these two requirements operate in silos. Now that we are in the second year of the Investment Firms Prudential Regime (‘IFPR’) and the Operational Resilience rules set out in Policy Statement 21/3 (‘PS21/3’), some firms have started to assess how best to integrate, embed and optimise overlapping processes to realise efficiencies, reduce costs and enhance overall financial and operational resilience. However, this opportunity for integration has not been considered by many firms and the associated benefits are not being realised.
The FCA highlighted both operational and financial resilience as sector priorities in its 2023 Asset Management Supervision Strategy letter and the regulatory landscape continues to develop (such as the recent Discussion Paper on critical third parties). This blog will highlight areas of overlap between the two sets of requirements and take you through some of our key observations and considerations for firms.
Operational resilience focuses ‘on how businesses can prevent, adapt, respond to, recover and learn from operational disruptions’ (PS21/3, page 52). The FCA’s Operational Resilience rules require in-scope firms to:
By building operational resilience, the potential to cause harm to customers and the market or to impact firm viability from the unavailability of important business services can be reduced and the ability of the firm to respond to and recover from disruptions can be increased. Further information on implementing operational resilience requirements can be found here.
Operational risk ‘refers to the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’ (PS21/3, page 53). It is often the most material risk exposure for IM&W firms and is a key element of risk management frameworks. The FCA sets out in its Finalised Guidance 20/1 that it expects all firms to assess the risk of harm, which includes any operational risk exposure. For firms subject to the FCA’s MIFIDPRU rules, the Internal Capital Adequacy and Risk Assessment (‘ICARA’) process is used as part of the wider Operational Risk Management Framework to ensure adequate resources to mitigate the risk of harm, including those that may arise from operational risk events. This typically includes an assessment of:
By conducting a robust ICARA process, a firm is able to show that it has adequate financial and non-financial resources to reduce the likelihood of operational losses occurring and, in the event of disruption, limit the potential to cause harm to customers, the market and the firm itself. Further ICARA observations and considerations can be found here.
The focus of many firms has been on meeting the initial implementation deadlines set by the FCA for the new prudential and resilience requirements. In many cases, this has led to work on risk and resilience being performed separately with little cross-over. Whilst some separation between processes is required to meet the specificities of each set of requirements, there is scope for firms to align and integrate various aspects of operational risk and resilience activities to deliver more robust and efficient output.
Where we have supported IM&W firms in reviewing existing arrangements, we have observed firms recognising areas of common risk (such as third-party outsourcing) across their different assessments but missing opportunities to align and integrate the key underlying processes:
Having met the regulator’s initial implementation deadlines, firms should now seek to leverage the opportunities to identify any key areas of potential overlap or duplication between their ICARA process and operational resilience arrangements. In a time of margin pressure and increased external threats, the embedding and optimisation of these overlapping processes can help firms enhance their overall financial and operational resilience in an efficient manner that could also reduce costs.
In support of this, we will also seek to explore the alignment of prudential, operational and cyber resilience requirements during our next IM&W Prudential roundtable in September. Feel free to get in contact with any member of our IM&W Prudential team if you would like to participate in this discussion or require any further support in this area.