ICARA and Operational Resilience synergies – taking the next step to embed key requirements efficiently and effectively

Over recent years, firms in the Investment Management and Wealth (‘IM&W’) sector have been focused on meeting implementation deadlines for new prudential and operational resilience requirements. For many firms, the frameworks and processes that have been established to meet these two requirements operate in silos. Now that we are in the second year of the Investment Firms Prudential Regime (‘IFPR’) and the Operational Resilience rules set out in Policy Statement 21/3 (‘PS21/3’), some firms have started to assess how best to integrate, embed and optimise overlapping processes to realise efficiencies, reduce costs and enhance overall financial and operational resilience. However, this opportunity for integration has not been considered by many firms and the associated benefits are not being realised.

The FCA highlighted both operational and financial resilience as sector priorities in its 2023 Asset Management Supervision Strategy letter and the regulatory landscape continues to develop (such as the recent Discussion Paper on critical third parties). This blog will highlight areas of overlap between the two sets of requirements and take you through some of our key observations and considerations for firms.

What is the difference between operational resilience and operational risk?

Operational resilience focuses ‘on how businesses can prevent, adapt, respond to, recover and learn from operational disruptions’ (PS21/3, page 52). The FCA’s Operational Resilience rules require in-scope firms to:

  • identify important business services;
  • assess potential vulnerabilities and dependencies through important business services mapping;
  • set impact tolerances for each important business service; and
  • conduct scenario stress testing to assess the firm’s ability to remain within impact tolerances.

By building operational resilience, the potential to cause harm to customers and the market or to impact firm viability from the unavailability of important business services can be reduced and the ability of the firm to respond to and recover from disruptions can be increased. Further information on implementing operational resilience requirements can be found here.

Operational risk ‘refers to the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’ (PS21/3, page 53). It is often the most material risk exposure for IM&W firms and is a key element of risk management frameworks. The FCA sets out in its Finalised Guidance 20/1 that it expects all firms to assess the risk of harm, which includes any operational risk exposure. For firms subject to the FCA’s MIFIDPRU rules, the Internal Capital Adequacy and Risk Assessment (‘ICARA’) process is used as part of the wider Operational Risk Management Framework to ensure adequate resources to mitigate the risk of harm, including those that may arise from operational risk events. This typically includes an assessment of:

  • the firm’s business model and strategy to identify key risks, potential harms and areas of vulnerability;
  • key controls and mitigants;
  • the firm’s operational risk exposure in relation to the firm’s risk appetite;
  • the required levels of financial and non-financial resources; and
  • stress testing, reverse stress testing and wind-down planning.

By conducting a robust ICARA process, a firm is able to show that it has adequate financial and non-financial resources to reduce the likelihood of operational losses from occurring and, in the event of disruption, limit the potential to cause harm to customers, the market and the firm itself. Further ICARA observations and considerations can be found here.

Key considerations for embedding and optimising

The focus of many firms has been on meeting the initial implementation deadlines set by the FCA for the new prudential and resilience requirements. In many cases, this has led to work on risk and resilience being performed separately with little cross-over. Whilst some separation between processes is required to meet the specificities of each set of requirements, there is scope for firms to align and integrate various aspects of operational risk and resilience activities to deliver more robust and efficient output.

Where we have supported IM&W firms in reviewing existing arrangements, we have observed firms recognising areas of common risk (such as third-party outsourcing) across their different assessments but missing opportunities to align and integrate the key underlying processes:

  • Identification of harms: Business model analysis and the identification of the potential to cause harm is a central element of the ICARA process. Harms are considered through the ICARA process in relation to customers, the market and the firm itself. Viewing harms through these three lenses is aligned with the operational resilience requirements and both sets of regulations have the ultimate FCA objective of reducing harm. However, many firms are considering harms in isolation which runs the risk of inconsistencies and gaps between the potential harms identified under the ICARA process and from an operational resilience perspective. Greater consistency would also enable a more holistic approach for the effective management of these harms.
  • Assessment of non-financial resources and areas of vulnerability: Key systems and controls are typically identified during the ICARA process to assess the adequacy of non-financial resources; whilst important business services are mapped to technology, third parties, processes, people, information and facilities as part of resilience assessments. However, we have observed misalignment at some firms between the identification of vulnerabilities in the ICARA process compared to important business services mapping. This misalignment could ultimately undermine the completeness and credibility of key ICARA and operational resilience assessments.
  • Capital and liquidity assessments: We have observed that the assessment of financial resources required to mitigate the potential to cause harm from operational risk often does not include consideration of any identified vulnerabilities or gaps in operational resilience that have been identified through separate processes. For example, the assessment of critical third parties is not always aligned between ICARA and operational resilience programmes. This could result in gaps in a firm’s assessment of capital and liquidity requirements.
  • Calibration of risk appetite and impact tolerance statements: The concept of risk appetite is not new to firms, but many have not yet considered how to integrate impact tolerance statements into their existing risk appetite frameworks. Whilst impact tolerance and risk appetite statements have crucial distinctions (for example, an impact tolerance statement refers to the amount of impact that is acceptable before irredeemable harm is caused and is set based on the fact one or more risks have already materialised), there is still a degree of overlap. The alignment of a firm’s stated impact tolerance and point of intolerable harm for an important business service outage with the pre-existing operational risk appetite and monitoring indicators is an area that has not been considered in detail by many firms.
  • Stress testing: There is a clear requirement within the FCA’s prudential and operational resilience requirements to conduct stress testing, yet many firms have not considered the application of lessons learned from financial stress testing (such as the calibration of scenario severity or viability of management/recovery actions) to their operational resilience assessments.
  • Wind-down planning: Firms across the sector sometimes struggle with identifying the point of non-viability, which is a foundational piece to wind-down planning. We have observed an inconsistent use of Board-agreed impact tolerances and points of intolerable harm when firms have set reverse stress test and wind-down scenarios/triggers. We have also observed firms failing to consider how their operational resilience and important business services could be impacted during a wind-down scenario. Similarly, many firms have not considered within their wind-down planning any existing stressed exit planning for key third-party outsource providers.

Next steps

Having met the regulator’s initial implementation deadlines, firms should now seek to leverage the opportunities to identify any key areas of potential overlap or duplication between their ICARA process and operational resilience arrangements. In a time of margin pressure and increased external threats, the embedding and optimisation of these overlapping processes can help firms enhance their overall financial and operational resilience in an efficient manner that could also reduce costs.

In support of this, we will also seek to explore the alignment of prudential, operational and cyber resilience requirements during our next IM&W Prudential roundtable in September. Feel free to get in contact with any member of our IM&W Prudential team if you would like to participate in this discussion or require any further support in this area.