As UK FS firms begin the three-year transition period for operational resilience, maintaining the momentum built during the first year will be critical. Firms face a number of challenges in building and embedding their resilience over the next three years. This will often require significant investment and operating model change. This blog explores several areas that should be addressed in the transition period in order to meet supervisory expectations.
We have also published a Regulated Radio podcast on the same topic. You can find it here.
Target audience: CROs, COOs, and Operational Resilience teams in UK-based financial services firms that are in-scope for the operational resilience policy
The recently published PRA and FCA Business Plans demonstrate that operational resilience is now a top UK supervisory priority, increasingly comparable to financial resilience in terms of regulatory resources and the supervisory scrutiny firms can expect to receive. This trend is also rapidly catching on in other jurisdictions around the world.
Since the publication of the operational resilience policy statements (PS21/3 and PS6/21) in March 2021, firms have been busy mobilising resources and launching large-scale implementation programmes to address the new requirements in time for the first regulatory milestone. By 31 March 2022 firms were expected to identify and map their Important Business Services (IBS), set Impact Tolerances (ITLs), commence scenario stress testing programmes to identify vulnerabilities, produce self-assessments, and ensure appropriate governance arrangements are in place.
While the past 12 months have been very demanding, the resilience journey is only just beginning. The three-year ‘transition period’ for the policy runs until 31 March 2025, and the actions that firms take in that time will be critical to their success. Their focus must now shift to addressing the initial operational vulnerabilities identified, expanding the depth and breadth of mapping and testing to detect and address additional vulnerabilities, and embedding operational resilience into the whole operating model to withstand severe but plausible disruptions.
No firm should wait until the end of the transition period in 2025 to do most of this work. UK supervisors will expect to see early progress being made and evidence of firms ‘closing the gap’ on identified vulnerabilities as the transition period goes on.
Internationally, operational resilience policies in other jurisdictions are rapidly taking shape. The EU’s Digital Operational Resilience Act (DORA) is being finalised by legislators after a provisional political agreement in May. Cross-border FS firms will have to consider their group-wide approach to operational resilience, factoring in the different timetables and requirements of each jurisdiction in which they operate.
Based on supervisory feedback and other regulatory developments since the 31 March implementation deadline, and our work with firms across the sector, there are a number of key components of the operational resilience framework where we believe firms need to take urgent action during the transition period:
Next steps on IBS and mapping: FS firms that are in the scope of the UK policy should revisit decisions made during the implementation period on IBS selection and definition, taking into account feedback from supervisors. Initial observations from the Prudential Regulation Authority (PRA) pointed out significant disparity among firms in the granularity of IBS identified (e.g., identifying “Payments” as a single IBS vs. breaking this down)(1). The UK framework deliberately leaves room for interpretation on IBS definition, but firms still need to ensure that the IBS selections they have made are robust and allow them to set meaningful impact tolerances for their disruption.
The PRA has also recently noted that IBS mapping needs to become ‘rapidly more sophisticated’ in order to allow firms to more clearly identify their operational vulnerabilities and concentration risks as well as develop accurate scenario stress testing. Mapping needs to be updated regularly as operating models change, including for broader regulatory and strategic change, and must also be presented in a way that enables senior stakeholders to make operational and strategic decisions around resilience.
Prepare for supervisory scrutiny of impact tolerances: Firms need to ensure that the ITLs that have been set for disruption to their IBS are justifiable. They should be based on a consistent methodology and guided by supervisory objectives – customer harm, market integrity, safety and soundness and (where relevant) financial stability. Firms should also ensure that they are using the right mix of quantitative and qualitative metrics to deliver meaningful and accurate ITLs. In a recent speech, the PRA’s Duncan Mackinnon remarked that supervisors have seen a wide variance in ITLs among different firms providing the same service (he gives the example of safety and soundness ITLs for CHAPS payments, ranging from two days to two weeks) and noted that supervisors will likely seek more consistency.(2)
Many firms are conducting sector benchmarking exercises to validate their ITLs, and these will be helpful, but we believe these should only be used as a reference. Firms must have tailored views for each ITL based on their own operating model. We expect varying levels of maturity in the sector over the next few years as firms reach internal consensus on how ITLs should be calibrated to reflect their unique resilience transition journey.
Develop scenario testing: The creation of advanced scenario testing exercises and testing methodologies will be a key deliverable for FS firms during the transition period. Levels of sophistication will vary by type of firm and the importance of the IBS they are testing. It will be crucial for firms to show supervisors that their scenarios are sufficiently ‘severe but plausible’ and one way that they can do this is to test their IBS to the point of failure with increasingly severe scenarios.
Firms will also need to adjust these programmes during the transition period as supervisors give more guidance, either publicly or bilaterally. Recent comments from the PRA have indicated that they expect firms to include data integrity and disruption to third party providers among the scenarios they use, as well as scenarios that involve disruptions in multiple parts of the organisation simultaneously. The PRA has also indicated that paper-based exercises are unlikely to be sufficient for the testing of ‘high impact’ IBS in systemic firms.
Embedding operational resilience in the organisation: FS firms need to move beyond treating operational resilience as a one-off compliance exercise and embed it as a critical ongoing function. To do this, operational resilience teams should integrate more closely with other resilience-related functions, including units focusing on cyber risk, operational risk, business continuity, and recovery and resolution, leveraging their capabilities where possible. Opportunities to do this include using work already done for operational continuity in resolution to enhance the quality of IBS mapping. Embedding also means building ‘resilience through change’ by ensuring that operational resilience concerns are given sufficient weight when designing major IT change programmes, and that the effect of the change on the firm’s ability to meet its ITLs is fully thought through.
Supervisors will also expect to see evidence that operational resilience considerations are increasingly driving investment decisions made by Boards and senior management, and decisions around the design of new operating models. The self-assessment, an ongoing annual exercise put in place by the operational resilience framework, will be an important platform for firms to show that they have successfully embedded this work across the organisation. Boards, who must sign off on the self-assessment, should ensure that it reflects the latest view of the firm’s vulnerabilities and the seriousness of their intent to address them.
Consider international regulatory developments: There is considerable convergence around the principles of FS operational resilience in key jurisdictions. This is especially the case for banking groups, given the Basel Committee’s 2021 Principles on Operational Resilience, which are closely aligned with the UK domestic framework. FS firms operating internationally will, nevertheless, still have different detailed requirements to meet in different jurisdictions and will face substantial divergence in the timing of these requirements coming into force. This complexity means that cross-border groups need to make significant design decisions early on about how they structure their operational resilience work and how this affects their target operating model. As we discussed in our 2021 blog on international regulatory alignment, there are enough similarities between emerging frameworks for firms to undertake many resilience activities group-wide. To reconcile more challenging areas of potentially conflicting requirements, early interaction with supervisors to understand their likely expectations will be crucial. The European Central Bank’s approach to supervising operational resilience will be important for any bank operating in the Eurozone to watch in 2022, given that such banks will need to implement DORA and the BCBS Principles in parallel.
In our experience, the firms that have made the most progress during the UK implementation period have been the ones that embraced the operational resilience ‘mindset shift’ at the Board and senior management level – accepting that severe but plausible disruptions will happen, and that building resilience requires significant investment up front. We have also seen better preparedness for implementation in firms whose operational resilience programmes are strongly embedded into the organisation, have consistent engagement with IBS owners, and have strong working relationships with other resilience-related teams. Additionally, firms that have built a periodic review and refresh cycle into their operational resilience programmes have been able to prioritise ongoing activities, sustain momentum and keep operational resilience ‘living and breathing’ across their organisation after the implementation deadline.
Firms must recognise that the purpose of the new regime is not to demonstrate how resilient they are, but for them to proactively assess where they may have resilience gaps and look to address them as soon as ‘reasonably practical’ and no later than 31 March 2025.
The next three years will be a busy time, and firms need to act early to address vulnerabilities where they exist, instil the operational resilience mindset throughout the organisation, and adjust their operating models to support resilience where necessary. Significant, multi-year efforts remain for most firms, especially in how they engage with the third party providers that underpin the delivery of IBS and in building robust scenario testing programmes that can demonstrate the progress they make in enhancing their resilience over the next three years.
For more insights on what firms can do during the operational resilience transition period, you can listen to our Regulated Radio podcast with Deloitte UK Financial Services Partners, Sarah Black and Suchitra Nair.
______________________________________
Endnotes
1. David Bailey, Operational Resilience: Next steps on the PRA’s supervisory roadmap, April 2022
2. Duncan Mackinnon, What will operational resilience look like going forward? An overview of the supervisory regulatory position, May 2022