Operational Resilience has been, and should remain, a key priority for Internal Audit as firms work towards meeting regulatory expectations set by the FCA, PRA and Bank of England. Firms need to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025, and Internal Audit should play a key role in supporting and assuring progress over the transition period.
Focus should continue to be placed on the evolution of service mapping and scenario testing, relationships with third parties and how firms plan to embed and maintain Operational Resilience outcomes post-2025. This includes how resilience has been embedded within the risk and control environment, the effectiveness of management information (MI) reported to the Board (and sub-committees) and how operating models have been set up for long-term success. Specifically, we are seeing firms re-evaluate organisational structures and operating models to enable capability groups to come together effectively to support the resilience and response capabilities of the firm. These focus areas are set out in the publication below.
Internal Audit should be mindful of the regulatory deadline during annual planning exercises and consider timelines for (1) audit scheduling and (2) development of management action plans. It is important to provide timely assessments to enable firms to incorporate and act on audit feedback. Any vulnerabilities that may impact the ability to meet regulatory requirements require prompt attention so that remediation plans can be developed and/or accelerated where needed.
Firms in scope of the Digital Operational Resilience Act (DORA) mandated by the European Union (EU) will also need to consider how the UK regulation interacts with the European framework. The DORA is EU-wide legislation that impacts financial services firms and ICT service providers to the FS industry, with full application required by 17 January 2025. Whilst areas of the UK regulation are aligned with the DORA’s objectives, Internal Audit will also need to consider and be prepared to assess and support firms as expectations on resilience standards are increased. Determining how their organisation will be impacted by the DORA, and how it differs from other, similar resilience regulations and guidance, is a no-regret step for Internal Audit teams, so that they can adequately check and challenge plans and programmes.
For more information on DORA, please visit:
The Digital Operational Resilience Act: navigating the technical standards
The Digital Operational Resilience Act (DORA): the legal implications
The first key regulatory deadline has now passed as of 31 March 2022. Operational Resilience should remain a key priority and an area of focus for Internal Audit.
Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025.
Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key areas of focus and challenge for Boards and Senior Management over the next three years:
By holding both broad and deep organisational knowledge and a range of skillsets, Internal Audit functions can play a leading role in supporting firms to meet Operational Resilience expectations and continue to build confidence for the future. Internal Audit, as the third line of defence, has a role in providing independent, objective assurance that an organisation’s risk management, governance, and internal control environment are operating effectively, and Operational Resilience is no exception to this.
To date, Internal Audit has focussed on challenging management’s approach to Operational Resilience and assessing “readiness” against regulatory requirements. Internal Audit’s focus on Operational Resilience should continue to evolve, but certainly not in a manner which reduces continued involvement; if anything, a greater emphasis may be prudent over the coming three years, as many of the bigger challenges remain to be overcome.
Internal Audit will also be one of the best sources for the identification of vulnerabilities and required improvement activity, as a result of their historic work over key risk areas throughout the organisation. However, we have seen little evidence to date of previous Internal Audit findings being incorporated into Operational Resilience planning and vulnerability assessments.
The regulators are already playing an active hand in terms of direct engagement with Internal Audit functions, and we expect to see this continue over the remainder of the three-year transition period. The PRA recently confirmed in its April 2022 speech, “Operational Resilience: Next steps on the PRA’s Supervisory roadmap”, that Operational Resilience remains one of the regulators’ highest supervisory priorities.
The Deloitte Financial Services Internal Audit practice has worked with in-house Internal Audit functions across the sector, providing guidance and support at each stage of Operational Resilience Framework development both during the consultation stage and as firms finalise their approach in line with the policy statements.
The team has built up the skills and experience, backed by industry-wide insight, to be able to support any in-house Internal Audit needs. We provide subject matter and methodology training, specialist input and benchmarking to support work delivered by in-house teams and outsourced Internal Audit reviews.
For more of our views on Operational Resilience, emerging regulatory approaches and the hot topics Internal Audit should be considering in the coming year, you can consult the following resources:
Preparing for the ‘next normal’ - Build modified resilient operations | Deloitte UK
Operational Resilience and COVID-19: Internal Audit Planning Considerations | Deloitte UK
Operational Resilience: 2021 Hot Topics for IT Internal Audit | Deloitte UK
Building resilience in Internal Audit | Deloitte UK
Resilience Reimagined | Deloitte UK