Operational Resilience: The opportunity for Internal Audit to support Operational Resilience implementation

September 2023 Update

Operational Resilience has been and should continue to remain a key priority for Internal Audit as firms work towards meeting regulatory expectations set by the FCA, PRA and Bank of England. Firms need to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025 and Internal Audit should play a key role in supporting and assuring progress over the transition period.

Focus should continue to be placed on the evolution of service mapping and scenario testing, relationships with third parties and how firms plan to embed and maintain Operational Resilience outcomes post-2025. This includes how resilience has been embedded within the risk and control environment, the effectiveness of management information (MI) reported to the Board (and sub-committees) and how operating models have been set up for long term success. Specifically, we are seeing firms re-evaluate organisational structures and operating models to enable capability groups to come together effectively to support the resilience and response capabilities of the firm. These focus areas are set out in the publication below.

Internal Audit should be mindful of the regulatory deadline during annual planning exercises and consider timelines for (1) audit scheduling and (2) development of management action plans. It is important to provide timely assessments to enable firms to incorporate and act on audit feedback. Any vulnerabilities that may impact the ability to meet regulatory requirements require prompt attention so that remediation plans can be developed and/ or accelerated where needed.

Firms in scope of the Digital Operational Resilience Act (DORA), mandated by the European Union (EU), will also need to consider how the UK regulation interacts with the European framework. DORA is EU-wide legislation that applies to financial services firms and to the ICT service providers supporting the FS industry, with full application required by 17 January 2025. Whilst areas of the UK regulation are aligned with DORA’s objectives, Internal Audit will also need to be prepared to assess and support firms as expectations on resilience standards increase. Internal Audit teams should determine early how their organisation will be impacted by DORA, and how it differs from other, similar, resilience regulations and guidance, so that they can adequately check and challenge plans and programmes.

For more information on DORA, please visit:

The Digital Operational Resilience Act: navigating the technical standards

The EU Digital Operational Resilience Act (DORA) is here: what are its strategic implications for the Boards of FS firms?

The Digital Operational Resilience Act (DORA): the legal implications

June 2022 Blog

The first key regulatory deadline has now passed as of 31 March 2022. Operational Resilience should remain a key priority and an area of focus for Internal Audit.

Firms need to demonstrate that a full assessment of their Operational Resilience has been completed, vulnerabilities have been identified, and there is a focus on the remediation activities to complete in order to demonstrate that important business services can operate within their impact tolerance by no later than 31 March 2025.

Amongst the broader suite of activity required to continue on the Operational Resilience journey, the following areas are likely to be key areas of focus and challenge for Boards and Senior Management over the next three years:

  1. Scenario Stress Testing – Testing is likely to be the area of the core Operational Resilience regulation which continues to evolve throughout the period up to 31 March 2025, as firms gain experience in the stress testing necessary and the regulators react to the approaches being followed.
  2. Third Party Risk Management – Third party dependencies pose a significant threat to a firm's Operational Resilience. Visibility, oversight and assurance are imperative to adequately understand and manage the risks posed by third party and outsourced arrangements (including technology giants and those responsible for providing IT services). Boards and senior management cannot outsource their ultimate accountability and responsibility for Operational Resilience and therefore need to gain assurance over the risks posed by the web of third and fourth parties in the service chain, especially when the service being provided is critical to delivering a firm’s important business service.
  3. Transition to BAU – As firms look to build longevity into their Operational Resilience framework and capabilities, embedding Operational Resilience across the organisation will transform meeting the current policy requirements and expectations into sustainable BAU activity.

The role of Internal Audit

By holding both broad and deep organisational knowledge and a range of skillsets, Internal Audit functions can play a leading role in supporting firms to meet Operational Resilience expectations and to continue building confidence for the future. Internal Audit, as the third line of defence, has a role in providing independent, objective assurance that an organisation's risk management, governance and internal control environment are operating effectively, and Operational Resilience is no exception to this.

To date, Internal Audit has focussed on challenging management’s approach to Operational Resilience and on assessing “readiness” against regulatory requirements. Internal Audit’s focus on Operational Resilience should continue to evolve, but certainly not in a manner which reduces continued involvement; if anything, a greater emphasis may be prudent over the coming three years, as many of the bigger challenges remain to be overcome.

Internal Audit will also be one of the best sources for the identification of vulnerabilities and required improvement activity, as a result of its historic work over key risk areas throughout the organisation. However, we have seen little evidence to date of previous Internal Audit findings being incorporated into Operational Resilience planning and vulnerability assessments.

The regulators are already playing an active hand in terms of direct engagement with Internal Audit functions, and we expect to see this continue over the remainder of the three-year transition period. The PRA recently confirmed, in its April 2022 speech “Operational Resilience: Next steps on the PRA’s Supervisory roadmap”, that Operational Resilience currently remains one of the regulators’ highest supervisory priorities.

Other resources

The Deloitte Financial Services Internal Audit practice has worked with in-house Internal Audit functions across the sector, providing guidance and support at each stage of Operational Resilience framework development, both during the consultation stage and as firms finalise their approach in line with the policy statements.

The team has built up the skills and experience, backed by industry wide insight, to be able to support any in-house Internal Audit needs. We provide subject matter and methodology training, specialist input and benchmarking to support work delivered by in-house teams and outsourced Internal Audit reviews.

For more of our views on Operational Resilience, emerging regulatory approaches and the hot topics Internal Audit should be considering in the coming year, you can consult the following resources:

Preparing for the ‘next normal’ - Build modified resilient operations | Deloitte UK

Operational Resilience and COVID-19: Internal Audit Planning Considerations | Deloitte UK

Operational Resilience: 2021 Hot Topics for IT Internal Audit | Deloitte UK

Building resilience in Internal Audit | Deloitte UK

Resilience Reimagined | Deloitte UK

Resilience by Design | Deloitte UK

Time to Thrive | Deloitte UK