Operational resilience: the final countdown is on for the new UK regime
Published on 22nd Feb 2022
The go-live date for the new rules approaches on 31 March: what does the Financial Conduct Authority expect from firms?
During the Covid-19 pandemic, operational resilience – the ability of firms and the financial sector to prevent, adapt, respond to, recover and learn from operational disruptions – has been brought into even sharper focus. Before the pandemic, new rules had already been proposed on operational resilience. These rules are now set to take effect on 31 March 2022.
What are the drivers behind the new regime?
Some argued that firms were already required to take responsibility for large aspects of their operational resilience under the existing regulatory framework, through a combination of the Financial Conduct Authority's (FCA) Principles for Businesses and high-level rules on having adequate systems and controls, as well as specific requirements covering business continuity planning and outsourcing.
However, in the FCA's experience, in part based on public disruptive failures of certain businesses' services, the existing regime has not been sufficient to ensure that firms across the regulated sector have in place adequate operational resilience measures to identify potential weak links in their arrangements and to mitigate those weaknesses before they crystallise. To be operationally resilient, firms must plan to be able to continue providing the services most relied on by customers and markets during severe but plausible disruption scenarios.
Who is impacted?
These changes affect a wide range of firms: banks, building societies, designated investment firms, insurers, enhanced scope firms under the Senior Managers and Certification Regime (SMCR), UK recognised investment exchanges, electronic money institutions, payment institutions, and registered account information service providers.
What is expected of firms from 31 March?
In short, firms are expected to have identified all of their important customer-facing business services and to have mapped every input which goes into providing such services (be it people, a process, a piece of technology, or services supplied by third parties). Firms also need to have set "impact tolerances" for each "important business service". An impact tolerance is the level at which disruption to the important business service becomes intolerable, which according to the FCA is "harm from which consumers cannot easily recover", that is "much more severe than inconvenience or harm". An impact tolerance, for example, could be the maximum amount of time an important business service may be unavailable, or the level of reduced capacity in providing an important business service. Firms are expected to have scenario tested their operational resilience framework (to a severe but plausible standard, including scenarios that are likely to tip a business beyond its impact tolerances) and to have made adjustments accordingly.
The final pieces of the jigsaw are putting in place mitigating steps to prevent a breach of impact tolerances, drafting a workable communications plan, and bringing everything together in a self-assessment document. All of this then needs to be signed off by the board.
Firms will have three years to put measures in place to ensure they do not breach their impact tolerances, and the FCA has high expectations of firms during the transitional period. But, from 31 March 2022, firms must comply with the first policy milestone: identification of important business services, setting impact tolerances, and carrying out mapping and scenario testing. The FCA will expect the self-assessment document, showing how the firm meets the operational resilience requirements, to be available from this date.
How much work does the FCA expect firms to do before 31 March 2022?
The FCA is clear that this is a proportionate regime rather than a "one size fits all" approach.
However, in terms of identifying important business services, the regulator is looking for a "sufficient, distinct rationale, including metrics" (FCA, Prudential Regulation Authority (PRA) and Bank of England webinar, 27 January 2022) – there are marks for "showing your working" here. Firms can document their analysis using a tool, application, or database, and this record should be made available to the firm's supervisor on request.
Identifying the resources necessary for the delivery of important business services should be achievable by firms, and there is further guidance on identifying these resources in the FCA's Policy Statement on "Building Operational Resilience" (PS21/3, March 2021). However, the methodology and assumptions adopted by firms, and how the mapping exercise is documented, remain open to interpretation (as no templates are available) and are, therefore, more likely to be open to challenge by regulators, particularly if the mapping is very high level.
The proportionate approach can be seen in the requirement to carry out mapping and scenario testing to the "level of sophistication necessary", which may give firms some flexibility. However, by "level of sophistication", the FCA means "the breadth and level of detail sufficient to achieve the policy outcomes of appropriately identifying important business services, setting impact tolerances and identifying vulnerabilities". Since this is not a clear, defined standard, firms should take care in determining how much weight they place on relying on the proportional application of the rules.
The role of boards and senior management
The regulator has stressed the importance of boards and senior management understanding the risks to their businesses, together with the need for effective challenge at board and senior management level.
Boards and senior management must establish clear lines of responsibility for management of operational resilience in line with their obligations under the SMCR. They must ensure they achieve clear delegation of responsibilities where an important business service is supported by a wide range of people and systems. Irrespective of firm size or complexity, it must be clear which individuals are responsible.
Firms should expect regulators to challenge decisions taken by boards and senior management, and their understanding of the firm's strategies, processes and systems in place to ensure compliance.
Osborne Clarke comment
Firms ought to be well advanced already in their mapping and scenario testing at this point. The sector will be keeping a close eye on regulators' expectations as these continue to evolve, together with further developments layering detail on the operational resilience rules. We are expecting a publication from the FCA, PRA and Bank of England this year on oversight of critical third parties, as well as a consultation paper from the PRA in the first half of this year around operational resilience reporting.
However, given the relatively imprecise requirements set out by the FCA and the fact that the self-assessment will form the basis of the FCA's understanding of each business's implementation of the regime, senior management should take reasonable steps to ensure they have adequately set out all of their thinking.
The FCA recognises that "compliance will take time and investment" – firms should take care not to underestimate either!