Operation resilience: what is it and why does it matter?

The Bank of England, PRA and FCA initially consulted¹ on operational resilience in December 2019 with the consultation closing, mid pandemic, in October 2020. The topic has become particularly pertinent in light of Covid-19 which, although an extreme scenario, brought to the fore the importance of regulated firms being able to continue to operate important business services during crisis situations.

The Bank of England, PRA and FCA published responses to the consultations together with final rules and guidance in March 2021². The new operational resilience rules were subject to a one-year implementation period which ended on 31 March 2022, followed by a three-year transitional period ending on 31 March 2025.

Which financial services firms are impacted?

A very wide range of firms are subject to the operational resilience requirements, including banks, building societies, designated investment firms, insurers, recognised investment exchanges, enhanced scope senior managers and certification regime firms, and entities authorised or registered under the Payment Services Regulations 2017 or the Electronic Money Regulations 2011 as well as financial market infrastructures firms (central counterparties, central securities depositories, recognised payment system operators and specified service providers).

We are now at the end of the implementation period – what should firms have done and what is left to do?

The central premise behind the operational resilience rules and guidance is the identification of important business services, which, if interrupted would cause intolerable harm to consumers and/or risk to market integrity.

Firms and FMIs should by now have “operationalised the policy framework”, that is to say:

• identified their important business services and set impact tolerances

• mapped their important business services and started scenario testing

• developed and put into effect a strategy or plan that sets out how they will comply with regulatory requirements and expectations.

When identifying their important business services, firms were expected to separate out important business services rather than grouping a collection of services as one single important business service, to facilitate a thorough analysis of how services might be affected.

Impact tolerances

Once firms had identified their important business services, they then needed to set impact tolerances in respect of those services.

An impact tolerance means the ‘maximum tolerable level of disruption’ to an important business service and marks the point at which further disruption to an important business service would cause ‘intolerable harm to any one or more of the firm’s clients or ‘pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets’.

Dual-regulated firms need to demonstrate how they have considered each of the FCA’s and PRA’s operational objectives when setting their impact tolerances. In practice, this means that they are required to set up to 2 clearly stated impact tolerances that are aligned with the dual sets of objectives. It may also be appropriate to set sub tolerances depending on the nature of the business. The key is to ensure that impact tolerances and any sub tolerances are clearly defined and recorded to enable the FCA and PRA to work collaboratively where appropriate to ensure that they can efficiently supervise against these.

A key consideration that firms also need to take account of in setting their impact tolerances is vulnerable customers. This category of customer will feature heavily in firms considering how much disruption could be tolerated as well as appropriate mechanisms to minimise harms arising for such individuals in the event of disruptions. The FCA has amended its guidance to make express reference to vulnerable consumers in the factors to consider when setting impact tolerances.

Firms were expected to remain within their impact tolerances as soon as reasonably practicable, and in any event no later than the end of the transition period (31 March 2025).

Mapping

The other key step, in order for firms to have a complete view of their operational resilience, was to undertake a process of ‘mapping’ whereby they identified and documented the people, processes, technology, facilities and information (resources) necessary to deliver each of a firm’s important business services. During the course of this process firms will have been expected to identify and address vulnerabilities with a view to ultimately ensuring that the firm’s business services can remain within the impact tolerances that the firm has set. Testing a firm’s ability to remain within its impact tolerances for each of its business services is a key step in the process. Such testing should include severe, but plausible, disruption to the operations of the regulated firm. The regulators indicated that their expectation of the steps to be taken by firms would be proportionate to the size of a firm and the context of the firm’s business.

In terms of updates to the mapping exercise conducted by a regulated firm, the mapping exercise should be updated if there is a ‘material change’ to the firm’s business, the important business services identified or the impact tolerances the firm has set. Such a review should be carried out, in any event, no later than one year after the firm last carried out the relevant assessment.

Firms should make sure that their mapping exercise has been signed-off by someone that is on the firm’s board (or equivalent management body).

As part of their implementation projects, firms may well have gained a better understanding of senior management accountability and responsibility for different areas of the business, as well as good visibility of the individuals responsible for specific capabilities. This may for example have included the size and strength of their teams, training/education and wider organisational HR matters such as employee attrition, hiring practices and succession planning.

Third Party providers

As part of the mapping process, regulated firms need to accurately capture and record relationships with third-party providers so as to satisfy themselves of that third party’s operational resilience. (In some circumstances mapping may need to be carried out beyond the direct third party to indirect third parties). It is therefore vital that firms work effectively with third party providers to facilitate testing, either by the firm itself or by the third party. If the third party is to carry out testing, then the regulated firm will need to satisfy itself of the particular scenarios and methodologies of the third party. However, ultimately the regulated firm will be responsible for the quality and accuracy of any testing carried out by the third party.

Next steps

The regulatory expectation is that by 31 March 2025 firms will have in place sound, effective and comprehensive strategies, processes and systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service in the event of a severe but plausible disruption (or extreme disruption).

Firms may well in future be assisted in their mapping processes with third parties, as HM Treasury is planning to designate (when parliamentary time allows) certain third parties providing services to firms as “critical”. The financial regulators will then be able to exercise various powers in relation to those critical third parties, for example the power to request information directly from critical third parties on the resilience of their material services to firms, or their compliance with applicable requirements. The existence of this power will likely assist firms in managing their relationships with critical third parties.

¹ Joint Policy summary Building operational resilience: Impact tolerances for important business services (bankofengland.co.uk); PRA CP29/19; PRA CP30/19; 3 Bank of England Consultation Papers Bank of England Consultation papers: Operational Resilience of FMIs | Bank of England; FCA CP19/32; speech by Megan Butler FCA Executive Director The view from the regulator on Operational Resilience | FCA

² Joint covering document PS6/21 | CP29/19 | DP1/18 Operational Resilience: Impact tolerances for important business services | Bank of England; FCA PS21/3; PRA PS6/21; Bank of England policy on Operational Resilience of FMIs | Bank of England