Operational Resilience - An Introduction
The Story So Far
Operational Resilience is being positioned to sit alongside Financial Resilience as a main regulatory priority for Boards to focus on – it’s not going away.
The introduction of Operational Resilience is evolution not revolution – there is no need to reinvent the wheel and it may be regarded as a “wrapper” to bring existing Regulations and Frameworks together but viewed from a different perspective – that of the Customer.
"Our aim is to improve the ability of the financial services sector to absorb the impact of an unexpected event while continuing to perform its most important activities for the UK economy.”
Charlotte Gerken, Bank of England June 2017
"We define operational resilience as the ability of firms and FMIs and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions."
Megan Butler, UK FCA, December 2019
There are a number of new regulatory processes that firms must complete, which must be documented and evidenced in an annual Self-Assessment document.
Regulatory Expectation
Operational Resilience is a major focus of global regulators under the auspices of the BIS BCBS Operational Resilience Group (ORG). The UK regulators set out their proposals in Consultation papers published in December 2019 and all firms affected are now considering how to meet the new requirements (which were originally due to be published in 2H 2020 and take effect in 2H 2021).
Operational Resilience is an outcome and firms should leverage, to the extent possible, their existing frameworks (especially operational risk management) and tools to deliver the desired regulatory outcomes.
Consultation Papers Published in December 2019
In December 2019 the Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
Building the operational resilience of firms and Financial Market Infrastructures (FMIs) is a shared priority for the three supervisory authorities. The co-ordinated CPs build on the concepts set out in the operational resilience Discussion Paper (DP) the authorities published in 2018, and address many of the proposed policy changes in the light of the responses the regulators received.
The policy proposals make it clear that firms and FMIs are expected to take ownership of their operational resilience and that they will need to prioritise plans and investment choices based on their impacts on the public interest.
If disruption occurs firms are expected to communicate clearly, for example providing customers with advice about alternative means of accessing the service.
Andrew Bailey, FCA Chief Executive, said: ‘It is in the public interest that a resilient financial system is able to supply the most important services with minimal interruption even during severe operational events. The proposed new requirements are aimed at achieving this outcome.
‘Disruptive events can have a high impact on consumers and businesses so firms and FMIs need to know where the risks to their service delivery lie and to make sure that they are prepared for any service disruption by testing their planned response.’
Sam Woods, CEO of the PRA and Deputy Governor for Prudential Regulation, said: ‘Operational resilience is a vital part of firms’ safety and soundness, and has become an important priority for the PRA. This consultation marks the next stage of integrating operational resilience into our regulatory framework. Alongside this, our proposals on outsourcing and the cloud will steer firms to be resilient in their adoption of new technologies.’
The Regulatory Focus is Here to Stay
The Basel Committee on Banking Supervision is developing Operational Resilience principles so that firms maintain effective service levels following an IT disruption or other form of outage.
The UK PRA is a member of the BIS Working Group and the work is being conducted in concert with a long-expected update to the Basel Committee’s Principles for the Sound Management of Operational Risk (PSMOR) report.
UK FCA and PRA scrutiny is likely to increase on the identified sources of operational incidents for which separate regulatory requirements already exist – cyber, change management, outsourcing and third-party vendors.
The regulatory expectation is that this will not be a tick-box exercise but should be ‘real’ and embedded into the DNA of the firm.
The COVID-19 crisis is focusing additional regulatory attention on resilience and will only increase its importance.
Avoiding the Pitfalls
Below are some of the pitfalls and challenges we have identified which may derail the effective and efficient implementation of Operational Resilience:
Fragmentation and Duplication – avoid creating duplicative ‘Resilience Risk’ Functions, repeating the errors of conduct ‘risk’.
Failure to leverage the Operational Risk Management Framework – operational resilience is an outcome delivered through the ORM framework.
SMF24 (Chief Operations Officer) or SMF4 (Chief Risk Officer) working in isolation rather than in partnership to deliver Resilience.
‘Reinventing the wheel’ – failure to leverage existing frameworks and tools, including BCM, crisis management, vendor management, cyber security, information security and so forth.
‘Getting into the weeds!’ – avoid the temptation to introduce unnecessary complexity and granularity (especially in the mapping of resources to important business services).
Key Steps to Implement Operational Resilience
Important Considerations when Implementing
The following provides some insight into the important considerations to be taken into account when implementing Operational Resilience. We have additional detail and methodologies for each of these subjects which we would be happy to discuss with you further.
Overall Framework/Key Steps
The UK Regulators propose firms:
Identify their important business services that if disrupted could cause harm to consumers or market integrity.
Identify and document the people, processes, technology, facilities and information that support a firm’s important business services (mapping).
Set impact tolerances for each important business service (ie thresholds for maximum tolerable disruption).
Test their ability to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
Conduct lessons learned exercises to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible.
Develop internal and external communications plans for when important business services are disrupted.
Create a self-assessment document.
Governance
Firms’ boards and senior management should be sufficiently engaged in setting effective standards for operational resilience. The board and senior management should have sufficient time to establish the business and risk strategies and to manage the main risks relevant to operational resilience. Firms should ensure that, in meeting their responsibilities, board members and senior management have the knowledge, experience and skills necessary to discharge the responsibilities allocated to them.
Senior Managers Regime
The SM&CR currently applies to banking firms and insurers and extends to FCA solo-regulated firms from December 2019. Under the SM&CR, individuals who perform the Chief Operations Function (SMF24) are required to have responsibility for managing the internal operations or technology of the firm, or of a part of the firm. This includes, but is not necessarily limited to, responsibility for areas such as:
Business continuity
Cybersecurity
Information technology
Internal operations
Operational continuity, resilience and strategy
Outsourcing, procurement and vendor management
Management of services shared with other group members
Firms that have an individual performing the SMF24 function may find that responsibility for implementing the proposals falls within the scope of the SMF24’s responsibilities.
Board Expectation
The regulators expect boards, or a firm’s equivalent management body, to have appropriate management information available to them to inform decisions that have consequences for operational resilience.
To demonstrate appropriate and effective oversight of operational resilience within firms, it will be expected that boards, or a firm’s equivalent management body, should be able to evidence that they are satisfied that the firm is meeting its responsibilities in respect of operational resilience. This includes those aspects relating to the identification of important business services, mapping and setting impact tolerances, as well as the firm’s ability to remain within these tolerances.
Identify Important Business Services
At least once a year, identify important business services. A ‘business service’ is a service that a firm provides to an external end user.
A business service is ‘important’ where its disruption could (a) for the PRA, pose a risk to the firm’s safety and soundness or to financial stability, or (b) for the FCA, cause intolerable levels of harm to consumers or to market integrity.
An important business service will also have the following characteristics:
It should be clearly identifiable as a separate service, and not a collection of services. For example, withdrawal of cash at an ATM and the ability to check a balance online are 2 separate services, while the provision of packaged bank accounts is a collection of services.
The users of the service should be identifiable so that the impacts of disruption (through process, cyber security or technology failures) are clear. These may include retail consumers, business consumers or market participants.
Set Impact Tolerances
Regulators expect the Impact Tolerances to be set with reference to the maximum tolerable duration for which the delivery of the important business service would be affected.
Firms must ensure they are able to remain within impact tolerance.
Impact tolerance describes the maximum tolerable level of disruption to an important business service, assuming that disruption to the supporting systems and processes will occur. It is expressed by reference to specific outcomes and metrics, which:
must always include the maximum tolerable duration; and
may also include other considerations such as the volume of disruption (for example, the number and types of consumers affected) or a measure of data integrity.
Impact tolerance differs from risk appetite because it assumes a risk has already crystallised, and it may go beyond a firm’s recovery time objective (RTO). It also differs from business impact analysis because it is determined with reference to the FCA’s public interest in reducing harm to consumers and to market integrity.
Map Important Business Services end-to-end and identify Resources including Third Parties required to deliver them.
Firms need to identify and document the resources needed to deliver each of their important business services. Resources are categorised as people, processes, technology, facilities, information and third parties.
Resources for an important business service may come from across business areas, legal entities and jurisdictions, which is why their identification should be centralised. By mapping resources to each important business service, firms can assure themselves that the service can remain within the impact tolerance they have set for it.
The regulators expect mapping to be complete, accurate, documented and signed off at an appropriate level of management. Mapping should allow firms to identify vulnerabilities and remedy them as appropriate.
Design severe but plausible Scenarios to test vulnerabilities in the delivery of the Important Business Service.
The regulators propose that firms test their ability to remain within their impact tolerances for each of their important business services in the event of a severe but plausible disruption of their operations. This allows firms to assure themselves of the resilience of their important business services and to identify where they need to act to increase it. In carrying out the scenario testing, firms should identify an appropriate range of adverse circumstances varying in nature, severity and duration, relevant to their business and risk profile, and then consider the risks to the delivery of their important business services in those circumstances.
The regulators propose the following scenario factors as guidance for firms to consider when testing:
Corruption, deletion or manipulation of data critical to the delivery of important business services
Unavailability of facilities or key people
Unavailability of third-party services which are critical to the delivery of important business services
Disruption to other market participants
Loss or reduced provision of technology underpinning the delivery of important business services
Where an Impact Tolerance is exceeded, examine the lessons learned from stress tests and actual incidents to design corrective actions.
In conjunction with developing testing plans, firms should conduct lessons learned exercises. This matters because continuous improvement of operational resilience requires firms to learn from experience as their operations and technology change and their approach matures over time. Deficiencies, whether identified through scenario testing or through practical experience, should be addressed as a matter of priority, with actions ranked by the risk each deficiency poses.
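The mapping, impact tolerance and scenario testing steps above can be expressed as a small model. The following is an illustration added here, not code from the regulators or from any firm: it maps one hypothetical important business service to its resources, flags the vulnerabilities the map alone reveals (a resource the firm cannot restore within its tolerance, or a third party with no substitute), runs a set of severe but plausible scenarios, and reports which ones breach the tolerance and which resource drove the breach, which is the starting point for the lessons learned step. The service, resource names, RTOs, failover times and scenario durations are all constructed for the example; the only regulatory assumption built in is that a firm cannot itself restore a third-party service, so such outages last until the provider recovers unless the firm has a substitute.

```python
"""Toy model of the mapping / impact tolerance / scenario testing cycle.
Illustration only; the service, resources and durations are made up."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import timedelta


def hours(n: float) -> timedelta:
    return timedelta(hours=n)


@dataclass(frozen=True)
class Resource:
    name: str
    kind: str                           # people, process, technology, facilities, information, third party
    rto: timedelta                      # the firm's planned recovery time for this resource
    failover: timedelta | None = None   # time to switch to a substitute; None = no substitute


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    users: str                          # who is harmed when the service stops
    max_tolerable_disruption: timedelta # the impact tolerance, always expressed as a duration
    resources: tuple[Resource, ...]     # the mapping


@dataclass(frozen=True)
class Scenario:
    name: str
    outages: dict[str, timedelta]       # resource name -> how long the event keeps it unavailable


def restore_time(r: Resource) -> timedelta | None:
    """Fastest way the firm itself can bring the resource back. A third party
    with no substitute returns None: only the provider can restore it."""
    if r.kind == "third party":
        return r.failover
    return r.rto if r.failover is None else min(r.rto, r.failover)


def mapping_vulnerabilities(ibs: ImportantBusinessService) -> list[str]:
    """Weaknesses the map alone reveals, before any scenario is run."""
    found = []
    for r in ibs.resources:
        t = restore_time(r)
        if t is None:
            found.append(f"{r.name}: third party with no substitute, recovery outside the firm's control")
        elif t > ibs.max_tolerable_disruption:
            found.append(f"{r.name}: fastest recovery {t} exceeds impact tolerance {ibs.max_tolerable_disruption}")
    return found


def assess(ibs: ImportantBusinessService, scenario: Scenario) -> dict:
    """Each lost resource comes back at the earlier of the event ending and the
    firm restoring it; the service is down until the slowest one is back."""
    worst, driver = timedelta(0), None
    for r in ibs.resources:
        if r.name not in scenario.outages:
            continue
        t = restore_time(r)
        back = scenario.outages[r.name] if t is None else min(scenario.outages[r.name], t)
        if back > worst:
            worst, driver = back, r.name
    return {
        "service": ibs.name,
        "scenario": scenario.name,
        "disruption": worst,
        "within_tolerance": worst <= ibs.max_tolerable_disruption,
        "driver": driver,   # the resource to fix first if the tolerance is breached
        # scenario resources missing from the map point at an incomplete mapping
        "unmapped": sorted(set(scenario.outages) - {r.name for r in ibs.resources}),
    }


# Constructed sample mapping for a hypothetical firm; not real data.
ATM_CASH = ImportantBusinessService(
    name="Cash withdrawal at ATM",
    users="retail consumers",
    max_tolerable_disruption=hours(4),
    resources=(
        Resource("Card authorisation host", "technology", rto=hours(8)),                 # no substitute
        Resource("Primary data centre", "facilities", rto=hours(24), failover=hours(1)),  # warm standby site
        Resource("ATM operations team", "people", rto=hours(4), failover=hours(2)),       # second team on call
        Resource("Card scheme network", "third party", rto=hours(6)),                    # provider's own SLA
    ),
)

# Constructed severe but plausible scenarios, one per scenario factor in the CPs.
SCENARIOS = (
    Scenario("Loss of primary data centre", {"Primary data centre": hours(72)}),
    Scenario("Ransomware on authorisation host", {"Card authorisation host": hours(48)}),
    Scenario("Card scheme network outage", {"Card scheme network": hours(6)}),
    Scenario("Pandemic: operations team unavailable", {"ATM operations team": hours(240)}),
    Scenario("Power cut at branch", {"Branch 12 back office": hours(5)}),   # resource not in the map
)


def run_all(ibs: ImportantBusinessService = ATM_CASH, scenarios=SCENARIOS) -> list[dict]:
    return [assess(ibs, s) for s in scenarios]


if __name__ == "__main__":
    for v in mapping_vulnerabilities(ATM_CASH):
        print("vulnerability:", v)
    for res in run_all():
        status = "within tolerance" if res["within_tolerance"] else "BREACH"
        print(f"{res['scenario']}: {res['disruption']} -> {status}, driver={res['driver']}, unmapped={res['unmapped']}")
```

In the sample data the authorisation host breaches the four-hour tolerance before any scenario is run, because its eight-hour RTO already exceeds it; this is the point made above that an impact tolerance may sit beyond a firm's RTO, and it shows why mapping is expected to surface vulnerabilities on its own. The card scheme outage breaches because a third party with no substitute cannot be recovered by the firm, while the data centre and pandemic scenarios stay within tolerance only because a failover exists.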
Ensure Internal and External Communication plans are in place to be followed when an event occurs
In their Discussion Paper, the regulators highlighted the important role that fast and effective communications can play in mitigating harm at times of operational disruption. It is important that firms’ policies include prompt and meaningful communication arrangements for internal and external parties, including regulators, consumers and the media.
The regulators propose that firms have internal and external communication strategies in place. These help firms act quickly and effectively to reduce the harm caused by operational disruptions by providing clear, timely and relevant communications.
Firms’ internal communication plans should also include the escalation paths they would use to manage communications during an incident, and identify the appropriate decision makers. For example, the plan should address how to contact key individuals, operational staff, suppliers and the appropriate regulators.
As part of their external communications plans, firms are expected to consider, in advance of a disruption, how they would provide important warnings or advice quickly to consumers and other stakeholders, including where there is no direct line of communication.
As guidance, the regulators propose that firms also use effective communication to gather information about the cause, extent and impact of operational incidents.
Annual Self-Assessment document to be signed off by the Board
Firms should create a self-assessment document which should include:
The firm’s important business services
The impact tolerances set for these important business services
The firm’s approach to mapping, including how the firm has identified its resources, and how it has used mapping to identify vulnerabilities and support scenario testing
The firm’s strategy for testing its ability to deliver important business services within impact tolerances.
An identification of the vulnerabilities that threaten the firm’s ability to deliver its important business services within impact tolerances, including the actions taken or planned, and justifications for their completion time
The firm’s lessons learned exercise
The methodologies used to undertake the above activities
Outsourcing and Third-Party Service Provision
The regulators expect an operationally resilient firm to have a comprehensive understanding and mapping of the resources that support its business services, including those outsourced and third-party services over which the firm may not have direct control. Firms are also expected to be able to identify and document the resources that support their important business services.
The FCA’s focus in this area continues earlier work, including a cross-sector survey in 2017-18 which found that:
Issues at third-parties, such as an IT failure at an important supplier, accounted for 15% of the operational incidents reported to the FCA. This demonstrates how increasingly important third parties are to firms and their consumers, and the need to manage them effectively to manage the risk of disruption.
IT changes caused 20% of the operational incidents reported to the FCA
Half of firms said that they do not maintain a comprehensive list of all third parties with whom they do business and who have access to their systems and data
26% of firms did not have a board approved information security strategy
Only 56% of firms said they could measure the effectiveness of their information asset controls