Bank and FCA

The Bank of England (BoE) and the Financial Conduct Authority (FCA) have released a Discussion Paper (DP) on operational resilience, introducing enhanced expectations for Boards and senior management. The DP emphasises incident recovery – using the concept of "impact tolerance" – and highlights the regulators’ focus on the ability of firms and FMIs (collectively “firms”) to resume critical business services. The DP is of primary interest to CROs, COOs, CISOs, heads of operational resilience or cyber risk and Board members at financial services firms regulated by the BoE, FCA or Prudential Regulation Authority (PRA).

The DP gives a very important indication of how the thinking of UK regulators has evolved on matters such as cyber risk. It takes a broad view of the kind of incidents firms may face, and accepts that some disruptions are inevitable. In effect, if implemented, this approach asks firms to prepare for and demonstrate their resilience to a much larger range of operational scenarios, including ones that may arise in third parties that they outsource any systems or processes to. 

This approach will push firms to prioritise and invest in areas that allow them to recover their business services after a severe disruption, and also to continue to improve the capabilities that help them maintain continuity of service through more minor incidents. For some firms this may become a significant factor in how they evaluate decisions about systems’ enhancement and replacement.

Impact tolerance is an important concept in the DP. In essence, it is an upper limit for the impact to business services that a firm is prepared to tolerate as a result of a “severe but plausible” operational disruption. It is expected to be set by the Boards and senior management of firms and expressed as a set of specific metrics on the duration, volume or nature of a disruption. This is a more advanced approach than recovery time objectives (RTOs), and one that takes into account the severity of a disruption and the number of customers or stakeholders affected.

In practice, firms may decide to adopt a “twin-track” approach to operational resilience. First, while continuing to prevent minor disruptions is important, firms should accept that minor disruptions will happen. Our view is that in such circumstances the regulators expect greater focus on planning for maintaining continuity of business services. Second, by applying concepts such as impact tolerance (similar to the concepts of Maximum Acceptable Outage and Maximum Period of Tolerable Disruption defined in ISO 22301), the regulators believe firms will be able to make better informed decisions on investment in resilience and, more importantly, be able to prioritise the recovery of the most important business systems in more severe scenarios.

THE SUPERVISORY APPROACH TO OPERATIONAL RESILIENCE

In publishing the DP, the BoE and FCA have emphasised a number of key messages, which summarise the approach they envision:

  1. Operational resilience is best managed by focusing on the delivery of business services, rather than on systems and processes. This includes an expectation that firms should prioritise their most important business services and be able to identify the systems and processes that support them, whether internally to the organisation or if outsourced to a third party.
  2. The UK Financial Policy Committee (FPC) intends to set its own impact tolerance for operational disruptions to "vital services" that the financial system provides to the economy. The FPC’s intention is to avoid disruptions that would cause “material economic impact”. The practical implication of this is likely to be a more prescriptive supervisory approach to impact tolerance for larger or systemically important firms.
  3. Boards and senior management need to take more direct responsibility for the operational resilience of their firms and should be central to the process of setting impact tolerances and identifying which business services are prioritised. The DP notes a range of existing regulatory powers supporting this outcome, including the introduction of a Senior Management Function for internal operations and technology (SMF 24).
  4. Firms should focus on improving communications during disruptions, particularly those affecting the customer-oriented services they provide. Noting recent high-profile disruptions in the financial services sector, the DP highlights the growing role supervisors could play in assessing the speed and effectiveness of both external and internal communications plans that firms have in place to respond to operational failures.
  5. Firms will need to articulate impact tolerances for their business services based on clear metrics and outcomes, setting a target for how they expect to recover from a severe but plausible disruption. These impact tolerances will be relevant to the systems supporting business services, including any systems that are maintained or provided by third parties. The DP does recognise, however, that firms may sometimes not be able to meet these recovery expectations in the event of an extreme disruption scenario.
  6. Supervisors will assess the operational resilience of firms using a number of tools, including through the use of stress tests, as announced by the FPC in its June Financial Stability Report. The DP also notes that supervisors will assess the impact tolerances set by firms, request changes be made to them, and may consider setting their own impact tolerances where they deem necessary.

WHAT TO EXPECT NEXT

It is important to note that the DP does not put in place any immediate rule changes or new supervisory procedures, but is rather meant to solicit feedback from the industry on how upcoming rules should be designed and implemented.

Nevertheless, these messages represent an important initial step in what we expect to be an area of significant supervisory activity on the part of the UK authorities in the coming months. The FPC has committed to providing further detail on its 2019 cyber risk stress-testing programme by Q4 2018, and the BoE and FCA will spend this time analysing feedback received and further developing the concepts in this paper.

For impact tolerance in particular, we see a number of critical decisions that the authorities must make as they put this concept into practice: namely, how prescriptive the FPC wishes to be in setting impact tolerances for systemically important firms, and which types of “severe but plausible” scenario they will expect firms to plan to recover from.

Feedback on the DP is encouraged by the BoE and FCA, who are particularly interested in hearing more about existing metrics that firms use to benchmark their recovery from operational disruptions. The DP is open for comment until 5 October 2018.


David Strachan - Head of EMEA Centre for Regulatory Strategy

David is Head of Deloitte’s EMEA Centre for Regulatory Strategy. He focuses on the impact of regulatory changes - both individual and in aggregate - on the strategies and business/operating models of financial services firms. David joined Deloitte after 12 years at the FSA, where in his last role, Director of Financial Stability, he worked on the division of the FSA into the PRA and the FCA.


Rick Cudworth - Crisis and Resilience Partner

Rick has over 25 years’ industry-leading experience in Crisis Management and Resilience. He has been interim Group Head of Resilience for two global banks and has supported and facilitated executive leadership in responding to crisis events. He is a recognised industry leader in his field and Chair of the British Institution Technical Committee for Continuity and Resilience.


William McLeod-Scott - Partner, Financial Services

William is a Risk Advisory Partner who specialises in Crisis Management, Contingency Planning and Exercises/Simulations, and is a Deloitte crisis leader. He is a Financial Services specialist who has led the development and testing of Recovery and Resolution playbooks in the UK and US across a range of areas, from Board Governance, Bail-in strategy and Operational Continuity to Operational Resilience. He has supported executive leadership both in preparing for and in responding to crisis events. He has over 20 years’ experience in Financial Services, primarily in retail and investment banks, with a keen understanding of the international regulatory environment in the UK, Europe and the US.


Scott Martin - Senior Manager, EMEA Centre for Regulatory Strategy

Scott is a Senior Manager in the Centre for Regulatory Strategy advising on international banking regulation, with a particular focus on bank capital, strategy, cyber risk and public policy-making processes. Before joining Deloitte in 2015, he worked in Brussels as an EU regulatory strategist advising a number of global systemically important banks and other financial institutions. He is a graduate of the London School of Economics and previously spent a number of years working as a political advisor to Canada’s Minister of Finance and Minister of Foreign Affairs.
