The Bank of England (BoE) and the Financial Conduct Authority (FCA) have released a Discussion Paper (DP) on operational resilience, introducing enhanced expectations for Boards and senior management. The DP emphasises incident recovery – using the concept of "impact tolerance" – and highlights the regulators’ focus on the ability of firms and FMIs (collectively “firms”) to resume critical business services. The DP is of primary interest to CROs, COOs, CISOs, heads of operational resilience or cyber risk and Board members at financial services firms regulated by the BoE, FCA or Prudential Regulation Authority (PRA).
The DP gives a very important indication of how the thinking of UK regulators has evolved on matters such as cyber risk. It takes a broad view of the kind of incidents firms may face, and accepts that some disruptions are inevitable. In effect, if implemented, this approach asks firms to prepare for and demonstrate their resilience to a much larger range of operational scenarios, including ones that may arise in third parties that they outsource any systems or processes to.
This approach will push firms to prioritise and invest in areas that allow them to recover their business services after a severe disruption, and also to continue to improve the capabilities that help them maintain continuity of service through more minor incidents. For some firms this may become a significant factor in how they evaluate decisions about system enhancement and replacement.
Impact tolerance is an important concept in the DP. In essence, it is an upper limit for the impact to business services that a firm is prepared to tolerate as a result of a “severe but plausible” operational disruption. It is expected to be set by the Boards and senior management of firms and expressed as a set of specific metrics on the duration, volume or nature of a disruption. This is a more advanced approach than recovery time objectives (RTOs) and one that takes into account the severity of a disruption and the number of customers or stakeholders affected. In practice firms may decide to adopt a “twin-track” approach to operational resilience. First, while continuing to prevent minor disruptions is important, firms should accept that minor disruptions will happen. Our view is that in such circumstances the regulators expect greater focus on planning for maintaining continuity of business services. Second, by applying concepts such as impact tolerance (similar to the concepts of Maximum Acceptable Outage and Maximum Period of Tolerable Disruption defined in ISO 22301), the regulators believe firms will be able to make better informed decisions on investment in resilience and, more importantly, be able to prioritise the recovery of the most important business systems in more severe scenarios.
THE SUPERVISORY APPROACH TO OPERATIONAL RESILIENCE
In publishing the DP, the BoE and FCA have emphasised a number of key messages, which summarise the approach they envision:
- Operational resilience is best managed by focusing on the delivery of business services, rather than on systems and processes. This includes an expectation that firms should prioritise their most important business services and be able to identify the systems and processes that support them, whether internal to the organisation or outsourced to a third party.
- The UK Financial Policy Committee (FPC) intends to set its own impact tolerance for operational disruptions to "vital services" that the financial system provides to the economy. The FPC’s intention is to avoid disruptions that would cause “material economic impact”. The practical implication of this is likely to be a more prescriptive supervisory approach to impact tolerance for larger or systemically important firms.
- Boards and senior management need to take more direct responsibility for the operational resilience of their firms and should be central to the process of setting impact tolerances and identifying which business services are prioritised. The DP notes a range of existing regulatory powers supporting this outcome, including the introduction of a Senior Management Function for internal operations and technology (SMF 24).
- Firms should focus on improving communications during disruptions, particularly those affecting the customer-oriented services they provide. Noting recent high-profile disruptions in the financial services sector, the DP highlights the growing role supervisors could play in assessing the speed and effectiveness of both external and internal communications plans that firms have in place to respond to operational failures.
- Firms will need to articulate impact tolerances for their business services based on clear metrics and outcomes, setting a target for how they expect to recover from a severe but plausible disruption. These impact tolerances will be relevant to the systems supporting business services, including any systems that are maintained or provided by third parties. The DP does recognise, however, that firms may sometimes not be able to meet these recovery expectations in the event of an extreme disruption scenario.
- Supervisors will assess the operational resilience of firms using a number of tools, including stress tests, as announced by the FPC in its June Financial Stability Report. The DP also notes that supervisors will assess the impact tolerances set by firms, request that changes be made to them, and may consider setting their own impact tolerances where they deem it necessary.
WHAT TO EXPECT NEXT
It is important to note that the DP does not put in place any immediate rule changes or new supervisory procedures, but is rather meant to solicit feedback from the industry on how upcoming rules should be designed and implemented.
Nevertheless, these messages represent an important initial step in what we expect to be an area of significant supervisory activity on the part of the UK authorities in the coming months. The FPC has committed to providing further detail on its 2019 cyber risk stress-testing programme by Q4 2018, and the BoE and FCA will spend this time analysing feedback received and further developing the concepts in this paper.
For impact tolerance in particular, we see a number of critical decisions that the authorities must make as they put this concept into practice: namely, how prescriptive the FPC wishes to be in setting impact tolerances for systemically important firms, and which types of “severe but plausible” scenarios they will expect firms to plan to recover from.
Feedback on the DP is encouraged by the BoE and FCA, who are particularly interested in hearing more about existing metrics that firms use to benchmark their recovery from operational disruptions. The DP is open for comment until 5 October 2018.