On 5 December, the UK’s financial regulators, the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA), published a series of consultation papers (CPs) on their proposed approach to operational resilience in the financial sector.
This initiative from UK regulators comes after significant public scrutiny of IT failures, and breaches arising from cyber-crime in the financial sector. In October, the UK Parliament’s Treasury Committee urged regulators to develop a more explicit framework to push financial sector firms to enhance their operational resilience. This consultation takes an important step towards this.
The proposed approach to operational resilience
The consultations follow a discussion paper issued by UK regulators in July 2018, which indicated their overall approach to operational resilience in financial services. In our recent paper Time to Flourish: A practical guide to enhancing operational resilience we identified five key themes arising from this framework that firms should take note of:
- Business services: firms should adopt a business services view. This will focus time, effort and resources on what is important to their customers, consumers more generally and the sector as a whole.
- Impact categories: business services should be prioritised by their relative importance to three main considerations: financial stability, viability of the firm, and harm done to customers or other market participants. They should also be mapped to their supporting operational dependencies, including technology systems and hosting facilities.
- Impact tolerances: firms should express the threshold of harm, financial loss or systemic impact they are prepared to tolerate from severe but plausible disruptions to important business services, and set an objective to ensure that threshold is not breached. These are not just time-based but clear business statements of outcome-based objectives.
- Communications: firms should think through how to manage prompt and meaningful communications during a disruption, including ensuring the necessary capacity to do so, to maintain confidence in the organisation and reduce the harm caused.
- Scenario testing: once tolerances for disruption are established, they should be tested against dynamic scenarios to prove they can be met.
The approach proposed in the December 2019 CPs confirms the original framework from the 2018 discussion paper (as described above) and further refines it.
The CPs also reveal a number of important practical aspects of how the operational resilience framework is likely to be implemented, most notably:
- That the implementation period will be relatively short: the regulators foresee finalising and implementing the framework by mid-2021. After that point they expect to give firms up to three years to identify their important business services, set appropriate impact tolerances and meet them to the satisfaction of supervisors (who will have the power to challenge firms’ decisions in every step of that process).
- That firms’ boards and senior management will have to be closely involved: the CPs specify further the expected role of the board in complying with the operational resilience framework. The board is meant to sign off the identification of important business services and set impact tolerances for those services, and is also expected to review and approve the firm’s operational resilience self-assessment (discussed further below). Where firms have a Chief Operations Function (SMF24), it will be expected to hold overall responsibility for implementing operational resilience policies and reporting to the board.
- That the expectation on firms with regards to operational resilience varies by regulator: the regulators have coordinated their efforts but published different CPs in order to describe their respective supervisory approaches. The PRA, for instance, is primarily concerned with disruptions that could threaten a firm’s viability, while the FCA is more concerned with disruptions that could cause harm to consumers. This variation derives from the specific objectives that each regulator has, but nevertheless they still focus on the same principles for resilience. This approach, however, will mean that firms that are dual-regulated by the PRA and FCA can expect to have to set two differently-expressed impact tolerances for some of the important business services they identify.
Beyond these three observations, a number of other changes and refinements stand out to us as noteworthy in the CPs:
The definition of important business services, previously loosely defined throughout the 2018 discussion paper, is refined. It is now defined as ‘a service provided by a firm or FMI to an external end user or participant where a disruption to the provision of the service could cause intolerable harm to consumers or market participants; harm market integrity; threaten policyholder protection; safety and soundness; or financial stability.’ These business services should be mapped, and boards and senior management will be expected to prioritise the operational resilience of these over other business services. The CPs do not provide specific lists or taxonomies of important business services, but they do give examples and frameworks for firms to think through (which will also provide a basis for supervisors to review).
The approach to impact tolerances is refined. The definition of an impact tolerance is now described as the ‘maximum tolerable level of disruption to an important business service, including the maximum tolerable duration of a disruption.’ The specific inclusion of a time metric is an important amendment to the definition that should allow firms to define and measure their impact tolerance more clearly and consistently. The ‘duration’ of a disruption is also described as both a point by which harm needs to be reduced to a tolerable level, as well as elapsed time (which could compress or increase depending on when a disruption occurs). As mentioned above, dual-regulated firms may have up to two impact tolerances for each important business service, and in some circumstances it may be appropriate for firms to focus on the impact tolerance which has the shortest duration when prioritising actions. Additionally, all firms and FMIs will have to take into account any tolerances set by the Financial Policy Committee when setting their own impact tolerances.
Detail on how firms are expected to map the systems and processes that support their business services is given. A firm will have to identify and document the people, processes, technology, facilities and information required to deliver each of its important business services. This mapping should then be used to identify and remedy vulnerabilities, and to test the firm’s ability to remain within impact tolerances. The CPs are clear that this mapping does not need to be exhaustive, but should be done to the level of detail needed to achieve the outcomes of the framework. Importantly, the mapping and testing will have to include third parties used to deliver those business services (the PRA also published a CP on outsourcing and third party risk management alongside the operational resilience CPs).
More detail on severe but plausible scenarios and scenario testing is provided. ‘Severity’ is the result of an evaluation by boards and senior management who, having identified scenarios that would cause them to exceed their impact tolerances, should judge whether failing to remain within impact tolerance in those scenarios is acceptable. This implies the need for scenario testing, which must identify an appropriate range of adverse circumstances of varying nature, severity and duration relevant to a firm’s business and risk profile, and consider the risks to delivery of the firm’s or FMI’s important business services in those circumstances.
The development of internal and external communications planning for when important business services are disrupted is re-emphasised. The supervisory authorities reiterate the importance of ‘prompt and meaningful communication arrangements for internal and external parties’ in mitigating harm, a point that also figures prominently in the Treasury Committee’s report on IT Failures in the Financial Services Sector. These arrangements should include escalation paths and address how key individuals can be contacted (for example, when email is not working).
Actions to strengthen operational resilience are further specified. The regulators are clear in their CPs that impact tolerances should be used by firms as an investment planning tool. This means that an understanding of a firm’s business services, vulnerabilities and impact tolerances should guide initiatives to replace outdated infrastructure, address key person dependencies, or ensure the firm is able to communicate with all affected parties.
The regulators ask firms to conduct regular self-assessments of their compliance with operational resilience requirements. These self-assessments need to be reviewed and approved by the board. This will require firms to document how they have identified their important business services and set the impact tolerances for each of them. The self-assessment should also include a summary of the vulnerabilities to the delivery of the identified business services, and an outline of the scenario testing performed to assess whether the impact tolerances can be met.
The CPs from the regulators are open for comment until 3 April 2020 and should be finalised mid-2021. As mentioned above, the three-year timescale that the regulators envision for firms to implement the framework fully is shorter than many in the industry had expected. This reflects the high priority that regulators have given to strengthening operational resilience in the financial sector.
This will likely mean that firms will have relatively little time to prepare for their compliance with an entirely new supervisory framework, assuming that the regulators do not extend the deadline when they finalise the framework.
To hear more about our views on the UK regulatory approach to operational resilience, you can listen to our Regulated Radio podcast How can finance be more operationally resilient? from December.
You can also read our recently published paper On the Frontier: Operational resilience and the evolution of the European banking sector for our view of why overcoming the operational resilience challenge will be a critical part of how the banking sector makes a successful and secure digital transition, and how cross-industry and cross-border collaborative efforts will be a key ingredient in achieving that outcome.