10 key considerations for Operational Resilience – with less than 2 months to go
With the clock ticking to the ‘go-live 1’ deadline of 31 March, firms are ramping up their efforts to meet regulatory expectations for the first major milestone of their operational resilience transformations.
But with just 2 months to go, what exactly are the expectations – and concerns – from regulators? And how ready is your firm to meet them?
We got an extra insight into regulatory thinking on 27 January at the FCA’s webinar session, with representatives from the PRA and Bank of England – and transformation is an apt word.
Many firms at first thought operational resilience was just a new term for business continuity and disaster recovery, but have come to realise that they need to go through a major pivot in that thinking. Understanding their important business services and setting appropriate impact tolerances, on the way to becoming operationally resilient, has required a significant change in perspective.
Firms have needed to shift from a functional, silo-based view of the organisation to one that truly considers the end-to-end ecosystem of processes, people, facilities, data, third parties and technology – working in concert to deliver business services reliably. Firms have also had to move away from their traditional approach of focusing on the impacts to their own business from disruption, to a more detailed consideration of the impact these events could have on customers and markets. And that’s before the significant remediation work needed to close gaps in resilience – which this exercise seems to be inevitably uncovering.
Firms should have determined their important business services (IBSs) by now, and have set appropriate impact tolerances. They should have commenced the mapping exercise required for each IBS (expecting that first drafts will improve over time), and have the right governance structures in place to oversee their operational resilience frameworks end-to-end. They should also be finalising their early testing and be well on the way to a first version of their self-assessment document, which regulators could begin asking to see from as early as 1 April.
Most firms have already made significant progress. But a worrying number have not – and the devil is in the detail. In our work with firms, and in comments we’ve heard from regulators, there are some consistent themes and gaps that are worth thinking through and filling in.
10 key questions to be asking today
Have you picked the right services and the right impact tolerances?
Choosing which services are important and setting associated impact tolerances is harder than was first expected, and there is wide variance in what firms have chosen.
Many firms seem to have fallen into the trap of being too focused on the impact of an event on themselves, rather than customers or the financial markets in which they operate. They need to be mindful of customer impact first (especially vulnerable customers), impact on markets and consumer confidence, and only then impact on their own business.
Many are also including business functions as standalone business services, rather than seeing them as simply enablers of the delivery of an IBS that cuts across the whole enterprise.
Have you got the right thresholds, and the right contingency plans?
Firms need to be careful in the way they view their impact tolerance (IT) thresholds. Importantly, they should realise that at the point of breach of an IT, intolerable harm is already happening, and firms should plan and invest through the cycle to avoid any breach.
They should also be thinking about customers’ and markets’ access to alternative providers in setting their ITs.
Can you show ALL your workings?
In deciding what their IBSs are, and setting ITs, firms must show their thinking, and demonstrate why the approach taken and conclusions reached are reasonable.
Regulators want to see firms looking not just at the impact tolerance itself, but also at the rate at which intolerable harm accrues – not just at what is happening at the point the IT is breached, but also what could happen both before and after this notional threshold is reached.
Is Op Res embedded in your governance structures?
Within governance arrangements, boards shouldn’t lose sight of their twin responsibilities – yes in holding senior managers to account for complying with operational resilience requirements, but also in approving the self-assessment document itself and ensuring that operational resilience frameworks are reviewed regularly and up to date at all times.
Are you thinking about risk widely enough?
In determining the scenarios they’ll use to stress-test their impact tolerances, firms should think about the full range of things that could go wrong. This includes third party reliability and concentration risk, as well as exposures to cyber-attack. Regulators have made clear they’ll be surprised if firms do not include these threats in the suite of scenarios they consider.
Are you a small company hoping for regulatory leniency?
Small companies, while able to address the requirements with proportionality in mind, nonetheless also retain the ability to do intolerable harm when things go wrong – and are in scope for that reason. This means that such firms will still have to identify their IBSs, set ITs, do the mapping, run scenario tests, invest to remediate where necessary and make appropriate external disclosure of their self-assessment that is ready to go when needed.
Realising the considerable cost and disruption that complying may cause, regulators have given extra time for enhancing the sophistication of mapping and scenario testing of IBSs, but have not backed off the need for all in-scope firms to comply fully, regardless of size.
Have you got the right data (including from 3rd parties), and data analysis resources?
Many firms have struggled with obtaining the data they need to demonstrate resilience across the value chain, within their extended enterprise, especially from the third parties they rely on.
We mentioned concentration risk above, and we can expect current regulatory thinking on resilience standards for third parties to translate into additional policy measures that are likely to be announced later in 2022. But the onus is on firms now to obtain the data they need, and to include it in the mapping of their IBSs and in their self-assessment.
In our recent blog we commented on some of the practical challenges faced, and the solutions firms could adopt. Of note, regulators have reminded us that not having the necessary data from third parties is a red flag that the firm may not be operationally resilient. Firms should seek data and map along the value chain as far as is appropriate – given the need to remain within the relevant IT. This may mean obtaining such information from suppliers further down the chain, not just those they deal with directly.
Regulators will continue to demand, gather and analyse data regarding the IBSs chosen by firms and the ITs they have set – and are likely to use it for benchmarking purposes over time and calibration of firms relative to their peers. Accurate data is going to stand firms in good stead.
Are you ready for self-assessment?
Regulators have not specified a format for the self-assessment document that firms must prepare. Nonetheless, they have made comments that give pointers. The first thing they have reiterated is that the self-assessment document must have been approved by the Board and ready by 31 March 2022. They consider the document to be a point in time snapshot that should iterate through the next three years and beyond – reflecting continuous improvement and sophistication in firms’ resilience arrangements.
They have suggested the ORSA as a useful comparator when thinking about what is appropriate in terms of detail and explanatory narrative. Perhaps one could argue that by doing the work, a firm’s self-assessment should have been built along the way, and this may be true for some. But for those who have left the process of stitching the component parts of the self-assessment together to the end of their process, the effort required will not be trivial, especially when considering that – like the ORSA – it should be easily understandable to a relatively non-expert reader.
The self-assessment document should be available on request; however, regulators have not said when they will ask to see it, beyond saying that any breach of an IT is likely to trigger such a request. Breaches themselves should be flagged to regulators through the normal communication channels in place for each firm (such as through the Supervisor). We would expect that any visit from a regulator would quite likely include a request to see the self-assessment, especially given that Operational Resilience is such a hot topic.
Are you meeting expectations of BOTH regulators?
If a firm is dual regulated, it must meet the expectations of both regulators. IBSs should be chosen, and above all ITs should be set, that reflect not only the objectives of the FCA for consumers, but also the financial markets objectives of the PRA.
In thinking about their ITs, firms should also develop thresholds and create scenarios that align with a point where they could suffer financial difficulty, and thereby threaten the PRA’s objectives. Their ITs, scenarios and wider Operational Resilience frameworks should align with other supervisory levers such as Recovery and Resolution plans, if they have them.
Are you about to come into scope?
Some firms currently out of scope will come into scope during the three-year transition period post 1 April 2022, when there will be a need to undertake the effort and investment to meet regulatory compliance expectations at the same deadline as all other firms. This may be a particular issue for brokers and other intermediaries, where there is considerable industry consolidation underway just now – a firm that comes into scope through inorganic growth will need to comply, perhaps within a significantly shortened timeframe.
Firms should factor this requirement into pre- and post-acquisition planning. On a case-by-case basis, regulators may include considerations on operational resilience as part of their authorisations process.
All of these points indicate that for some firms, there is still a lot to do.
Sicsic Advisory, working with ORIC, is currently conducting a maturity benchmarking exercise across multiple dimensions of Operational Resilience, which firms can use to consider not just where they are currently, but also the extent of the gap to their own target state and to the level of progress made by their peers. Participants in the survey will receive anonymised results, and if you want to participate in the survey, please contact us at firstname.lastname@example.org.
If you’d find a conversation with us about the points raised in this blog helpful, or have any questions or concerns on operational resilience and the wider regulatory agenda, please don’t hesitate to get in touch.
This article was first published on LinkedIn on 7 February 2022.