Operational resilience and the third party challenge
By 31 March 2022 large financial services firms have to meet the first round of operational resilience requirements. For many firms this represents a significant body of work, with considerable challenges. That deadline is itself the first of many. After March 2022 there will be a further three-year transitional period for firms to meet the operational resilience objectives they’ve established.
None of this should come as any surprise to the sector. The new statements were issued following a long period of consultation with a wide range of stakeholders, which began with a 2018 discussion paper, was followed by a consultation paper in 2019, and delayed very slightly in 2020 by the pandemic.
What might be more surprising over the next 12 months is the depth and breadth of what’s actually involved – particularly when it comes to third parties.
What are the new regulatory requirements?
Under the new requirements, UK financial services must, by 31 March 2022:
1. Define their important business services (IBS)
2. Set appropriate impact tolerances for each IBS
3. Complete a mapping exercise of the business ecosystems that need to operate successfully to deliver them
4. Perform appropriate scenario testing to confirm that IBS will remain within the Impact Tolerances they’ve set.
What are the challenges ahead?
In mapping the ecosystem required to deliver an IBS, firms will need to consider the role that technology, facilities, information, people and processes play, in considerable detail. That may mean more data is required, different reporting, and additional resourcing.
On top of that firms will need to have the right operational resilience strategies, governance, processes and systems to enable the development and operation of their resilience frameworks – and they will need to be able to show both their thinking and practical application. They have to develop a self-assessment document that provides the Board with appropriate oversight – and confirms to regulators that they are meeting their operational resilience responsibilities.
Where things get even more complicated is where third parties are providing services for a firm that impact an Important Business Service – and its ability to remain within Impact Tolerance.
Regulators will expect firms to show clear consideration and understanding of their dependencies on third parties (including from intra-group providers), and therefore many firms are focused on identifying their material third-parties, seeking information on what providers’ resilience arrangements are, what scenario analysis and testing they’re performing, and how that can dovetail with their own framework. Firms also need to think about, to an extent, the level of reliance and threat to their operational resilience from the material sub-contractors of their third-party providers.
Four third party issues
The difficulty of mapping in third party dependencies will of course depend on the number and kind of third parties firms work with – but also the relationship they have with them. These are some of the issues Sicsic Advisory have been helping firms work through:
- Balance of power
The balance of power can be quite unequal between firms and their third parties – many of which may not be regulated by UK financial services regulators – and such third parties may not see a commercial benefit in supplying the information needed, may not be willing to invest in producing it, or may be unable to overcome things like confidentiality concerns.
- Legacy contracts
Another stumbling block may be legacy relationships. Many firms have long-term supply contracts where the extent of information needed for operational resilience purposes wasn’t foreseen, and they may have very limited contractual rights or leverage to receive or audit such information. In some cases, firms will have limited contractual negotiating power, in the first instance. In other cases, firms may not really understand the extent to which a provider – in a crisis situation – may prioritise their needs versus those of others.
- Sub-sub contractors
Many third parties will not be the end of the supply chain, but will themselves be working with and relying on sub-contractors, making it even harder to pin down resilience parameters.
- Information overload
Third party providers themselves are likely to be working with multiple financial services firms, and therefore receiving multiple requests for resilience information. This may inevitably constrain their willingness or ability to respond in the manner and timescales firms require.
The PRA’s supervisory statement on outsourcing places a new onus on firms to inform the regulator when a provider is unwilling or unable to include required terms, including on disclosures relating to resilience, in their material outsourcing agreements.
Six key actions to take now
While firms may choose initially to simply inform regulators of instances where information isn’t available and suggest a plan as to how they will remediate this situation through time – this won’t be sustainable long term. But there are some key things firms can do now.
- Risk-based segmentation
Firms should segment their providers using a risk-based approach, concentrating on those that are most material and present the greatest risk to the delivery of an IBS, and then looking at the type of contractual relationship and the regulatory status of the provider. Material sub-contractors should be part of this process, wherever possible.
- Picture building
While there may be limits on the flow of information initially, firms should look to continually improve the sophistication of the mapping of services they receive from providers, so the data can build over time to form a more accurate picture.
- Relationship building
Building on the relationship with third parties will be key over the coming months, and more touch points may be needed to gather information, and for firms to get an understanding of how they would be prioritised by third party suppliers in the event of an operational or financial crisis.
- Board escalation
Any ongoing challenges in obtaining the required information must be flagged to the Board as soon as possible – particularly where there are significant gaps in knowledge. Future options can then be determined within the right governance arrangements.
- Back-up options
It’s worth putting in time now to research alternative providers. If a third party supplier is not ultimately able to provide information of sufficient detail or clarity for a firm’s operational resilience purposes, there need to be clear plans and arrangements to exit the relationship, and switch to a ‘plan B’ provider. Recognising when it’s time to make the cut may prove difficult, and firms should start this contingency activity early.
- Future-proofing contracts
Any new relationships with third party providers will need to have the requirement for operational resilience data built into contracts, and that’s work and wording that can start immediately.
Longer term, firms and their advisers will clearly need to engage with the regulators to get more guidance – and potentially look for formal requirements to be imposed on key providers.
We can also foresee a market evolution where independent assurance of the resilience of service providers becomes available and is endorsed by regulators, not dissimilarly to external controls assurance seen in the investment industry.
Our advice for now, though, is to get to grips with the challenge of third party information as quickly as possible – and stay ahead of the regulations.
How Sicsic Advisory can help
Based on our deep understanding of business models and operations, and extensive experience in operational resilience, we’re uniquely placed to support insurers, intermediaries and asset managers to embark on a tailored journey to strengthen operational resilience.
If you would like to know more, please get in touch with our operational resilience lead, Martin Jarman.