FCA’s & PRA’s approach to Operational Resilience

Operational resilience has become a top priority for financial institutions in the UK, driven by new requirements from the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA). Both regulators have taken significant steps to ensure firms can continue delivering essential services even when faced with severe disruptions.

In December 2019, the FCA and PRA published a joint policy statement setting out their expectations for strengthening operational resilience. This built on earlier discussion papers and feedback from the industry. The policy aims to address several high-profile outages and service disruptions that have affected major banks and building societies in recent years.

TSB Bank took 8 months to return to ‘business as usual’ after a botched tech transfer, say regulators. In April 2018, TSB attempted to move 5.2m customer records onto a new system. This initiative resulted in customers not being able to access their accounts. It took until December 2018 for TSB to return to business as usual.

The key elements of the policy include:

Identifying Important Business Services: Firms must systematically determine which services they provide that, if disrupted, could cause intolerable harm to consumers or market integrity. This depends on factors like market share, external dependencies, and substitutability.

Setting Impact Tolerances: For each important business service, firms must define a maximum tolerable level of disruption, such as the length of time the service can be unavailable before intolerable harm occurs.

Mapping Dependencies: Firms need to create maps that identify all the people, processes, technology, facilities and information required to deliver each important service. This will uncover vulnerabilities.

Testing Resilience: Scenario testing will validate whether firms can remain within their impact tolerances for each business service during severe but plausible scenarios. Any risks or gaps must be addressed.

Building Communications Plans: Documented communication strategies will be essential for promptly informing stakeholders in the event of an operational disruption. This includes customers, regulators, and market infrastructure providers.

The regulators expect boards and senior management to take responsibility for implementing these measures and maintaining operational resilience on an ongoing basis. Firms will be required to carry out regular self-assessments of their capabilities and report the results to supervisors.

The initial deadlines focus on systemic firms and services critical to the wider UK financial system. Investment firms have until March 2022 to identify important business services and set impact tolerances. Other requirements take effect in 2023-2025 depending on the size and type of firm.

Many see operational resilience as representing a fundamental shift in regulatory philosophy. Rather than applying detailed rules or standards, the FCA and PRA have defined broad outcomes they expect firms to achieve. This gives greater flexibility on how to comply based on each institution’s specific risk profile and business model. However, it also places greater responsibility on senior leaders to implement robust frameworks tailored to their organization’s needs.

The operational resilience agenda represents a significant undertaking for financial firms. It will require mobilizing resources across multiple functions to map interconnected systems and processes, assess risks, and implement effective controls. However, developing greater resilience will ultimately help firms safeguard critical services that underpin financial stability and protect consumers. This underscores why operational resilience has become both a regulatory priority and strategic imperative.

DecideWright is a UK-based consultancy that delivers solutions in the areas of Strategy Execution and Enterprise Performance Management, Enterprise and Operational Risk Management, Operational Resilience including DORA and Measurement & Metrics, including KPIs & OKRs.

Contact us to see if we are the right firm for your project.
