On the 29th of March 2021, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) issued confirmed policy statements on operational resilience. While the statements are very much aligned to the consultations published in December 2019, banks and financial services institutions will have a lot to do in the next 12 months. Karl Kiarie, Head of Strategic Transformation at RedCompass Labs, has prepared a practical summary of seven things you should know about operational resilience policies and what they mean for financial institutions.
The operational resilience journey
Operational resilience continues to grow as a topic of interest for the financial services industry. 2020 proved it more than ever as COVID-19 took hold and industry-wide outages occurred, such as the ECB's Target 2 system being down for 11 hours. As the complexity of our financial ecosystem increases, thinking about preparedness is critical to both gain and maintain a competitive advantage. It is critical to maintain consumer confidence and ensure that firms can maintain high standards on the services they provide to their customers, counterparties and the wider financial ecosystem.
On the regulatory side, operational resilience has been a focus for several regulators for some years, and they have all issued consultations on the subject. In the UK, following the publication of the PRA Discussion Paper in July 2018, we now have confirmed policy statements from the PRA and FCA on the topic. Here at a glance are the key areas of difference between the consultations and policy statements:
- Changes to the timelines to provide firms with more time and flexibility to meet mapping and scenario testing requirements.
- Clarifications on how the rules fit with the broader domestic and international regulatory landscape.
- Further information on how the FCA and PRA will support firms in implementing the rules on operational resilience.
- Examples of how different types of firm might apply the proposals.
But let's have a closer look at the seven key points outlined in these policy statements that you really should know about.
PRA's and FCA's operational resilience policy statements in seven points
1. Implementation and transition period deadlines postponed by three months
The regulators have maintained the relatively short 12-month implementation period, but moved the deadline from 31st of December, 2021 to 31st of March, 2022. Similarly, the transition period has shifted, with full compliance expected by 31st of March, 2025. The 3-year remediation timeframes proposed in the consultations have been retained.
2. The principle of "operational resilience as an outcome" is maintained
The regulators have maintained their intent to enshrine a "principle and outcome-based" rather than a "prescriptive, rule-based" policy approach to operational resilience. They have also provided a proportional and flexible framework for implementing the policy, leaving it up to individual firms to implement operational resilience in a manner that suits their business models.
3. Critical business services to be assessed through the three lenses of operational resilience
Firms are encouraged to rigorously challenge their assessment of critical business services through the three key lenses: avoiding customer harm, maintaining firm viability and promoting financial ecosystem stability. This helps firms avoid falling into the trap of classifying as critical those services that may be important to the firm but do not meet the criteria (e.g. payroll services). In addition, it gives firms a variety of scenarios to consider when assessing critical business services from a people, process and system capability perspective.
4. A "compelling" end-to-end assessment is required during the implementation period
Firms are expected to have completed all steps of the operational resilience assessment (identify and map critical business services, set and test impact tolerances and identify remediation gaps) by the 31st of March, 2022. Regulators have outlined that they are not looking for perfection, but rather for "a compelling gap analysis" to have been completed, clearly setting out a plan on how identified gaps will be remediated.
5. Scenario testing should be used to assure resilience
The policy statements advocate for a scenario testing approach to impact tolerances. Firms will be required to demonstrate that critical business services fall within the impact tolerances they have set. This means that "severe but plausible" scenarios will need to be considered for impact tolerance testing. The PRA and FCA have steered away from being prescriptive, and instead expect firms to enhance their capability to effectively simulate disruptions, drawing on any existing inputs on near misses, industry experiences and approaches taken in other jurisdictions to inform their scenario testing strategies.
6. Engagement of all levels of governance in the organisation is critical
The role of boards and senior management is clearly emphasised in the policy statements, with an expectation for boards to approve the operational resilience self-assessment. While the policy statements avoid being prescriptive on the format of the self-assessment, they do provide some guidance on the expected content. The statements also reaffirm the provisions of the Senior Managers and Certification Regime (SM&CR), with ultimate responsibility for operational resilience sitting with the Senior Management Function 24 (SMF24), namely the Head of Operations or the COO.
7. Cross-border regulatory alignment and coordination will continue to increase
The PRA and FCA have made deliberate efforts to align regulatory inputs coming both from within the UK and abroad. Operational resilience is indeed the first policy to have been created in coordination with the four main UK financial regulators (FCA, PRA, Bank of England and Financial Policy Committee) on a "principle and outcome-based" approach. In addition, the Principles on Operational Resilience of the Basel Committee on Banking Supervision (BCBS) feature extensively in the intent of the policies. Regulators in the EU and other jurisdictions will continue to work closely to harmonise operational resilience regulatory regimes in the coming years.
What does it mean for financial institutions?
The principle-based approach adopted in the regulatory proposals encourages firms to actively engage in the implementation of regulations. Add in the multi-jurisdictional nature of operational resilience, and it is clear that all firms need to think carefully through a framework of implementation that can be leveraged across their footprint. Banks and other financial services industry players will need to "be alert and prepared", and incorporate operational resilience as a key tool in their business models going forward.
Is there a lot to do? Absolutely.
Can it be done? Definitely!
And if you need a hand validating your payments’ operational resilience, we are here to help.
RedCompass Labs has a strong track record of managing complex organisational changes and winning the support of operating divisions to embrace the changes necessary for future growth. Our consultants draw upon a wealth of experience and expertise in delivering change in challenging operational landscapes. Our geographical footprint in the UK, Poland, Singapore and Japan puts us in a unique position to support you and ensure your operational resilience framework is fit for purpose across multiple geographies. Don't hesitate to get in contact for more information.