Operational resilience: how do you measure up?

  • United Kingdom
  • Financial services and markets regulation
  • Financial services disputes and investigations
  • Financial services

01-02-2022

On 27 January 2022, Suman Ziaullah (Head of Technology, Resilience and Cyber at the Financial Conduct Authority (FCA)) delivered a keynote speech ahead of the upcoming operational resilience policy milestone on 31 March 2022.

Suman emphasised the need for firms to have taken 6 key steps by this date, as follows:

  1. identified their Important Business Services
  2. set impact tolerances
  3. completed the mapping exercise to a level of sophistication to have identified any vulnerabilities
  4. prepared a consumer communications plan
  5. completed the lessons learned exercise
  6. prepared a self-assessment document, which will be used to assess progress against the policy requirements and that can be required by either the FCA or the Prudential Regulation Authority (PRA) at any point after 31 March 2022

Suman also provided some observations on implementation to date following a PRA request that was issued to 25 high impact firms across a range of sectors. The key takeaways are as follows:

Important Business Services

  • Important Business Services will always be external services. Some firms have categorised internal services or functions as Important Business Services on the basis that they are pivotal in the provision of external services, and that these would be affected if the internal service was disrupted. This is a misunderstanding of the rules. Important Business Services are external services provided to consumers. Internal services are better considered as “internal enablers” and should form part of the mapping exercise referred to above.
  • The justification for each Important Business Service must be distinct to each service. Some firms had provided the same rationale for multiple Important Business Services. The regulators encouraged firms to use values and metrics relating to market share, customer numbers or consumer research to demonstrate the impact that a disruption to the relevant service would have on consumers, so as to justify their decision to identify it as an Important Business Service. This will also assist the regulators in understanding the firm’s rationale.
  • Firms should ensure that Important Business Services are named in such a way that clearly explains the scope of the service, so that someone outside of the business can easily understand it. The regulators also suggested including an explanation of what the service does not include.

Impact tolerances

  • The ultimate aim of firms should be to avoid breaching impact tolerances in the first place. The focus should be on this, rather than on recovery of the service after a breach has taken place.
  • Firms should not confuse impact tolerances with the risk posed to the firm itself in the event of a disruption. Impact tolerances are outwards-looking and need to consider the impact of an event on consumers.
  • The use of recovery time objectives as a driver for setting impact tolerances should be avoided. These are internal metrics measuring when a service should be restored and do not consider when intolerable harm is suffered by consumers or when a risk is posed to the market, which are the key considerations in setting impact tolerances.
  • Firms should ensure that they have clear documented methodologies for setting their impact tolerances. The rationales for the level at which these are set should reflect consideration of consumer and market impact. For example, if an impact tolerance is set at 12 hours, firms should be prepared to demonstrate consideration of the impact on consumers at hour 11 and hour 13, in order to explain the rationale for the tolerance. These explanations should also be reviewed by senior management.
  • A clear indicator that a firm will be unable to remain within its impact tolerances is if it fails to understand the relevant chain of third party services and how these impact the firm’s Important Business Services. The FCA expects the mapping exercise to identify these, although it accepts that there may be refinement and revision of the mapping methodology over the course of the next three years in order to achieve the necessary granularity.

Self-assessment document

  • The format of this document is up to the firm, but it should be a snapshot of the firm’s operational resilience at that point in time. It should document the firm’s (i) Important Business Services; (ii) impact tolerances; (iii) methodology that has been used in the firm’s mapping exercise; and (iv) actions taken or planned to deal with vulnerabilities. The regulators expect that this document will mature and develop over the course of the next few years.
  • This document requires sign-off by senior management and it is the FCA’s expectation that this process is not left to the last minute. The FCA also expects the document to be reviewed regularly. More broadly, senior management should be able to evidence that they are satisfied that the firm is meeting its responsibilities.
  • The regulators have no plans to request the self-assessment document across the board after 31 March 2022, although firms are reminded that regulators can request this document at any time. In particular, firms should expect to provide this document if impact tolerances are breached after 31 March 2022.
  • In the event of a breach, firms are expected to notify the regulators via their normal channels. After 31 March 2022, the regulators will be looking at what work has been done to identify Important Business Services and set impact tolerances as part of any investigation.

For further information, see: