Less than two months until Phase I of Operational Resilience readiness required
Posted by Luuk Jacobs on 4 February 2022
Over the last 10 months we have been discussing the implications of the new Operational Resilience regulation issued by the PRA and FCA. With less than two months to go until the Self-Assessment Report (SAR) must be available for the regulator, there is no time to waste. In this article we go through some Q&As on this regulation.
Q: What is operational resilience and what are people required to do about it?
A: In the UK regulation it is quite specifically indicated: it is achieving resilience to operational disruption within your organisation. It is a strategic business imperative as well as a regulatory and compliance area of focus, and the UK regulation looks at it through the lens of the important business services (IBS) in our organisations. An IBS is defined as a service provided by a firm, or by another person on behalf of the firm (it could also be outsourced), to one or more clients of the firm, where disruption of that service would cause intolerable levels of harm to one or more of the firm's clients, or would pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.
A broad definition, but at the same time it indicates that this goes beyond the firm itself. In the past, Business Continuity Planning focused very much on the organisation itself; operational resilience now moves that towards protecting clients and the financial markets.
Q: What is the international dimension of operational resilience, and what are the differences between the regulators and their timelines for implementation?
A: The UK regulation doesn't stand alone. Similar regulation has already been introduced in other countries and regions, for example in Asia and Europe, and through international bodies such as the Basel Committee and the International Organization of Securities Commissions (IOSCO). There is also a US joint-authority paper on operational resilience.
Initially the focus was on resilience around cybersecurity, especially in the EU regulation (the Digital Operational Resilience Act). The UK regulation however goes further, not by ignoring cybersecurity, but by making it part of broader operational resilience.
Clearly all these regulations have their own implementation dates, and therefore it is important to look at the combined elements of these regulations and make sure that you understand their common denominator where they apply to your organisation.
All international regulations operate from the same spirit, i.e. identifying and remediating the operational resilience risk and replicating the format across your organisation and jurisdictions.
Q: What are the business benefits of operational resilience beyond the prevention of harm to clients and financial markets?
A: There are three points to highlight here. The first is that operational resilience gives organisations more holistic visibility of their resilience performance and the risk attached to their business.
The second is that thinking about operational resilience helps organisations achieve better coordination between business lines and entities when talking about risk and its prevention, and it equally reduces duplication and inefficiency.
The third is around bringing better clarity to the organisation in terms of roles and responsibilities with regard to risk and its prevention.
Most importantly, it gives boards and senior management a further ability to assert their role vis-à-vis risk.
Q: Can you give us some clarity on what an IBS, an important business service, is?
A: When we talk about IBS, an example would be the acceptance of clients' transactions through a client order management system. Obviously if that cannot take place, people cannot place or withdraw their investments, which will potentially harm the firm's clients. Equally, placing investment orders within funds: if that were not a resilient process because of, for example, operational or outsourcing issues, it would likely impact not only fund performance (and thus the investors) but also the financial markets.
If on the other hand we look at IT specifically, there is quite a high concentration risk, for example where the firm itself has outsourced its cloud services directly to company X, while at the same time its outsourced provider uses company X for its own cloud service as well.
You therefore need to understand, for that order management system or for investment orders, if outsourced, which outsourced IT solutions are used by the outsourced party in turn.
Do you have the full picture of IT services and the different service providers behind them, i.e. the sub-outsourcing arrangements of the outsourced party?
So you need to look at in-house IBS as well as at how third-party service providers manage operational resilience, especially where the regulatory requirements do not directly apply to them.
You could mitigate that operational resilience risk and get further assurance by carrying out audits. Even a joint audit with competitors would be useful, as they might use the same service provider.
Q: What is self-assessment and what steps would you recommend in terms of a plan for self-assessment?
A: There really are three steps that we would recommend. The first is identification, the second is definition and the third is testing.
Identification is a matter of defining what your IBSs are and mapping the resources that contribute to those business services.
Definition is articulating, per IBS, the tolerance level and what the remaining impact beyond that tolerance would be.
Testing is coming up with scenarios to test the impact on each IBS, or on combinations of them, and assessing this against your operational resilience risk tolerance.
The next step is then to design the risk remediation programme, for which you have the next three years to put in place.
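The concentration-risk point above (a provider that sits behind both the firm and its outsourced parties) and the identify/define/test steps can be worked through on a small dependency map. This is an added illustration, not code from the article or from AlgoMe Consulting; the firm, provider names, tolerances and outage hours are constructed, and "tolerance" is modelled simply as a maximum number of hours of disruption.

```python
"""Toy model: map IBS dependencies, find shared sub-providers, test scenarios.
Added example; all names and numbers below are constructed for illustration."""
from collections import deque

# Who each party relies on (constructed). The firm outsources its order
# management system to 'oms_vendor', which itself runs on 'cloud_x'; the
# firm's fund administrator also runs on 'cloud_x'.
PROVIDERS = {
    "firm": ["oms_vendor", "cloud_x", "fund_admin"],
    "oms_vendor": ["cloud_x"],
    "fund_admin": ["cloud_x"],
    "cloud_x": [],
}

# Important business services, each with an impact tolerance (max hours of
# disruption before harm becomes intolerable) and its direct dependencies.
IBS = {
    "client_order_acceptance": {"tolerance_h": 4, "depends_on": ["oms_vendor"]},
    "fund_investment_orders": {"tolerance_h": 24,
                               "depends_on": ["fund_admin", "cloud_x"]},
}


def transitive_providers(direct):
    """Every party an IBS rests on, following sub-outsourcing links."""
    seen, queue = set(), deque(direct)
    while queue:
        party = queue.popleft()
        if party in seen:
            continue
        seen.add(party)
        queue.extend(PROVIDERS.get(party, []))
    return seen


def concentration_risk():
    """Providers that underpin more than one IBS, directly or indirectly."""
    counts = {}
    for svc in IBS.values():
        for party in transitive_providers(svc["depends_on"]):
            counts[party] = counts.get(party, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


def scenario_breaches(provider, outage_h):
    """IBS pushed outside tolerance if `provider` is down for outage_h hours."""
    return sorted(name for name, svc in IBS.items()
                  if provider in transitive_providers(svc["depends_on"])
                  and outage_h > svc["tolerance_h"])
```

Note that `concentration_risk()` surfaces `cloud_x` even though only one IBS lists it directly; the other reaches it through the outsourced vendor, which is exactly the sub-outsourcing picture the article asks firms to have.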
Q: What are the reporting requirements?
A: There is no standard provided by the regulator in terms of the report, but we would recommend going through an identification process, a definition process and a testing process and summarise that into a self-assessment report. And most importantly, identify what needs to be remediated over the next three years.
By March 2022 firms are expected to have this self-assessment report available on request. From March 2022 to 2025 firms have three years to implement the remediation.
Q: What happens after March 2022?
A: Once you have established the self-assessment report, within it you will have identified a programme or plan that maps out how you are going to address and remediate the shortcomings revealed by your scenario testing, i.e. those areas where you are outside your operational resilience tolerance. You have three years to implement this.
We recommend in your self-assessment report of March 2022, you include the three year mitigation plan and make sure you have a team in place that is responsible for the execution of the plan.
Equally we recommend you update your governance model, to ensure on a regular basis the review of interim progress reports.
The self-assessment is an iterative and dynamic process. Some new risks are likely to emerge that will need to be incorporated in the report highlighting the overall operational resilience risk and mitigation (progress).
AlgoMe Consulting has designed the seven steps to establish your firm’s operational resilience framework and can prepare with you the Self Assessment Report due for March 31, 2022.