Is your firm ready for operational resilience?
03 December 2021
Improving the operational resilience of financial institutions has been an evolving theme of the PRA & FCA. Following the previous discussion papers, DP 1/18, 'Operational Resilience: Impact Tolerances for Important Business Services' and Consultation Paper 29/19, the PRA & FCA have outlined the final requirements in the latest policy statement. It has been a long time coming, but the deadline of 31 March 2022 is now just over 3 months away.
The requirements are far-reaching and interconnected with multiple other core firm responsibilities such as SS 2/21 'Outsourcing and Third-Party Risk Management' and other more established business planning requirements such as ICAAP and Recovery and Resolution Planning.
Continue reading as Jaywing's Regulatory Risk Practice Director, Dean Mitchell, summarises the regulations' key requirements and highlights three particular areas that firms should look out for.
Overview of Key Requirements
We have summarised the key requirements every firm must address prior to 31 March 2022, and the actions to be completed on an ongoing basis thereafter.
At this stage, the majority of firms will have completed the process of identifying and mapping the important business services (IBS) they provide. Although similar in nature, it is worth noting that the definitions of IBS’ differ slightly between the PRA and FCA. The table below, as published in PS 6/21, illustrates both definitions.
If you have not yet started implementing this new regulation, there is still time, but you will need to make this a priority and dedicate a suitable level of resources. From our discussions with firms who have begun, or are well on the road to completion, we can share that most firms have identified at least one IBS and have completed this task. However, the identification of the IBS is just the first task in a fairly long "to do" list.
We have identified three areas of the requirements which firms should pay particular attention to:
- Setting measurable tolerances
- Designing appropriate scenario tests
- Completing the self-assessment
Setting Measurable Tolerances
When setting the impact tolerance level for each of your identified IBS’, it is important to remember that the limits will differ from your existing risk appetite metrics. Risk appetite metrics help firms monitor where they currently sit within a range of increasingly less acceptable points on a continuum. Based on a firm's calibration of reaction times required to reverse negative trends, a firm then sets risk appetite tolerance levels where management actions begin to be executed.
On the other hand, impact tolerances should be set at a point near the top of a firm's risk appetite, where disruption to IBS’ would start to pose a risk to either the firm's safety and soundness or financial stability.
One of the difficulties in establishing the new tolerance levels is that it is not always clear where disruption of the business services will pose this risk. The regulations dictate that the firm must have robust procedures which ensure that the delivery of the most important business services is maintained. This is likely to be an area the regulators will focus their attention on when reviewing the first self-assessment.
Designing Appropriate Scenario Tests
The new requirements ask firms to develop a range of severe and plausible scenarios, designed to expose potential vulnerabilities within their business. The purpose of scenario testing is not so much to prevent the scenario from unfolding but to reveal how the firm can respond during the period of stress. When developing your scenarios, you should assume the scenario has already crystallised.
Another consideration is that scenario testing is designed to be a long-term process. The regulators expect firms to have started to develop different scenarios and, indeed, undertake some form of testing during the first self-assessment, despite the full force of this regulation not being required until March 2025.
So, how much is enough?
The answer will likely be related to the size and complexity of your organisation. Firms with a higher number of IBS' will need to convince the regulator that they have a solid foundation of stress-testing in place and have laid out how the testing will evolve in the coming years.
Completing the Self-Assessment
Each firm must complete a self-assessment of their IBS', the methodology used in preparing the assessment, the approach to mapping their IBS', details of their strategy for mapping the IBS', and the controls in place to manage potential vulnerabilities.
Unlike the ICAAP and ILAAP processes, the completion of the Operational Resilience report requires a higher level of participation from all areas of the business. The role of the Board is particularly important as this concept may not be familiar to all members. Firms should consider who in the firm would be best placed to help the Executive and Board to understand the concepts of the requirements. Early and frequent interactions with the Board will facilitate a high-quality level of challenge which will undoubtedly help with the overall quality of the initial self-assessment.
Independent Assessment - how Jaywing can help
There's no doubt about it. It's challenging to complete your first self-assessment and establish suitable internal controls and governance arrangements that comply with the new regulatory requirements. To help firms ensure their self-assessment is comprehensive and meets all expectations, Jaywing's experts can provide a third-party review of your work and help validate your inaugural self-assessment.
If you would like to speak to us about any aspects of the new requirements, please contact Dean Mitchell, Regulatory Risk Practice Director, or your existing Jaywing contact.