
Operational Resilience - From Compliance to Resilience

Michael Walford-Williams

1 Aug 2022

Michael Walford-Williams, Managing Director at Westbourne, a risk management consultancy for the financial services and FinTech industry, examines what is next for Operational Resilience; what the regulators’ expectations are, and why compliance with the rules alone may not be enough...

Earlier this year we looked at the new Operational Resilience Regulations from the FCA, PRA and BoE that took effect at the end of March; what they entailed and what it would take to become compliant with the new requirements. 



Now that the deadline for implementing Operational Resilience has passed, firms have entered the ‘transition phase’.


 

Written By

Michael Walford-Williams, Managing Director at Westbourne


Connect with Michael Walford-Williams on LinkedIn > https://www.linkedin.com/in/michael-walford-williams-2302a78a/


Click the link to learn more about Westbourne and their services > https://www.westbourneglobal.co.uk



 
A quick recap of operational resilience frameworks

Since the regulations came into effect at the end of March 2022, firms are expected to have implemented measures for operational resilience. This is a framework mandated by the FCA to ensure any disruptions to your business don’t harm consumers or the wider financial market.


Any changes to the financial services industry can be a major headache. So let’s start by defining a few basic terms to make sure we’re all on the same page:


  • What is operational compliance?: Operational compliance is how well your firm follows industry rules and regulations.

  • What is operational resilience?: This is a measure of your firm’s ability to continue delivering its critical services in the face of disruptions.

  • Operational resilience vs business continuity: Both of these terms relate to your ability to resume normal levels of service delivery in the face of disruption. The difference is that operational resilience also involves your ability to prevent, adapt to and learn from disruption, not just respond to it.


That being the case, the FCA and other institutions require your operational resilience framework to include the following safeguards.


Defined ‘important business services’


These are your most significant services that, if disrupted, could cause intolerable harm to your clients and customers, or to the wider financial market.


In the case of PRA-regulated firms, disruptions to your important business services could also impact the safety and soundness of the firm itself.


The key point here is that these services are outward facing with an external user identified who would feel the impact. They’re not simply internal services where the impact is felt only by the organisation itself.


Set impact tolerances for their important business services


Impact tolerances are thresholds at which intolerable harm for an important business service would manifest.


These thresholds are typically expressed as a timeframe. For example: ‘the important business service balance and transfer for online banking must not be unavailable for more than 8 hours’.


However, they can also be expressed through a different metric, such as the volume or classification of public data that could be lost or compromised. So an impact tolerance might be ‘no more than 200 records of sensitive personal information can be compromised’ or ‘no more than the latest 24 hours of transaction history can be lost’.


Map dependencies


Firms must map all of the processes, people or teams, technology, premises, and information that are required to deliver their important business services. Operational resilience mapping should be done to a level that enables firms to identify vulnerabilities.


Vulnerabilities could take the form of a single point of failure: for example, a single technology, team or individual that supports one or more important business services and whose unavailability could threaten the impact tolerance of those services.


Scenario testing


Firms must test their important business services against severe yet plausible scenarios.


These scenarios will test a firm’s ability to remain within impact tolerance under the given scenario. This will allow the firm to learn lessons about the nature of their vulnerabilities, their current level of resilience and what actions could be taken to increase resilience.


Self-assessment


All financial organisations are also required to produce a self-assessment document, signed off at board level, that shows how they meet the operational resilience requirements.


This must be made available to the regulator on request.


Remember, this is just the beginning…


Implementing these requirements has been a significant effort for many firms.


However, the implementation of your operational resilience framework marks only the beginning of the journey.


In effect, it’s the entry requirement that gets you onto the field of play – and it’s clear that regulators expect that the real games are just about to begin.



So, what’s next for operational resilience?

The transition period for operational resilience will run up until the end of March 2025.


By the end of that period, firms will be expected to attest that they’re able to remain within agreed impact tolerances in the event that their important business services are disrupted.


During this period, firms will be expected to embed and maintain their operational resilience programmes, and to ensure they’re properly governed. That includes at board level where required.


In May 2022, Duncan Mackinnon of the PRA set out the organisation’s expectations for how firms should take operational resilience forward over the transition period between now and March 2025 (1).


After reading the speech, I was reminded of the words of Neo from the first Matrix film: “I didn’t come here to tell you how it’s going to end. I came to tell you how it’s going to begin."


It was clear that the regulators’ expectation is that firms will need to advance their programmes in a number of ways.


How should firms advance their operational resilience programmes?

Your important business services and impact tolerances may be challenged


Following initial assessment, regulators found significant variation in firms’ definition of important business services and impact tolerances.


The level at which services had been defined was inconsistent, as were the tolerance thresholds among firms offering the same services.


Through supervision, the regulators will be having conversations across the industry to understand firms’ reasoning for how they have defined important business services and impact tolerances.


It’ll be important that firms are able to ‘show their working’ for how they defined their important business services and impact tolerances.


These will also need to be validated and, where necessary, refined through scenario testing.


Operational resilience mapping and scenario testing should increase in sophistication


When the regulations came into effect at the end of March 2022, operational resilience mapping and scenario testing didn’t need to be completed “to a level of sophistication necessary to accurately identify their important business services, set impact tolerances and identify any vulnerabilities in their operational resilience” (2).


Looking forward, the regulators expect “mapping should rapidly become more sophisticated, in line with firms’ potential impact. It should enable firms to identify vulnerabilities and inform the development of scenario testing” (3).


This could mean that operational resilience mapping becomes more granular. It could also mean that, instead of simply mapping a resource to an important business service, the interdependencies between resources should also be mapped to better understand potential vulnerabilities.


That said, as with operational resilience processes generally, mapping should be proportionate to the nature, scale and complexity of the services provided, and should be outcome driven. 


Scenario testing should also increase in sophistication, both in the scope and severity of the testing and in the nature of the delivery of scenarios.


Mr Mackinnon said that scenarios should include: “data integrity scenarios and incorporate third party disruption; they should also consider factors beyond the firm’s control.”


This indicates that they wish firms to look at those severe yet plausible scenarios that go beyond business continuity planning, where things fail and where some current planning assumptions are broken.


This could be, for example, a cyberattack that affects both the primary and the disaster recovery (DR) instances of a critical system. Alternatively, it could be a case where the business continuity arrangements of a critical outsourced third party don’t meet their recovery time objective (RTO).


The PRA also suggested that: “for high impact important business services within systemic firms, desktop testing is ultimately unlikely to be sufficient”. Therefore, the way in which firms undertake scenario testing will also need to evolve.
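To make the mapping and scenario-testing ideas above concrete, here is an added Python example (not from the article or from Westbourne) that models one important business service, the resources it depends on and the interdependencies between those resources, then checks which single failures and which compound scenarios would breach the article’s 8-hour impact tolerance. All resource names and recovery times are constructed figures; failover to a surviving substitutable alternative is assumed to be immediate and the dependency map is assumed to be acyclic.

```python
"""Toy operational-resilience dependency map and scenario test (constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    kind: str              # technology, team, premises, third party
    recovery_hours: float  # assumed time to restore the resource if it fails
    needs: tuple = ()      # each entry is a tuple of substitutable resources; any one suffices


# Constructed catalogue of resources: name -> Resource (all figures are assumptions).
CATALOGUE = {
    "cloud_provider_A": Resource("third party", 24.0),
    "online_banking_platform": Resource("technology", 6.0, (("cloud_provider_A",),)),
    "payments_gateway_vendor": Resource("third party", 12.0),
    "london_office": Resource("premises", 48.0),
    "remote_access": Resource("technology", 2.0, (("cloud_provider_A",),)),
    "ops_team_london": Resource("team", 4.0, (("london_office", "remote_access"),)),
}

# The important business service from the article's example, with its 8-hour tolerance.
IBS_NEEDS = (("online_banking_platform",), ("payments_gateway_vendor",), ("ops_team_london",))
IBS_TOLERANCE_HOURS = 8.0


def restore_hours(name, down, catalogue=CATALOGUE, memo=None):
    """Hours until resource `name` is usable again under scenario `down` (a set of failed
    resources). A resource that is itself up but depends on something down inherits that
    outage, which is how interdependencies between resources surface in the result."""
    memo = {} if memo is None else memo
    if name in memo:
        return memo[name]
    res = catalogue[name]
    own = res.recovery_hours if name in down else 0.0
    # For each need, the quickest surviving alternative is used (immediate failover assumed).
    waits = [min(restore_hours(alt, down, catalogue, memo) for alt in need) for need in res.needs]
    memo[name] = max([own, *waits])
    return memo[name]


def service_restore_hours(down, needs=IBS_NEEDS, catalogue=CATALOGUE):
    """Hours until the important business service is back, under scenario `down`."""
    memo = {}
    return max(min(restore_hours(alt, down, catalogue, memo) for alt in need) for need in needs)


def within_tolerance(down, tolerance=IBS_TOLERANCE_HOURS):
    return service_restore_hours(down) <= tolerance


def single_points_of_failure(tolerance=IBS_TOLERANCE_HOURS, catalogue=CATALOGUE):
    """Resources whose loss on its own would breach the impact tolerance."""
    return sorted(n for n in catalogue if service_restore_hours({n}, catalogue=catalogue) > tolerance)


if __name__ == "__main__":
    for r in CATALOGUE:
        print(f"{r:25s} lost -> service restored in {service_restore_hours({r}):5.1f}h")
    print("single points of failure:", single_points_of_failure())
    # A compound, severe-yet-plausible scenario: office unusable and remote access down together.
    print("office + remote access down, within tolerance:",
          within_tolerance({"london_office", "remote_access"}))
```

Note that the cloud provider breaches the tolerance even though the online banking platform’s own recovery time is within it, because both the platform and the team’s remote access route sit on that one provider.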


Third parties are key to operational resilience


The regulators have highlighted that third parties should very much be included in operational resilience mapping and scenario testing exercises.


As such, it’s clear that they want firms to build operational risk and resilience measures around critical third parties.


They expect firms to review and, where required, adapt third party outsourcing arrangements to ensure resilience. This will ensure that the failure of the third party doesn’t lead to the failure of the service as a whole and a breach of service.


Regulators also suggested that firms: “may have to build substitutability into the way services are delivered” (4).


Putting this all together suggests that they want firms to go further than traditional business continuity plans and grapple with the possibility of a complete failure of a third party. Firms must demonstrate that they have the operational risk and resilience measures in place so as not to breach impact tolerances if that should happen.


These goals may be difficult to achieve for firms that have built their businesses on cloud service providers. This direction is reinforced by the PRA’s Outsourcing and Third Party Risk Management regulations (SS2/21).


We’ll be exploring this topic in more detail in future newsletters! 


Build resilience within your firm


As mentioned, the implementation of an operational resilience framework is just a starting point that allows firms to articulate their level of resilience and where they need to focus.


The regulators are looking for firms to be concerned with:


  • Practical outcomes;

  • Lessons learned about their resilience through their programmes;

  • And, most importantly, what they’re doing to address these and make their firms more resilient.


This will involve building action plans to address resilience gaps and vulnerabilities identified through mapping and scenario testing exercises. These action plans should also be actively managed.


Where the vulnerabilities are severe enough to threaten a firm’s ability to remain within impact tolerances, these plans should be implemented by the end of March 2025.


That feels like a long time. However, if action plans require, say, the re-architecture of technology platforms to reduce reliance on a third party, that timeframe could start to feel much tighter.


Compliance vs resilience: Creating a resilient culture


The regulators again stressed that they don’t want operational resilience to just be a compliance exercise.


They “expect resilience to be embedded in the way firms do business” and that “operational resilience cannot be achieved through compliance alone” (5).


On the surface, this seems an odd concept – a regulator issues new regulations and wants firms to comply with them and then go further, where the former comes with a clear set of rules and the latter doesn’t.


However, the underlying point here is that following the regulatory rules alone won’t guarantee that a firm will become genuinely resilient.


The regulations provide a framework for you to understand and begin to manage the level of resilience within your organisation.


Ultimately, for a firm to build resilience within its organisation, it needs to choose to be resilient.


In order to do that, it has to understand and be able to articulate the value of resilience to the business as a whole.


This is about building a resilient culture in a firm. Resilience must be considered in all areas and at all levels, baking it into the organisation rather than being addressed as an individual concern. 


A resilient culture can sound like a slightly nebulous concept. So here are some practical ways in which it can be achieved.


i) Have a mechanism to ensure that resilience considerations are included in business strategy decisions

When discussing where and how new business services are to be delivered, include resilience as a factor in decision making.


For example:


  • Should we locate the next 50 staff in the same location as the existing 100?

  • Should we outsource 100% of our core technology to a single cloud provider?


ii) Ensure board-level engagement


It’s a regulatory requirement that the self-assessment document should be approved at board level.


However, to build a resilient culture, board-level involvement should extend further beyond that.


The board should be aware of and actively manage the firm’s resilience posture, in many cases so that it can answer some of those business strategy questions.


Board-level involvement will also be required to decide how to address resilience gaps.


This is particularly important because becoming more resilient sometimes comes at a cost, either in terms of cash, efficiency or opportunity.


Treading that difficult line between furthering the business and protecting the business needs to be done by the top-level decision makers in the company.


iii) Involve more than just "required" staff in operational resilience processes


Look to involve more than just your risk teams and some key business leads in your operational resilience programme.


One potentially effective way to do this would be through scenario testing.


Involving wider teams in scenario testing will give them an understanding of operational resilience, and could mean they start to think more about resilience in their day jobs.


Involving staff in practical scenario testing may well prove more effective than traditional compliance training.


Business benefits of a resilience culture


There’s no doubt that running a compliant operational resilience programme requires a great deal of effort and resources.


However, it’s also true that building resilience into a company can have a number of genuine business benefits that go beyond simply staying on the right side of the regulators.


This applies as much for smaller companies as it does for larger ones.


Startup and scale-up companies are often primarily concerned with growing their business as best and as fast as possible with the limited resources available (and for good reason).


They often don’t put as many measures in place to protect the business they’re building until they become much larger, or when a client, regulator or an investor demands it of them.


At this point, it can be difficult and costly to retrospectively engineer resilience into the business. Had resilience been considered earlier, it could have grown in a resilient way.


For example, firms could have:


  • Split technology across multiple providers

  • Created a hybrid working model where staff aren’t co-located in a single location

  • Cross-trained staff so that more people were able to undertake critical business processes


In today’s climate where there’s so much economic, social and geopolitical uncertainty, showing clients and customers that resilience is at the heart of your business gives them confidence. It proves that you can deliver services effectively even in the face of disruption, and can act as a differentiator to your competitors.


Transform your operational compliance into a resilience culture


It’s clear that operational resilience is a key focus for regulators, and that requiring firms to implement a compliant framework is just the beginning. They want firms’ programmes to evolve in sophistication and become embedded in their businesses.


While this will undoubtedly require some effort, when done right it can bring some genuine benefits to financial businesses beyond just regulatory compliance.


To leverage a sporting analogy, once on the field of play, a compliant approach will ensure you don’t concede any goals. With a resilient culture, on the other hand, you might actually score a few.



Article References:

1 https://www.bankofengland.co.uk/speech/2022/may/duncan-mackinnon-speech-at-the-city-and-financial-9th-annual-operational-resilience

2 https://www.fca.org.uk/publication/policy/ps21-3-operational-resilience.pdf

3 https://www.bankofengland.co.uk/speech/2022/may/duncan-mackinnon-speech-at-the-city-and-financial-9th-annual-operational-resilience

4 RTO – “Recovery Time Objective”

5 https://www.bankofengland.co.uk/speech/2022/may/duncan-mackinnon-speech-at-the-city-and-financial-9th-annual-operational-resilience

6 https://www.bankofengland.co.uk/speech/2022/may/duncan-mackinnon-speech-at-the-city-and-financial-9th-annual-operational-resilience


 

Could you benefit from Westbourne's services?


Westbourne is a risk management consultancy for the financial services and FinTech industries.


As leading specialists in their field, they support firms of all sizes, from startups to some of the world's largest financial institutions. They also provide expertise within global regulatory environments across the areas they support, most notably in the U.S., Singapore and Hong Kong.

Westbourne helps firms enhance the way they manage risk and meet regulatory requirements, with risk management frameworks that give you confidence in your operations.


Providing risk management services to the next generation of financial firms, they take advantage of the latest technologies and innovative methodologies to make risk management simpler, more flexible and more effective, helping you achieve your goals faster.




Westbourne specialise in the following areas:




Learn more about Westbourne's services > https://www.westbourneglobal.co.uk/our-services
