The Future of Regulation: Building resilience with systemic change

Paige McNamee

Senior Reporter, Finextra

This is an extract from Finextra's The Future of Regulation 2022 report.

With financial services increasingly dependent on technology, players across the landscape must work toward building robust processes to ensure operational resilience. Incoming rules introduced by UK regulators are designed to guide firms in their plans for operational resilience, with exacting requirements likely to be felt not only by incumbents, but also by fintechs.

Catherine Gibaud, Senior Advisor at A&O Consulting, explains that operational resilience has been brought to the fore as regulators including the FCA, PRA and the Bank of England continue to hold the view that operational resilience is at least as important as financial resilience.

“Operational disruptions can cause far-reaching harm to consumers and risk market integrity. Disruptions can also threaten the viability of firms and cause instability in the financial system.”

Noting the severe disruption caused by the pandemic, Gibaud adds that firms have had to maintain their services despite moving to widespread remote working, and despite challenges to their control environments and staff wellbeing.

“The pandemic has shown why it is critically important for firms to understand the important business services they provide and to protect themselves, consumers and markets. Regulators expect that firms should be operationally resilient against multiple forms of disruption to minimise the harm caused to consumers and markets.”

As firms begin to implement the new rules and guidance and begin scenario testing in the coming months, regulators will ask boards and senior managers to identify their firm’s operational resilience vulnerabilities and drive improvement where weaknesses are found.

“This topic is a strategic priority for the regulators and one where they have shown their willingness to use their supervisory and, in more serious cases, enforcement powers to address potential and crystallised risks.”

The FCA published its final operational resilience Policy Statement in March 2021, sharing the policy summary with the Bank of England and the PRA.

Gibaud notes that the regulators expect firms and the financial sector to implement these requirements, so they are better prepared to prevent, adapt, respond to, recover, and learn from operational disruptions. During 2021/22, the FCA will assess firms’ progress in implementing these new operational resilience requirements and identify areas for improvement.

While Gibaud observes that in A&O’s experience, client firms are taking steps to prepare for the March 2022 deadline, there still remains much to do.

With rules starting to apply from 31 March 2022, in-scope firms will need to have identified their important business services, set impact tolerances for the maximum tolerable disruption to each of those services and carried out initial mapping and testing at a level which allows them to set the tolerances. As soon as possible after 31 March 2022 (and no later than 31 March 2025) firms must have performed mapping and testing so that they are confident they can remain within their impact tolerances for each important business service.

An important business service, Gibaud explains, according to the FCA, means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:

  1. cause intolerable levels of harm to one or more of the firm’s clients; or
  2. pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of financial markets.

Users of these important business services must be identifiable, whether retail consumers, business customers or market participants. Firms are required, when scenario testing, to identify their “severe but plausible” scenarios and to take action to ensure that they remain within their impact tolerances in those scenarios.

“The regulators expect firms to consider previous actual incidents or ‘near misses’ within the firm, across the financial sector and in other sectors and jurisdictions, to build these scenarios, and they are expected to evolve as the firm learns from the scenario testing process. In an increasingly interconnected financial system, the cause of disruption may increasingly be unpredictable and give rise to cross border and possibly global challenges (e.g. failures in cyber security or disruption from pandemic) and firms should reflect this in their scenario testing and mapping.”

The nature and severity of scenarios appropriate for firms to use will vary according to size, complexity, and the firm’s importance to the financial system.

“However, if the firm chooses a scenario that is insufficiently severe, regulators warn that they may view this as boards and senior management possibly taking inappropriate risks with the running of their businesses. The supervisory authorities expect this will be a common area for supervisory discussion – supervisors will ask how firms have selected their scenarios and why. Best practice in this regard is expected to develop over time.”

It is possible that fintechs outside the scope of the rules may still be indirectly impacted through the mapping requirements. Because firms within the scope of the operational resilience regime must consider not only the vulnerabilities in their internal systems but also the resilience of their third-party providers, fintechs may be brought into scope. The Wirecard saga is a clear example of the potential disruption that can be caused by the failure of a third-party provider.

Regulators are increasingly attuned to third party risk management, with the FCA confirming that it will continue applying the European Banking Authority’s guidelines on outsourcing.

Catherine Gibaud, Senior Advisor at A&O Consulting, lists key factors to help financial institutions better prepare for the upcoming changes:

  • The role of Boards and senior management is central to the regulators’ operational resilience policy. 
  • Boards are accountable for, and should approve, the identification of their firm’s important business services, impact tolerances and self-assessment. As with any regulatory change project, firms need to ensure that they have appropriate governance to oversee the project, senior management engagement and oversight and that they have a robust audit trail of steps taken to implement the new requirements.
  • The ability of firms to deliver on regulators’ requirements depends on appropriate reporting and accountability throughout the firm. Where limitations are identified, leadership from firms’ board and senior management is essential to prioritise the investment and cultural change required to improve operational resilience.
  • Firms may arrive at different impact tolerances for similar business services as a result of differences in the nature and scale of their client bases. The regulators emphasise that, rather than look for definitions or examples from other firms, it is important that boards and senior management take the lead and make judgements in the selection of their own important business services and the formulation of their own strategy detailing how they will comply with regulators’ requirements. 
  • Boards will need to work with senior management to set impact tolerances that are appropriate for their organisation. Further, board chairs must ensure that the board has adequate knowledge, skills and experience to provide constructive challenge in relation to choice of important business services and impact tolerances, and that the board articulates and maintains a culture of risk awareness and ethical behaviour for the organisation which drives the firm’s operational resilience. Note that, where applicable, the SMF24 (Chief Operations) role includes responsibility for the firm’s operational resilience.
  • The regulators’ new rules relating to operational resilience will come into force on 31 March 2022. Firms and FMIs must identify their important business services and set impact tolerances by 31 March 2022. Despite feedback requesting flexibility in relation to mapping and testing beyond that 12 month deadline, the regulators have emphasised that they do expect firms and FMIs to have mapped their important business services and started their programme of scenario testing by March 2022, while acknowledging that both mapping and scenario testing are ongoing processes and that firms’ approach to both will evolve and become more sophisticated over time.
  • From March 2022, firms must work to ensure that they have comprehensive strategies, sound processes and effective systems that enable them to address risks to their ability to remain within their impact tolerance for each important business service, in the event of a severe but plausible disruption. Firms must be able to remain within their impact tolerances (as defined in the new rules) as soon as reasonably practicable, but no later than 31 March 2025, i.e. within 3 years of the “in force” date.
  • Firms are also expected to comply with the PRA’s new expectations in relation to outsourcing and management of third party risk from 31 March 2022. In particular, firms should take steps to ensure that outsourcing arrangements that they enter into on or after 31 March 2021 meet these expectations by 31 March 2022. Firms should seek to review and, where necessary, update legacy outsourcing agreements entered into before 31 March 2021 at the “first appropriate contractual renewal or revision point” in order to meet the PRA’s expectations as soon as possible on or after 31 March 2022.
  • From 31 March 2022 to 31 March 2025, the regulators will assess firms’ progress in being able to remain within their impact tolerances, i.e. the maximum tolerable amount of disruption to an important business service. This will be a measure of whether or not the changes to the operational resilience rules and guidance have been effective in improving the operational resilience of the UK’s financial services firms.