The FCA recently held a webinar on Operational Resilience as a ‘checkpoint’ for firms to see how they measure up against FCA expectations. This is two months ahead of the 31 March deadline for the first operational resilience policy milestone – identifying important business services, setting impact tolerances, and carrying out mapping and testing. Firms will also need to have run a lessons learned exercise, developed internal and external communications plans, and prepared a self-assessment document providing a snapshot of their operational resilience at that point in time. It is important to note that the self-assessment document can be requested by the regulator at any time (for example, if there is a breach of impact tolerance) and must be approved (and regularly reviewed) by the board/governing body. This means that the board/governing body should be involved in the preparation process at an early stage.
The FCA explained that it doesn’t expect the mapping and testing to be carried out to ‘full sophistication’ by the end of March; however, the FCA does expect the mapping and testing process to be sufficiently advanced to have identified important business services, set impact tolerances and identified operational resilience vulnerabilities. Overall, having reviewed responses from firms on their ongoing work, the regulators were pleased to note that firms are making good progress.
The regulator spent some time explaining what constitutes an ‘important business service’. The FCA stressed that these are services provided to external customers – internal functions that support external services should be identified and mapped, but not listed as ‘important business services’. A distinct rationale should be provided for each important business service identified, and the regulator added that metrics around consumer impact are particularly helpful.
The regulator also explained that impact tolerances are distinct from internal risk tolerances, and the former should be perceived as the point where intolerable harm is being caused to consumers or there is a risk to market integrity. Intolerable harm to consumers in this context is explained as harm from which consumers cannot easily recover. The FCA emphasised that firms should think proactively about how to avoid ever breaching an impact tolerance (e.g. investing in systems, processes and people), rather than thinking about how they would rectify the service once the tolerance has been breached. While disruptions will occur, firms should be sufficiently resilient to ensure these disruptions don’t cause a breach of impact tolerances.
The March deadline is followed by a ‘transitional period’ during which firms should continue mapping, testing and investing to operate consistently within impact tolerances. It is clear that this should be an ongoing area of focus and investment for firms, and operational resilience is going to be a permanent feature of the regulatory landscape. As threats to firms evolve, so will the resilience of the financial sector, as firms continue to future-proof their businesses.
‘Time and again, we are being reminded that the threats to your ongoing business services are real, evolving and may even be increasing. It's your readiness, therefore, that determines the outcome.’ Financial Conduct Authority