Operational Resilience – A Year On…
In a few weeks’ time, Operational Resilience will mark its first anniversary following regulation day on 31st March 2022. This also marks the end of the first year of the transitional period.
During the three-year transitional period to 31st March 2025, firms are expected to stay within their impact tolerances as soon as reasonably practicable and report breaches of their tolerance levels to the regulator. At least annually, firms must review their Important Business Services and update their self-assessment documentation, which must be available for inspection. The level of sophistication surrounding mapping and scenario-based testing is to increase.
It’s very clear that the FCA is set to continue its focus on minimising the impact of operational disruptions. In its three-year Strategy, the FCA states ‘Operational disruptions are inevitable. Firms must be able to respond to, recover and learn from and prevent future operational disruptions.’
Currently, the Operational Resilience requirements apply to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, Enhanced scope Senior Managers and Certification Regime firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
However, this is only the start of the journey. Following the implementation of the Operational Resilience framework requirements, the FCA, together with the PRA and Bank of England, has published a Discussion Paper (DP3/22) on potential measures to oversee critical third parties. The discussion paper highlights the relevant sections of the Financial Services and Markets Bill that was put before Parliament in July 2022 and sets out the framework for managing the systemic risks posed by critical third-party suppliers. The potential measures will mean the supervisory bodies will be able to identify critical third-party suppliers, set minimum resilience standards for them in respect of the material services they provide to firms and set out ways to test their resilience.
For firms who are already subject to the Operational Resilience requirements, the FCA has provided some useful insights from its review of insurance firms. The FCA identified areas for improvement within firms and noted that some firms had not demonstrated an understanding of the FCA and PRA guidelines or had not yet applied them fully to their operational resilience programmes.
Another area for improvement was that some firms did not identify important business services that would reasonably be expected for the firm's business model, or included internal or irrelevant business services. Some firms did not consider harm caused to consumers through being unable to purchase, amend or renew products, or consider the impact of unavailable important business services on vulnerable customers. In contrast, some firms seem to have demonstrated a clear understanding of the requirements of the Operational Resilience framework, identified all important business services expected and considered the possible harms at various stages of the customer journey.
Wherever you are on your Operational Resilience journey, we can help, and we will soon have some useful resources on our dedicated resources page.