Building Operational Resilience – Financial Service regulators introducing new rules

Regulators are introducing new rules to strengthen operational resilience in the financial services sector. As firms continue to experience disruption from coronavirus, we ask — how can firms quickly implement the new rules and remediate risks?

Operational resilience is the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover from, and learn from operational disruptions.

Operational disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and market integrity, threaten the viability of firms, and cause instability in the financial system.

Supervisory authorities around the world are responsible for defining the level of operational resilience required such that the provision of these services can be maintained in the event of disruptions.

In March 2021 the Bank of England, Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) published a shared policy statement detailing new regulatory requirements aimed at strengthening operational resilience for financial services firms.

These requirements follow an industry consultation that started in December 2019 (pre-dating Covid-19) and follow a shift in supervisory discussion at the international level aimed at broadening the scope of operational resilience and standardising industry practices.

The disruption caused by the pandemic has demonstrated why it is critically important for firms to understand the services they provide and invest in their resilience to protect themselves, their consumers, and the market from disruption. 

What are the new rules?

The new regulatory rules published by U.K. authorities (consistent with guidance issued by financial sector authorities in response to the Covid-19 crisis) show that operational resilience standards need to include the following elements:

• Service Identification— identify the important business services that if disrupted could cause harm to consumers or market integrity.
• Mapping — identify the people, processes, technology, facilities, and information that support a firm’s important business services.
• Third-Party Providers — understand dependencies on external service providers and ensure that critical suppliers are sufficiently prepared for scenarios in which there will be heavy reliance on their services.
• Technology — ensure that IT infrastructure can support a sharp increase in usage over an extended period and take steps to safeguard information security.
• Impact Tolerances — set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption).

Existing requirements on firms to manage operational risk or business continuity planning will remain in place — including current arrangements for outsourcing and other third-party service providers.

Who is impacted, and when?

The rules impact a broad range of buy-side, sell-side, and market infrastructure participants, including banks and building societies, investment firms, insurers, exchanges, and any firm registered under the Payment Services Regulations or Electronic Money Regulations.

The U.K. authorities have announced the following timeline:

1. March 2021: PS21/3 published — 1-year implementation period begins for firms to operationalise the policy framework.
2. March 2022: Final rules come into force— implementation period ends, and 3-year transitional period begins for firms to remain within their impact tolerances as soon as reasonably practicable.
3. March 2025: Transition period ends

What do firms need to do?

During the implementation period which runs to 31 March 2022, firms need to carry out mapping to a level necessary to accurately identify their important business services, set impact tolerances, and identify any vulnerabilities in their operational resilience.

Traditionally, most firms approach this mapping exercise top-down— they create a high-level description of their business services and then link each service to their operating model, process model, application architecture, and supplier list.

This approach has some drawbacks:

• impact tolerances have to be estimated.
• the mapping exercise is static and is not kept up-to-date when changes occur (new staff, applications, business services, etc).
• it is time-consuming and expensive to deliver — firms often have to employ external consulting firms to conduct interviews with staff and manually document findings.
• mapping is inaccurate and/or incomplete.
  

How can firms implement the new rules quickly?

Operational issues always manifest themselves in a firm’s enterprise communications data. For example:

• when a system fails a ticket is raised in an incident tracking system.
• when a client has an issue they call or email the customer service team.
• when a process breaks the operations team receives email alerts.
• … etc.

By analysing communications data, we can:

1. identify all historical operational resiliency issues and precisely understand actual impact tolerances.
2. automate the mapping of people, processes, systems, etc that support each business process.
3. monitor each business service in real-time against agreed tolerances.
4. keep mapping up-to-date as the operational landscape changes.
5. use live data to validate that mapping is always accurate and complete.

By focusing on mapping, firms will have a clear picture of the resources that enable an important business service to function, and the impact if any of these are disrupted.

Using a data-driven approach is a better way to implement the new regulatory rules, as it offers a much faster time-to-value and is significantly cheaper to implement.

Many of our clients are integrating these and other regulatory requirements with their broader digital transformation strategy.