The 31 March deadline for financial firms to prepare and document their PRA self-assessments may have passed, and most financial institutions have identified their Important Business Services, but many have not yet carried out the required testing to demonstrate that they are able to recover from potential disruptions.
WHAT IS OPERATIONAL RESILIENCE?
Operational resilience means having the plans in place to protect your business from threats, disruptions, and potential failures. Understanding the impact these will have on your business, and being able to respond and adapt to change, is key to future-proofing your business.
A successful operational resilience strategy requires you to have a thorough understanding of your business-critical success factors and points of failure.
In 2019 the FCA proposed changes to how firms address their operational resilience with the intention of improving the resilience of the UK financial sector.
Following a period of consultation, a set of rules was published in March 2021. These rules set out the requirements that all applicable financially regulated firms have to adhere to.
WHAT ARE THE FCA GUIDELINES?
The new FCA (Financial Conduct Authority) rules and guidance for assuring sufficient levels of operational resilience come into force on 31 March 2022 (see FCA handbook section SYSC 15A). The new rules require all FCA regulated organisations to:
- Have identified their Important Business Services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.
- As soon as possible after 31 March 2022, and no later than 31 March 2025, have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.
Applicable FCA regulated organisations must comply with the new rules to bring their own operational resilience to a level acceptable to the FCA and to avoid regulatory sanctions (such as financial penalties, suspensions, restrictions, conditions, limitations, disciplinary prohibitions, and public censures). You can refer to the FCA handbook enforcement guide for details.
If your organisation is FCA regulated, you are required to understand your organisation’s current level of compliance (and any actions required to ensure compliance with these new rules), and you must undertake, and keep a record of, regular self-assessment as the mechanism for establishing the extent of your organisation’s compliance (see SYSC 15A.6).
OPERATIONAL RESILIENCE TIMELINE
The UK rules will apply from 31 March 2022, although there is a transition period before firms and market infrastructure are required to remain within tolerance levels. Our timeline below outlines the key deadlines for compliance.
March 2021: PS21/3 is published, triggering a 12-month implementation period.
31 March 2022: The implementation period ends and the rules apply. Firms then have a 3-year transitional period in which to bring themselves within their impact tolerances as soon as reasonably practicable. By this date, firms must have:
1. Identified their important business services (IBS).
2. Set impact tolerances for each IBS.
3. Mapped their dependencies sufficiently to have completed points 1 and 2 above.
4. Carried out scenario testing sufficiently to have completed points 1 and 2 above.
5. Produced their first self-assessment document (to be updated regularly after that).
31 March 2025: The transitional period ends. By this date, and ideally well before it, firms must have:
- Developed mapping and testing to a more sophisticated level.
- Become able to stay consistently within their impact tolerances.
DAISY’S OPERATIONAL RESILIENCE ASSESSMENT
If you don’t have enough time to spend on operational resilience, or if business continuity/operational resilience is not your full-time role, then Daisy can help. Daisy’s business continuity consultants can work with you to interpret the rules for your organisation and help you gather and record sufficient evidence of compliance and sufficient levels of operational resilience.
The Operational Resilience Assessment takes two approaches, based on the firm’s maturity level of operational resilience (as defined by the FCA Handbook section SYSC 15A):
- Firms that already have mature operational resilience in place will be offered a “self-assessment”, as defined in section SYSC 15A.6 of the handbook. Firms are required to conduct self-assessments regularly.
- Firms that do not yet have mature operational resilience will be offered the “roadmap” version of the service. The same Daisy consultancy templates are used, but the focus is on advising on the next steps and actions for improvement, setting out a roadmap for the firm’s operational resilience.
This is delivered by:
- Meeting with your representatives responsible for operational resilience at the firm, to ask questions and gather information.
- Presenting the findings and recommended actions in a report, with a review meeting to talk through the findings and actions and to discuss your next steps.
Specialist assistance can:
- Establish how close you are to implementing the operational resilience rules.
- Help you spend more time focussing on other key activities.
- Give you an impartial view from experienced business continuity professionals who are accustomed to working with FCA regulated organisations.
- Track year-on-year progress towards compliance with FCA rules.