Operational Resilience: The Regulator is Knocking…
In recent weeks we have seen the FCA start to reach out to Enhanced Firms for copies of their Operational Resilience Self-Assessment document, along with evidence of Senior Management and Board engagement. Are you ready for their call?
In-scope firms are now well into the three-year transition period which kicked off on 1 April 2022. During this time the FCA expect firms to invest in their operations to improve the Operational Resilience of their Important Business Services (IBS), ensuring they fall within Board-approved tolerance thresholds in severe but plausible stress events. These improvement plans make real the FCA’s and PRA’s Operational Resilience requirements, in what has been described as one of the most important of the regulator’s objectives. The regulators simply did not expect firms to be fully compliant at the end of March last year and see implementing improvements as key to success.
So How are Firms Looking to Improve their Operational Resilience?
1) Vendor Engagement: Effective vendor engagement is crucial. During the initial implementation period a number of firms found that key vendors were reluctant to engage beyond simple Q&As, making this a key focus area for the transition period. Greater dialogue is required on topics such as 4th/5th party dependencies and recovery plans. In the PRA’s recent Discussion Paper, CTPs (critical third parties) have been identified as posing a risk to wider financial stability and are the focus of proposed supervisory measures. One such measure is a ‘range of tools’ for testing the resilience of material services that CTPs provide to firms, which will support engagement. Alpha recently discussed this topic in an article on Critical Third Parties to the UK Financial Sector.
2) Resilience Culture: Communicating the regulator’s aims to Group Boards and embedding resilience culture effectively has been a challenge. As reported by the BCI, 17% of survey respondents suggested that there was no need for an operational resilience programme as they already had a BCP/DR plan in place. Engagement and education are key. Firms are using part of the transition period to continue the required knowledge sharing (Reference: BCI, 2022). We have also seen Core firms – not directly in scope of the regulation – look to apply its principles to support rolling out more effective resilience regimes.
3) Disaster Recovery Plans: IBS scenario testing has revealed gaps in firms’ Business Continuity and Disaster Recovery plans. These plans have not been challenged to the level of rigor demanded by the new Operational Resilience regime, and plugging these gaps is a high-priority item.
4) Cyber Security: A topic almost universally acknowledged as a key concern. Firms, particularly those in scope for the EBA’s DORA requirements (Digital Operational Resilience Act), will be paying close attention to their local cyber resilience frameworks to address ‘any reasonably identifiable IT risks’. Key IT estate management will cover tools (systems/protocols), the IT supply chain and exit strategies. Of note, DORA also applies to third party IT service providers, which goes one step further in the value chain than the FCA’s equivalent (Reference: IT Pro, 2022).
General opinion from firms is that the FCA left requirements deliberately vague. Whilst this has allowed for some flexibility during implementation, it also raises the risk of divergent and/or non-compliant approaches. Industry focus groups have highlighted the usefulness of peer-group collaboration for validating improvement plans, as well as engagement with independent advisors.
There is more expected from the regulators to improve Operational Resilience; whilst the ‘initial push’ is complete, many firms are yet to work resilience arrangements into their OpModels as the ‘new normal’. Questions persist for both Enhanced and Core scope firms, with the potential expansion to CTPs likely to require ongoing impact assessments and consideration for some time. Now that the FCA are reviewing firms’ plans, you should be prepared for further FCA guidance in the coming months and we’d be happy to discuss how you can be ready.