FCA's Priority of Operational Resilience - What Does That Mean For Your Firm?
High on the FCA’s cross-sector priorities for 2019/20 is ‘operational resilience’. The Regulator has recently turned its attention to technological change, particularly where it might affect consumers or the FCA’s own ability to supervise, so it is no surprise that the potential disruption caused by the failure, or the deliberate compromise, of IT systems and other technologies is high on the agenda.
The FCA acknowledges that, alongside firms’ increasing use of new technologies, reliance on third-party service providers brings additional risks of harm, and it considers that building operational resilience is in the public interest and a vital part of protecting both the financial system and consumers.
As well as technological advances, recent cyber-attacks and data breaches are also likely to be behind the increased focus on the resilience of firms’ systems.
In a consultation opened on 5 December 2019, the FCA proposes a set of new requirements, intended to enhance operational resilience, for firms including banks, building societies, PRA-designated investment firms, Solvency II firms, RIEs, Enhanced scope SM&CR firms and entities authorised or registered under the PSRs 2017 / EMRs 2011. The measures are aimed at ensuring firms are able to resume services quickly following any disruption.
The FCA defines operational resilience as ‘the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.’ The consultation also helps to clarify the difference between operational risk and operational resilience. Operational risks are specific risks to the firm, and risk management is the process by which the firm accepts, tolerates or avoids those risks. Operational resilience is an outcome: whatever the risk, and however the firm manages it, the firm remains operational.
In short, the regulator wants firms to consider the impact of disruption, including technology failures, cyber-security breaches and other plausible internal and external incidents, whether or not these are within the firm’s control. The rationale is that when a product or business service becomes unavailable, the individuals, businesses and markets that rely on it can be harmed, and that harm can in turn cause instability in the financial system.
The proposals are to require firms to:
Identify important business services that, if disrupted, could cause harm to consumers or market integrity
Map – identify and document the people, processes, technology, facilities and information that support a firm’s important business services
Set impact tolerances for each important business service (i.e. thresholds for maximum tolerable disruption)
Test their ability to remain within their impact tolerances, and invest in their ability to respond to and recover from disruptions as effectively as possible
Develop internal and external communications plans for when important business services are disrupted
Create a self-assessment document
In other words, firms are expected to understand their own vulnerabilities and to act where necessary; identification, mapping, testing and developing back-up plans is not the end of it. Where weaknesses are identified, firms will be expected to put improvements in place, as well as clarifying and documenting the processes to follow if the worst happens. Firms should be analysing potential issues proactively. It should not take a major event for a firm to become aware of its weaknesses, and firms should be well prepared to support customers and resume services when events do happen.
The consultation paper makes the context of each proposal clear, which is particularly helpful where new terminology, such as ‘impact tolerances’, may cause confusion. An impact tolerance is different from a risk tolerance: it is the maximum level of disruption a firm can withstand, and should be expressed in terms of variables such as the maximum tolerable duration and any other appropriate measure, for example the volume of disruption or a measure of data integrity. It differs from risk appetite because it assumes the worst has already happened; setting and measuring impact tolerances enables firms to put plans in place to protect customers and the market now, rather than only after an event has exposed a weakness.
The new requirements are designed to be proportionate to the type of business conducted. In practice, what is required will depend on the number of important business services a firm has, which is likely to reflect the firm’s role and size; smaller and less complex firms will have fewer and simpler important business services. Firms are expected to consider severe but plausible scenarios, not every possible scenario.
Although this consultation does not apply to all firms, the paper suggests that all firms may want to consider the proposals in light of the organisation of their own business.
The consultation closes on 3 April 2020; the FCA expects to publish finalised rules in a policy statement in 2020.