Operational Resilience and Accountability
Boards and senior management are ultimately responsible for their firm’s operational resilience. Therefore, the Board must have adequate knowledge, skill and experience to provide constructive challenges in relation to the choice of important business services and impact tolerances.
Reminder
In March 2021 the FCA, PRA and Bank of England published final rules and guidance on Operational Resilience. The rules cover three main areas: important business services, impact tolerances and mapping. An important business service is a service provided by a firm which, if disrupted, could cause intolerable levels of harm to the firm’s clients, or pose a risk to the soundness, stability or resilience of the UK financial system. The first requirement of firms has been to identify those important business services, and in doing so firms will have regard to several factors including the nature and size of the service, the amount and sensitivity of data held, and the impact that failure could have on the firm’s financial stability or the stability of the industry. Firms must identify and keep under review the people, processes, technology, facilities and information necessary to deliver each of their important business services.
Impact tolerances must be set for each important business service. These are the maximum level of disruption, measured by time or any other relevant metrics, reflecting the point at which any further disruption to the important business service could cause intolerable harm to any one or more of the firm’s clients or pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
The aim is to demonstrate that important business services can stay within their impact tolerances, and this is measured through scenario testing. The scenarios, or stress tests if you prefer, should be set around severe but plausible disruption to the services. It is also a requirement for firms to complete a self-assessment which shows how they meet the operational resilience requirements, and this must be made available to the regulator on request. Senior Management should review and approve the self-assessment document regularly.
Governance
As firms have implemented the rules and guidance and started scenario testing, boards and senior managers are expected to identify their firm’s operational resilience vulnerabilities and drive improvement where weaknesses are found.
Governance is key to the success of a firm’s operational resilience strategy. Leadership teams must ensure they have appropriate management information to inform decisions that have consequences for operational resilience. This is also important because, where limitations are identified, the business must have clear leadership to prioritise the required change.
A clear challenge of operational resilience is to measure the impact tolerances, and this is where senior management must take the lead and make judgments as to what those impact tolerances are.
As ever, we try to support our clients, and to help with this complex issue we have developed a small suite of templates to assist; they can be found here.