New Operational Resilience Rules Present Challenge and Opportunity
“The disruption caused by COVID-19 has shown why it is critically important for firms to understand the services they provide and invest in their resilience,” the FCA said in its joint statement with the PRA at the end of March on operational resilience. Businesses will have a year to get their systems up to scratch.
Many will be left scratching their heads, both at the scale of the challenge and the short timeframe. However, if handled correctly, this could present an opportunity…
New rules
Policy statement PS21/3, which has been jointly issued by the PRA and the FCA, requires firms to identify vulnerabilities in their operational resilience and set impact tolerance levels for their critical business lines. The deadline to complete this is 31st March 2022, followed by three years to perform mapping and testing, as well as to make sufficient investments to ensure their business operations remain inside these tolerances.
The move appears to have been triggered, at least in part, by the challenges of the pandemic, and a growing recognition that, in the words of the FCA, “operational resilience is at least as important as financial resilience.”
Operational resilience - the ability to continue working in the face of disruption
The last year has provided a perfect case in point in which businesses had to scramble to function in the face of an unprecedented challenge. Some managed it better than others. Ensuring that the UK financial sector is operationally resilient is now top of the regulators’ agenda. As we saw during 2020, many major business services were unavailable and this caused harm to consumers, but had the potential to cause greater and further-reaching harm as well as risk market integrity. Not to mention causing instability within the financial sector as a whole.
The new rules affect building societies, insurers, banks, designated investment firms, Recognised Investment Exchanges (RIEs), enhanced scope SMCR firms, and also those entities registered under PSRs 2017 and/or EMRs 2011). The FCA says, “Firms not subject to these rules should continue to meet their existing obligations.”
How to comply
The new rules come with two challenges. First, a year is not long to get ready. Depending on how far down the line firms are in such preparations, they may have to make considerable adjustments, quickly. The second is the vague nature of the guidelines, which appears to be intentional. Regulators have purposefully issued a wide-ranging set of guidelines to prevent this from becoming a box ticking exercise. By being vague, these rules are intended to provoke real change.
This is an open-ended exercise and firms will have to show real discipline in identifying vulnerabilities and tolerances and then making sure they operate within those parameters. Operational resilience should however be something businesses think about regardless of moves from the regulators, so the new rules come at a good time.
Aside from improving their readiness, this exercise will also be one of those which forces companies to take more control of their data. A by-product of this will be that it helps firms understand their own operations better, identify their risks and possibly uncover opportunities to improve business performance. So, while time is pressing, businesses would be well advised to up their game on operational resilience, for their own benefits as much as for the regulators.
To speak to us or subscribe to our newsletter please contact us here.
Or message us via the chat icon in the bottom right corner of your screen.