Whitepaper

A Guide to Understanding the Operational Resilience Proposals for U.K. Firms and Financial Market Infrastructures

Noggin

Continuity Management Software

Updated September 1, 2023

The timeline of operational resilience proposals

More than a decade after the financial crisis of the late 2000s, operational resilience – the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover, and learn from operational disruptions – remains a key concern of central bankers and other prudential regulators. These stakeholders, of course, were already responsible for erecting a post-crisis regulatory infrastructure intended to bolster the stability of financial markets; so, one might ask, from where do their new resilience concerns issue? 

It appears the interest in operational resilience, above and beyond levels demanded by existing regulation, is a product of the new risk picture, characterized by a hostile cyber environment, technical innovation, increased system complexity, changing mobile behaviors, etc. Indeed, the working assumption of regulators is that as new risk triggers accumulate (see more below), disruption becomes more likely to occur at some point in the future. And that disruption, coming as it will from newer risk factors, will not only prevent firms and FMIs (financial market infrastructures) from operating as usual but might also pose grave peril to the broader financial system.

So, given the changes to the industry-wide risk picture, regulators haven’t been quiet. In recent years, they have taken initial steps to collate pragmatic business continuity, operational resilience, and operational risk management best practices as well as build on existing regulation, all with the end-goal of mandating an industry-wide approach to operational resilience. In the U.K., specifically, the Bank of England (BoE), Prudential Regulatory Authority (PRA), and Financial Conduct Authority (FCA) put out a joint discussion paper, 2018’s “Building the UK financial sector’s operational resilience,” intended to jump-start a dialogue with the financial industry. 

And a dialogue it began. Retail, commercial, custody, and wholesale financial institutions weighed in. The trade association UK Finance and the consultancy EY collected some of those responses in the July 2019 publication, “Perspectives: Operational Resilience in Financial Services.”

There, the report’s drafters came away with two important themes: (1) operational resilience comes from the effective management of risk; (2) response and recovery capabilities, particularly incident management and business continuity, have long been foundational to effective operational risk management. What’s called for now, in the industry’s estimation, is the addition of broader risk management techniques that cut across silos and focus on end-to-end business services, not just individual teams, systems, and/or facilities.

On that point, the industry and regulators prove to be in alignment. Case in point: at the end of 2019, the supervisory authorities, BoE, PRA, and FCA, put out a list of proposals to begin embedding a uniform, systematic approach to operational resilience into policy. The proposals consisted of the following: 

  • PRA Consultation Paper (CP), including draft rules, a draft Statement of Policy (SoP), and a draft Supervisory Statement (SS)
  • PRA CP on outsourcing and third-party risk management
  • FCA CP, including draft rules and guidance, as well as chapters on outsourcing
  • Individual CPs issued by the BoE for central counterparties and securities depositories

Risk factors for financial sector disruption

Root causes of disruption

  • Change management
  • Third-party failure
  • Software/application issue
  • Cyber attack
  • Hardware issue
  • Human error
  • Capacity management
  • Process/control failure
  • External factors
  • Root cause not found

Top resilience concerns for bank functions

  • Cyber risks
  • Critical third-party outage
  • Prolonged IT outages
  • Data unavailability
  • Critical data being destroyed
  • IT obsolescence

Source: UK Finance and EY, “Perspectives: Operational Resilience in Financial Services”

What’s come out so far are merely proposals, intended at this stage to solicit more industry feedback. And then? Well, the supervisory authorities have given the industry until April 2020 to respond to their proposals. That feedback will then be incorporated into final proposals, set for circulation in late 2020. After that, the industry will have until the second half of 2021 (Brexit notwithstanding) to fully implement the final proposals. As the industry has every reason to believe that the proposals will require substantive, end-to-end modifications to the way resilience is managed, this guide recaps what’s gone on so far, so as to preview what might be coming.

Important dates for feedback and implementation

  • December 2019. Supervisory authorities publish proposals which would embed an approach to operational resilience into policy
  • April 2020. Consultation on proposals closes
  • Late 2020. Final operational resilience policies to come out
  • Second half of 2021. Proposed implementation date for firms and FMIs

Examining the joint discussion paper

First, the original discussion paper. Published in July 2018, the joint discussion paper, “Building the UK financial sector’s operational resilience,” lays out what the supervisory authorities – charged as they are with safeguarding financial stability – think about operational resilience. Important here is what those authorities determined constitutes operational resilience:

  • Clear understanding of the most important business service or services
  • Comprehensive understanding and mapping of the systems and processes that support these business services, including those over which the firm or FMI may not have direct control, including an understanding of the resilience of outsourced providers or entities within the same group but in another jurisdiction
  • Knowledge of how the failure of an individual system or process could impact the provision of the business service
  • Knowledge of which systems and processes are capable of being substituted during disruption so that business services can continue to be delivered
  • Tested plans that would enable firms and FMIs to continue or resume business services when disruptions occur
  • Effective internal communication plans, escalation paths, and identified decision makers
  • Specific external communication plans for the most important business services, which provide timely information for customers, other market participants and the supervisory authorities 

Given the broad definition, interventions to improve operational resilience will require complementary approaches to tackling the continuity of business services considered vital – in other words, services that, if disrupted, would lead to significant customer loss, financial loss, or reputational damage.[i]

What would improving operational resilience mean according to this approach? Foremost, it would entail identifying the most important business services and ascertaining how much disruption could be tolerated, in what circumstance. This concept is called setting impact tolerances. And according to the supervisory authorities, boards and senior management should play a key role in setting impact tolerances for the operational disruption of important business services in their firms or FMIs – the tolerances themselves are to be expressed by reference to specific outcomes and metrics. 

Still, setting these impact tolerances shouldn’t be an academic pursuit. The business benefits of doing so can be tangible. For one, setting a tolerance for impact, or disruption, helps the firm or FMI to prioritize investment and resource allocation. What’s more, it clarifies the scope when firms and FMIs want to test resilience, as well as providing sharper focus for supervisory engagement.

Setting impact tolerances alone won’t ensure operational resilience, though. Business continuity and contingency planning help, as well. Some of that work might already be complete or ongoing; supervisory authorities already require firms and FMIs to undertake appropriate contingency planning and maintain continuity plans that suitably explain how they will respond to and recover from likely disruptions. But given new regulatory focus on important business services, contingency plans should be redrafted to give greater attention to a firm’s or FMI’s most important business services. Those services are often outsourced, a source of risk in and of itself; and so, contingency plans must also cover third-party providers.

Besides business continuity, operational resilience initiatives must be in alignment with other activities that are likely already occurring across the organization; those include financial resilience, disaster recovery, cyber response (a top risk), and operational continuity in resolution.

The original discussion paper also addresses the need for effective crisis communications, as a means of mitigating consumer harm (not to mention, reputational damage). What measures should be undertaken, specifically? To be effective, business continuity interventions require prompt and meaningful communications, targeted to both internal and external parties – examples of the latter include supervisory authorities, consumers, other clients, and the press. At a basic level, viable plans will specify how to get hold of key constituencies, operational staff, as well as consumers, suppliers, and authorities.

Improve operational resilience with pragmatic business continuity management software

With the rise of new risks in finance, achieving operational resilience can be more challenging than ever. But developing effective business continuity management (BCM) protocols with the help of pragmatic business continuity management software can help, especially with forthcoming mandates to invest in the ability to respond to and recover from disruptions by having appropriate systems, oversight, and training. Here are some of the technology factors to consider: 

  • Identify the most important business services (and underlying dependencies), and how much disruption could be tolerated in what circumstance. The BIA (Business Impact Analysis) is intended to help organizations isolate critical business functions in tandem with the processes and resources needed to support those functions, as well as assess how the failure of an individual system or process impacts the business service. But it shouldn’t become a laborious, academic exercise.

    Instead, firms and FMIs should invest in BCM software, with easy-to-use functionality, that defines domains, critical business activities, assets and sites, as well as records inter-dependencies. The solution should also be able to create registers of critical business activities, risks, insurances, roles and responsibilities, as well as assess the risk and impact of outages across all activities, assets, and sites. On the risk control side, the solution needs to implement risk treatment plans and actions to mitigate risks and/or reduce the likelihood of impact.
  • Map the systems and processes that support these business services; clearly define ownership. Find software that enables managers to assign and track business impact assessments and other risk management activities for organizational unit owners. In addition, the solution should allow teams to easily visualize the locations of specific risks (also incidents, people, and assets) with fully integrated mapping features.
  • Test, using scenarios and by learning from experience, that resilience meets the firm’s tolerance. New mandates make scenario testing a firm requirement. To facilitate testing, find pragmatic BCM software that already provides a comprehensive library of crisis and incident response plans and team structures, covering common disruptions, hazards, and scenarios. BCM technology should also be able to digitize business continuity, crisis, and incident response plans, including strategies and considerations, roles and responsibilities, as well as pre-assigned checklists that are ready to deploy when incidents do occur. That way plans come to life seamlessly, teams know what they need to do, and progress gets tracked in real time.
  • Communicate timely information to internal stakeholders, supervisory authorities, customers, counterparties, and other market participants. Firms and FMIs need to stay abreast of what’s going on during a disruption. And BCM software should help here, too, enabling maximal situational awareness by providing teams and stakeholders with a single, integrated system capable of tackling critical events in real time.

    To support better visibility and awareness, as well as to facilitate communication and collaboration, the flexible system should include chat, impact assessment, and communication planning functionality. BCM software should also let teams communicate and follow up within the app itself, preferably via dedicated, event-specific chat rooms, in addition to email, SMS, and app notifications. Additional, advanced features to improve collaboration include dashboards and collaboration spaces which provide teams with key details, actions, feeds, and timelines.

A summary of recent regulatory proposals

So, what changed from the original discussion paper to the operational resilience proposals that came out in December 2019? The proposals themselves are more generic than prescriptive. For the most part, the statutory authorities avoid introducing definitive lists or taxonomies; instead, they counsel taking a firm, yet pragmatic, approach to achieving operational resilience. In the main, the proposals set out three key directives to meet the objective – directives already previewed in the 2018 discussion paper:

  • Prioritize the things that matter, i.e. important business services
  • Set clear, internal standards for operational resilience, i.e. maximum allowable levels of disruption, including time limits within which the firm or FMI will be able to resume the delivery of important business services following a disruption
  • To support the above, invest in building resilience, e.g. contingency arrangements to ensure that firms’ and FMIs’ important business services can remain within impact tolerances

Then, in more depth, the authorities again define important business services as activities provided by a firm or FMI to an external end user or participant whose disruption could cause any of the following: intolerable harm to consumers or market participants, harm to market integrity, a threat to policyholder protection, or financial instability.

While the authorities declined to identify specific activities that would fit the above criteria, they did refine their approach to setting impact tolerances – tolerances within which firms will be required to remain, according to the new rulebook. For one, under governance provisions, authorities will require boards and senior managers to approve the impact tolerances set for each of the firm’s important business services. Secondly, the authorities establish a conceptual distinction between impact tolerances and risk appetite – the former assumes that a particular risk has already crystallized. Then, they stipulate that time-based impact metrics, though helpful, might not by themselves suffice to gauge the maximum tolerable level of disruption: that is, how long an impact can be tolerated and how quickly a contingency arrangement will need to be able to come into effect.

Proposed activities to ensure the delivery of operational resilience again hewed closely to pragmatic business-continuity best practices, with examples including replacing outdated infrastructure, increasing system capacity, achieving full fail-over capability, addressing key-person dependencies, being able to communicate with all affected parties, and taking action to address vulnerabilities in legacy systems. Scenario-testing provisions were similarly pragmatic, stipulating as they did that the firm or FMI must identify a practicable range of relevant, adverse circumstances of varying nature, severity, and duration.

And to ensure that an important business service remains within its impact tolerance, firms must understand the totality of how the service is delivered and how it can be disrupted. Identifying and documenting the resources required to deliver an important business service within its impact tolerance calls for comprehensive mapping, which facilitates later robust scenario testing as well as helping firms and FMIs identify (and correct) existing vulnerabilities. According to the proposal, mapping, already a business-continuity best practice, will become a firm requirement in addition to scenario testing.

What’s the enforcement mechanism for these proposals? For the most part, the authorities are allowing firms and FMIs to self-police and self-assess, with boards and senior management held principally accountable for key activities. Specifically, senior stakeholders must be satisfied that their firm or FMI is meeting the requirement for having suitable strategies, processes, and systems for identifying important business services, setting tolerances, and performing mapping and testing. 

The firms themselves must take “prompt and effective” action to improve operational resilience where the firm or FMI is not able to remain within the set tolerance, including taking action to address vulnerabilities in legacy systems. Again, mapping, scenario-testing (proportionate to the firm’s size and complexity), and preparing a self-assessment will be mandated, with the relevant methodology used to meet requirements documented.

Finally, firms and FMIs might have some time to go before these proposals become firm policy with a compliance due date. But to the extent that these proposals are pragmatic, institutions should get started heeding the directives, so as to mitigate risk and achieve operational resilience.

Citations

[i] Indeed, important business services might already be under regulatory scrutiny. For instance, because of Internal Capital Adequacy Assessments and Risk Controls, firms and FMIs must already articulate the circumstances that may lead the firm or FMI to failure.
