Last week the Financial Conduct Authority (FCA), the Prudential Regulation Authority (PRA) and the Bank of England published long-awaited policy statements and supervisory materials setting out their final rules and guidance on operational resilience. These apply to financial market infrastructure firms (FMIs) and the majority of regulated firms, and follow the publication of a suite of consultation documents by the supervisory authorities in December 2019.
What is operational resilience?
Operational resilience refers to the ability of regulated firms, FMIs and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption. A financial system that is operationally resilient is, to quote the FCA, “one that can absorb shocks rather than compound them”.
An obvious source of disruption is a cyber-attack, and in the past this has been a key area of focus. But the recent impact of the coronavirus pandemic—which compromised access to infrastructure and key people—has demonstrated the importance of casting the net wider when thinking about sources of disruption. Systems failures and changes to systems, people or processes can all work to damaging effect.
Rules and guidance
Subject to some tweaks (including to definitions), the supervisory authorities have implemented their proposals largely as consulted on. Firms to which the rules and guidance apply will have until 31 March 2022 to, among other things:
- identify important business services that, if disrupted, could cause intolerable harm to consumers or risk to market integrity, threaten the viability of firms or cause instability in the financial system;
- set impact tolerances for the maximum tolerable disruption to these services; and
- carry out mapping and testing to identify important business services, set impact tolerances and identify any vulnerabilities in their operational resilience.
Relationship with cyber resilience
It is readily evident that strategies and thinking already deployed in the cyber realm can be leveraged in operational resilience programs. Indeed, the FCA suggests that teams which currently focus on cyber resilience should now input into operational resilience programs to help identify priority areas, and that as any operational resilience program progresses firms should be able to identify how to align resources to generate learning and collaboration across the two areas. This may be easier said than done for some organisations, but it is clear that the regulators believe existing cyber resilience expertise will be of vital importance to regulated firms and FMIs as they embed processes to achieve long term operational resilience.