1 Aug 2022
Earlier this year we looked at the new Operational Resilience Regulations from the FCA, PRA and BoE that took effect at the end of March; what they entailed and what it would take to become compliant with the new requirements.
Now that the deadline for implementing Operational Resilience has passed and we have entered the ‘transition phase’, Michael Walford-Williams, Managing Director at Westbourne, a risk management consultancy for the financial services and FinTech industry, examines what is next for Operational Resilience: what the regulators' expectations are, and why compliance with the rules alone may not be enough...
Operational Resilience - From Compliance to Resilience
Michael Walford-Williams, Managing Director at Westbourne
Click the link to learn more about Westbourne and their services > https://www.westbourneglobal.co.uk
Recap: where have we got so far?
Since the regulations came into effect at the end of March this year, firms are expected to have implemented Operational Resilience Frameworks which include having:
Defined ‘important business services’: these are the services that are most significant, such that if they were disrupted they could cause intolerable harm to the firm's clients and customers, or to the wider financial market, and in the case of PRA-regulated firms could impact the safety and soundness of the firm itself. The key point here is that these services are outward facing, with an external user identified who would feel the impact, rather than internal services where the impact is felt only by the organisation itself.
Set impact tolerances for their important business services: these are the thresholds at which intolerable harm for an important business service would manifest. This must be expressed as a timeframe, e.g. “The important business service ‘balance and transfer for online banking’ must not be unavailable for more than 8 hours”, but can also be expressed through a different metric, such as the volume and/or classification type of customer data that could be lost or compromised, e.g. “No more than 200 records of sensitive personal information can be compromised” or “No more than the latest 24 hours of transaction history can be lost”.
Map Dependencies: firms must map all of the processes, people/teams, technology, premises and information that are required to deliver their important business services, and this should be done to a level that enables firms to identify vulnerabilities. Vulnerabilities could, for example, take the form of a single point of failure, where a single technology, team or individual supports one or more important business services such that, if that resource was unavailable, it could threaten the impact tolerance for the important business service.
Scenario Testing: firms must test their important business services against severe yet plausible scenarios. These scenarios will test a firm’s ability to remain within impact tolerance under the given scenario in order to learn lessons about the nature of their vulnerabilities, their current level of resilience and what actions could be taken to increase resilience.
Self-Assessment: firms are also required to produce a self-assessment document, signed off at Board level, which shows how they meet the operational resilience requirements and which can be made available to the regulator on request.
Implementing these requirements has been a significant effort for many firms; however, the implementation of the framework marks only the beginning of the journey. In effect it’s the entry requirement that gets you onto the field of play, and it’s clear that regulators expect that the real games are just about to begin...
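To make the four framework steps above concrete, here is an added example (not from the article and not Westbourne's own method) that models a dependency map for two constructed important business services, each with an impact tolerance expressed as a timeframe, and then runs the checks a resilience team would want: which mapped resources are single points of failure, which dependencies already take longer to recover than the service's tolerance allows, and what a severe scenario (losing a named resource outright) does to each service. Every service, resource, recovery time and function name is an assumption made for illustration.

```python
"""Added example: dependency map and impact-tolerance checks for constructed
important business services. Names, hours and helper functions are assumptions
for illustration, not data from any firm or regulator."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Resource:
    """One mapped dependency: technology, people/team, premises, information or third party."""
    name: str
    kind: str
    rto_hours: float                           # recovery time objective for the resource itself
    substitute_hours: Optional[float] = None   # time to switch to an alternative; None = no substitute

    def recovery_hours(self) -> float:
        """Best-case time to restore the service's use of this resource: repair it, or fail over."""
        if self.substitute_hours is None:
            return self.rto_hours
        return min(self.rto_hours, self.substitute_hours)


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: float   # maximum tolerable disruption, expressed as a timeframe
    depends_on: tuple[str, ...]     # names of the resources the service relies on


# Constructed sample map (not a real firm).
RESOURCES = {r.name: r for r in [
    Resource("core-banking-platform", "technology", rto_hours=12),
    Resource("cloud-provider-A", "third_party", rto_hours=24),
    Resource("customer-db", "information", rto_hours=6),
    Resource("payments-team", "people", rto_hours=4, substitute_hours=2),   # cross-trained staff
    Resource("head-office", "premises", rto_hours=48, substitute_hours=8),  # hybrid working
]}

SERVICES = [
    ImportantBusinessService("online banking balance and transfer", 8,
                             ("core-banking-platform", "cloud-provider-A", "customer-db")),
    ImportantBusinessService("payment processing", 4,
                             ("payments-team", "core-banking-platform", "cloud-provider-A", "head-office")),
]


def find_single_points_of_failure(services, resources) -> dict[str, list[str]]:
    """Resources with no substitute, keyed to the services that depend on them."""
    spofs: dict[str, list[str]] = {}
    for svc in services:
        for dep in svc.depends_on:
            if resources[dep].substitute_hours is None:
                spofs.setdefault(dep, []).append(svc.name)
    return spofs


def find_tolerance_breaches(services, resources) -> dict[str, list[str]]:
    """Dependencies whose own recovery time is longer than the service's impact tolerance."""
    breaches: dict[str, list[str]] = {}
    for svc in services:
        slow = [d for d in svc.depends_on
                if resources[d].recovery_hours() > svc.impact_tolerance_hours]
        if slow:
            breaches[svc.name] = slow
    return breaches


def run_scenario(services, resources, unavailable: set[str]) -> dict[str, float]:
    """Model a scenario in which the named resources are lost at the same time.

    A service is down until its slowest affected dependency is back; the result
    lists the services that would exceed impact tolerance with their outage length."""
    breached: dict[str, float] = {}
    for svc in services:
        hit = [resources[d] for d in svc.depends_on if d in unavailable]
        if not hit:
            continue
        outage = max(r.recovery_hours() for r in hit)
        if outage > svc.impact_tolerance_hours:
            breached[svc.name] = outage
    return breached


if __name__ == "__main__":
    print("single points of failure:", find_single_points_of_failure(SERVICES, RESOURCES))
    print("tolerance breaches:", find_tolerance_breaches(SERVICES, RESOURCES))
    print("cloud provider lost:", run_scenario(SERVICES, RESOURCES, {"cloud-provider-A"}))
    print("payments team lost:", run_scenario(SERVICES, RESOURCES, {"payments-team"}))
```

In the sample map the third-party cloud provider is shared by both services and has no substitute, so losing it breaches both impact tolerances; the cross-trained payments team, by contrast, can be lost without a breach. That is the kind of ‘show your working’ output the mapping and scenario-testing steps are meant to produce, and the substitute field is where a firm records the substitutability the regulators refer to.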
So, what’s next?
We have now entered the transition period for Operational Resilience, which will run until the end of March 2025, when firms will be expected to attest that they are able to remain within agreed impact tolerances in the event that their important business services are disrupted. During this time firms will be expected to embed and maintain their operational resilience programmes and to ensure that they are properly governed, including at Board level where required.
In May this year, Duncan Mackinnon of the PRA set out the PRA’s expectations for how firms should take Operational Resilience forward over the transition period between now and March 2025 (1).
After reading the speech, I was reminded of the words of Neo from the first Matrix film: “I didn’t come here to tell you how it’s going to end, I came to tell you how it’s going to begin.” It was clear that the regulators' expectation is that firms will need to advance their programmes in a number of ways. These include:
Important Business Services and Impact Tolerances to be challenged: feedback from the regulators on their initial assessment of firms’ definitions of important business services and impact tolerances was that there was significant variance in the level at which services had been defined, and likewise tolerance thresholds varied greatly among firms for the same services. Through supervision, the regulators will be having conversations across the industry to understand firms' reasoning for how they have defined important business services and impact tolerances. It will be important that firms are able to ‘show their working’ for how they defined their important business services and impact tolerances, and that these are being validated and, where necessary, refined through scenario testing.
Mapping and Scenario Testing should increase in sophistication: when the regulations came into effect at the end of March, mapping and scenario testing did not yet need to be completed “to a level of sophistication necessary to accurately identify their important business services, set impact tolerances and identify any vulnerabilities in their operational resilience” (2). Looking forward, the regulators expect that “mapping should rapidly become more sophisticated, in line with firms’ potential impact. It should enable firms to identify vulnerabilities and inform the development of scenario testing” (3). This could mean that mapping becomes more granular, or that instead of simply mapping a resource to an important business service, the interdependencies between resources are also mapped in order to better understand potential vulnerabilities. That said, as with Operational Resilience processes generally, mapping should be proportionate to the nature, scale and complexity of the services provided, and should be outcome driven.
Scenario testing should also increase in sophistication, both in the scope and severity of the testing and in the way scenarios are delivered. Mr Mackinnon said that they should include “data integrity scenarios and incorporate third party disruption; they should also consider factors beyond the firm’s control.” This indicates that the regulators wish firms to look at those severe yet plausible scenarios which go beyond business continuity planning, where things fail and where some current planning assumptions are broken. This could be, for example, a cyber-attack that affects both the primary and DR instances of a critical system, or a case where the business continuity arrangements for a critical third-party outsourcing arrangement do not meet their RTO (4). The PRA also suggested that “For high impact important business services within systemic firms, desktop testing is ultimately unlikely to be sufficient,” and therefore the way in which firms undertake scenario testing will also need to evolve.
Third Parties are Key to Operational Resilience: the regulators have highlighted that third parties should very much be included in mapping and scenario testing exercises, and it is clear that they want firms to build resilience around critical third parties. They expect firms to review and, where required, adapt third-party outsourcing arrangements to ensure resilience, such that the failure of the third party does not lead to the failure of the service as a whole and a breach of impact tolerance. They also suggested that firms “may have to build substitutability into the way services are delivered” (5). Putting this all together suggests that they want firms to go further than traditional business continuity plans, to grapple with the possibility of a complete failure of a third party, and to have resilience in place so as not to breach impact tolerances if that should happen. This may be difficult to achieve for firms that have built their businesses on cloud service providers. This is supported by the PRA’s Outsourcing and Third Party Risk Management regulations (SS2/21). We will be exploring this topic in more detail in future newsletters!
Build Resilience within your firm: as mentioned before, the implementation of an Operational Resilience framework is just a starting point that allows firms to articulate their level of resilience and where they need to focus. The regulators are looking for firms to be concerned with practical outcomes, the lessons they have learnt about their resilience through their programmes, and most importantly the “so what?”: what are firms doing to address these and make themselves more resilient? This will involve building action plans to address ‘resilience gaps’ and vulnerabilities identified through mapping and scenario testing exercises, and those action plans should be actively managed. Where the vulnerabilities are severe enough to threaten a firm’s ability to remain within impact tolerances, these plans should be implemented by the end of March 2025. That feels like a long time, but to the point made above, if action plans require, for example, the re-architecture of technology platforms to reduce reliance on a third party, that timeframe could suddenly start to feel a bit tighter.
Compliance vs Resilience: Creating a Resilient Culture: the regulators again stressed that they do not want Operational Resilience to be just a compliance exercise, that they “expect resilience to be embedded in the way firms do business” and that “operational resilience cannot be achieved through compliance alone” (6). On the surface this seems an odd concept: a regulator issues new regulations and then says it wants firms firstly to comply with them and additionally to go further, where the former comes with a clear set of rules and the latter does not.
However, the underlying point here is that following the regulatory rules alone will not guarantee that a firm will become genuinely resilient. The regulations provide a framework for you to understand and begin to manage the level of resilience within your organisation, but ultimately, for a firm to build resilience within its organisation it needs to choose to be resilient, and in order to do that it has to understand and be able to articulate the value of resilience to the business as a whole. This is about building a resilient culture in a firm, where resilience is considered in all areas and at all levels, so that resilience starts to become baked into the organisation rather than addressed as an individual concern.
A resilient culture can sound like a slightly nebulous concept but here are some practical ways in which this can be achieved:
i) Have a mechanism to ensure that resilience considerations are included in business strategy decisions: when discussing where and how new business services are to be delivered, include resilience as a factor in decision making. For example: should we locate the next 50 staff in the same location as the existing 100? Should we outsource 100% of our core technology to a single cloud provider?
ii) Ensure Board level engagement: it is a regulatory requirement that the self-assessment document should be approved at board level; but to build a resilient culture, board level involvement should extend further beyond that. They should be aware and actively manage their resilience posture, and in many cases in order to answer some of those business strategy decisions, or to decide how to address resilience gaps, Board level involvement will be required. Not least because sometimes becoming more resilient comes at a cost, either in terms of cash, efficiency or opportunity and treading that difficult line between furthering the business and protecting the business needs to be done by the top level decision makers in the company.
iii) Involve more than just "required" staff in Operational Resilience processes: look to involve more than just your risk teams and some key business leads in your Operational Resilience programme. One potentially effective way to do this would be through scenario testing. Involving wider teams in scenario testing will give them an understanding of Operational Resilience and could mean that they start to think more about resilience in their day jobs. Involving staff in practical scenario testing may well prove more effective than traditional compliance training.
Business benefits of a resilience culture: there’s no doubt that running a compliant Operational Resilience programme requires a great deal of effort and resource; however, it is also true to say that building resilience into a company can have a number of genuine business benefits which go beyond simply staying on the right side of the regulators, and this applies as much to smaller companies as it does to larger ones. Start-up and scale-up companies are often primarily concerned with growing their business as well and as fast as possible with the limited resources available (and for good reason). They often don’t put as many measures in place to protect the business they are building until they become much larger, or until someone else such as a client, regulator or investor demands it of them. At this point it can be difficult and costly to retrospectively engineer resilience into the business, whereas had resilience been considered earlier the business could have grown in a resilient way. For example, firms could have split technology across multiple providers, created a hybrid working model where staff are not co-located in a single location, cross-trained staff so that more people were able to undertake critical business processes, etc.
Additionally, in today’s climate where there is so much economic, social and geopolitical uncertainty, showing clients and customers that resilience is at the heart of how you do business will give them confidence in your ability to deliver services and can act as a differentiator to competitors.
To conclude, it’s clear that Operational Resilience is a key focus for regulators and requiring firms to implement a compliant framework is just the beginning. They want firms’ programmes to evolve in sophistication and become embedded in firms’ businesses. However, while this will undoubtedly require some effort, done right this can start to bring some genuine benefits to businesses beyond just regulatory compliance. To return to the sporting analogy, once on the field of play, a compliant approach will ensure that you don’t concede any goals, but with a resilient culture you might actually score a few goals.
(4) RTO: “Recovery Time Objective”
Could you benefit from Westbourne's services?
Westbourne is a risk management consultancy for the financial services and FinTech industry. As leading specialists in their field, they support firms of all sizes, from start-ups to some of the world's largest financial institutions. They also provide expertise within global regulatory environments across the areas they support, most notably in the U.S., Singapore and Hong Kong.
Westbourne helps firms enhance the way they manage risk and meet regulatory requirements, with risk management frameworks that give you confidence in your operations. Providing risk management services to the next generation of financial firms they take advantage of the latest technologies and innovative methodologies to make risk management, simpler, more flexible and more effective, helping you achieve your goals faster.
Westbourne specialise in the following areas:
Learn more about Westbourne's services > https://www.westbourneglobal.co.uk/our-services