Since the publication of the Operational Resilience Policy Statements 21/3 and 6/21 by the FCA and PRA respectively, there have been a lot of questions asked around the implications, practice, and implementation of them. Here are some of the FAQs answered by our Operational Resilience specialists. For a solution demo and consultation, reach out to us.
See below for frequently asked questions and answers in regards to Operational Resilience in the UK financial sector.
1. Why is Operational Resilience a priority for UK regulators?
In the policy statement, FCA PS 21/3 Building Operational Resilience (page 3), the UK regulators state – “Operational disruptions and the unavailability of important business services have the potential to cause wide reaching harm to consumers and risk to market integrity, threaten the viability of firms and cause instability in the financial system.”
In the consultation paper CP29/19 Operational resilience: Impact tolerances for important business services (page 1), the PRA states that: “The proposals aim to address risks to operational resilience including those arising from the interconnectedness of the financial system, and the complex and dynamic environment in which firms operate. The PRA considers that there is a need for a proportionate minimum standard of operational resilience that incentivises firms to prepare for disruptions and to invest where it is needed.“
2. What is the timeline for Operational Resilience compliance?
- PS 21/3 was published in March 2021.
- By 31 March 2022 firms were expected to have operationalised the policy framework: identified their important business services, set impact tolerances for them, and carried out the mapping and scenario testing needed to identify vulnerabilities.
- A three-year transition period then runs until 31 March 2025, during which firms are expected to keep testing and to show that they can remain within the impact tolerances they have defined.
- The policy is fully in force from 31 March 2025.
3. What are the principles that firms need to comply with?
The overarching principles of CP19/32 and PS 21/3 Building Operational Resilience underline the need for firms to:
- Identify and protect themselves from threats and potential failures.
- Prepare for, detect, respond to, recover from and adapt to disruptive events.
- Minimise the impact of a disruptive event on the delivery of important business services, so that those services continue through the disruption.
4. What are the key steps described in the Policy to ensure compliance?
- Identify – Identify the most important business services and how much disruption could be tolerated, and in what circumstances.
- Map – Map the systems, processes and resources that support these business services.
- Assess – Assess how the failure of an individual process or resource could impact a business service.
- Test – Test, using severe but plausible scenarios and past experience, whether the firm can remain within its impact tolerances.
- Invest – Invest in the capability to respond to and recover from disruptions through appropriate systems, oversight and training.
- Communicate – Communicate in a timely manner with internal stakeholders, authorities and customers.
5. Who is impacted by the policy?
In the UK these changes affect banks, building societies, designated investment firms, insurers, Recognised Investment Exchanges (RIEs), enhanced scope Senior Managers and Certification Regime (SM&CR) firms, and entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017) or the Electronic Money Regulations 2011 (EMRs 2011).
6. This is just BCP isn’t it? What is the difference between Operational Resilience and Business Continuity Planning?
Business continuity planning and management (BCP/M) is, for the most part, focused on individual technology assets and how to recover them if a failure occurs. It is designed to react to the failure of an asset rather than to focus proactively on how an Important Business Service would continue if a supporting resource failed. The latter could involve recovering the resource, but could equally involve an ‘adapt’ strategy: substituting an alternative resource for the failed one.
BCP/M also tends to focus primarily on IT assets, their failure and recovery. PS 21/3 covers the technology, people, locations, data and third parties that support an Important Business Service, not just the IT resources, and all of these must be mapped, assessed and tested to comply with the policy.
7. Where is risk in the Corporater Operational Resilience solution?
The Corporater Operational Resilience solution uses an alternative method to evaluate the risk profile of a given Important Business Service (IBS). In place of a traditional risk register, heat maps and inherent/residual risk assessments, the solution assesses the threats to each resource (technology, premises, people, data and third parties) and the control environment around it, and from these derives the Vulnerability and Recoverability of that resource. Resources are mapped to processes and processes to Important Business Services, as per the guidance in PS21/3, which allows the resource assessment (Vulnerability and Recoverability) to be aggregated to the process level and then to the overall Important Business Service. Every IBS is therefore rated on a vulnerability and a recoverability basis. This inherently provides a service risk assessment: it shows which services are at risk of imminent failure (vulnerability) and which services are at risk of not recovering from an operational disruption within their defined Impact Tolerance (recoverability).
At the service level, scenarios and their associated test results can be combined with, or substituted for, the resource recoverability ratings to determine the overall service Recoverability status. Scenarios can also include mitigation options to detect, respond to, recover from and adapt to the proposed disruption. These mitigants are tested and provide a further view on whether the service could recover within impact tolerance, i.e. what the risk is of the service not being able to recover if the scenario were to materialise.
In summary, the application’s controls, their coverage and their effectiveness provide the mechanism for determining which controls reduce or mitigate the risk of resources operating outside their tolerances. Combined with resource metrics (threats, in our case), this gives an overall view of resource risk in two dimensions: 1) how vulnerable a resource is, and 2) how recoverable a resource is. These ratings are aggregated to the dependent processes and in turn to the dependent Important Business Service.
Vulnerability – A measure of how likely it is that a business service will experience disruption based on underlying resource threats and control environment.
Recoverability – An indicator of whether or not a business service can continue to operate within impact tolerance.
8. Is a software solution required to comply with the policy?
While the policy does not mandate that firms use a software solution to achieve its aims and assure compliance, it is difficult to see how a firm of any significant size could meet its obligations without one.
Performing the required activities (Identify, Map, Assess, Test, Invest, Communicate) manually in spreadsheets is resource intensive and error prone. The additional overhead of collating the data, compiling the required reports and supporting evidence, and describing and justifying the methodology used makes the manual approach prohibitive in most cases.
9. What approach has Corporater taken to address the policy’s requirements in their solution?
We have developed a purpose-built solution to address the requirements of the policy. In response to PS21/3 Corporater made a critical decision to create a solution with the FCA/PRA’s policy statement at its heart, instead of repurposing our existing risk management and business continuity solutions. The out-of-the-box functionality of our Operational Resilience software solution allows firms to prepare for, detect, respond to, recover from and adapt to disruptions to important business services.
10. What are the solution’s key differentiators?
Corporater’s dedicated Operational Resilience Solution is:
- Regulation based – Translation of the Operational Resilience regulation’s five intervention steps into key solution design principles.
- Enables clients to prioritise areas of strategic and operational importance.
- Focused on the needs of users – COO, IBS and Resource owners.
- End-to-End operational resilience analysis from identifying services through to recoverability assessment.
- Identify and map services, processes and resources.
- Set customer, firm and market impact tolerances.
- Define and test plausible service disruption scenarios.
- Customisable, tailored to specific terminology and processes.
- Allows improved oversight of a firm’s operational resilience.
- Aggregates and consolidates data.
- Connects to the wider IT ecosystem, including BI tools, to enable the detection of resource vulnerabilities (ingesting and presenting data, with manual data input as required).
11. What are the solution’s driving design principles?
The solution has been built based on a hierarchy with important business services at the top followed by the underlying processes. The resources involved in those processes sit below with the underpinning controls in the lowest layer. The important business services have been rated against two concepts, that of ‘vulnerability’ and ‘recoverability’.
- Vulnerability – A measure of how likely it is that a business service will experience disruption based on underlying resource threats and control environment.
- Recoverability – An indicator of whether or not a business service can continue to operate within impact tolerance.
Both vulnerability and recoverability are assessed against the ‘threats’ to each resource and the current ‘control environment’ around it. These two dimensions are combined, through aggregation logic, to give a rating at each level of the hierarchy, with the aggregation typically based on the ‘worst’ status among the items below.
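The following is an added illustration of the hierarchy and aggregation logic described in this answer and in Q7: important business services at the top, processes beneath them, resources beneath those, and controls at the bottom, with each resource rated for vulnerability (residual threat after controls) and recoverability (evidenced recovery time against the service’s impact tolerance), and each rating rolled up as the worst status of the level below. It also shows the ‘adapt’ response from Q6, where a scenario test lets a substitute resource stand in for a failed one. This is example code written for this page, not Corporater’s software; the residual-threat formula, the rating thresholds, the sample service and all figures in it are constructed assumptions, not values from PS21/3 or from the product.

```python
"""Toy model of the IBS -> process -> resource -> control hierarchy.

Illustrative only: not Corporater's code. The scoring model, thresholds and
sample data below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, Iterable, List, Optional, Tuple


class Rating(IntEnum):
    """Ordered so that max() yields the 'worst' status when aggregating."""
    GREEN = 0
    AMBER = 1
    RED = 2


@dataclass
class Control:
    name: str
    coverage: float       # share of the threat the control addresses (0..1)
    effectiveness: float  # how well it worked when last tested (0..1)


@dataclass
class Resource:
    name: str
    kind: str             # technology | premises | people | data | third_party
    threat: Rating        # assessed likelihood of disruption before controls
    recovery_hours: float # evidenced time to restore or substitute this resource
    controls: List[Control] = field(default_factory=list)

    def residual_threat(self) -> float:
        # Assumed model: each control removes coverage*effectiveness of what remains.
        remaining = 1.0
        for c in self.controls:
            remaining *= 1.0 - c.coverage * c.effectiveness
        return float(self.threat) * remaining

    def vulnerability(self) -> Rating:
        r = self.residual_threat()  # assumed thresholds on a 0..2 scale
        return Rating.GREEN if r < 0.5 else Rating.AMBER if r < 1.25 else Rating.RED

    def recoverability(self, tolerance_hours: float) -> Rating:
        # RED: cannot recover inside the impact tolerance; AMBER: little headroom.
        if self.recovery_hours > tolerance_hours:
            return Rating.RED
        if self.recovery_hours > 0.75 * tolerance_hours:
            return Rating.AMBER
        return Rating.GREEN


@dataclass
class Process:
    name: str
    resources: List[Resource]

    def vulnerability(self) -> Rating:
        return max((r.vulnerability() for r in self.resources), default=Rating.GREEN)

    def recoverability(self, tolerance_hours: float) -> Rating:
        return max((r.recoverability(tolerance_hours) for r in self.resources),
                   default=Rating.GREEN)


@dataclass
class ImportantBusinessService:
    name: str
    impact_tolerance_hours: float
    processes: List[Process]

    def all_resources(self) -> Iterable[Resource]:
        for p in self.processes:
            yield from p.resources

    def vulnerability(self) -> Rating:
        # Worst-of aggregation: resource -> process -> service.
        return max((p.vulnerability() for p in self.processes), default=Rating.GREEN)

    def recoverability(self) -> Rating:
        t = self.impact_tolerance_hours
        return max((p.recoverability(t) for p in self.processes), default=Rating.GREEN)

    def scenario_recovery(self, disrupted: Iterable[str],
                          substitutes: Optional[Dict[str, Resource]] = None
                          ) -> Tuple[float, bool]:
        """Hours to restore the service when the named resources are lost, allowing an
        'adapt' response where a substitute resource exists for a failed one."""
        substitutes = substitutes or {}
        by_name = {r.name: r for r in self.all_resources()}
        hours = 0.0
        for name in disrupted:
            best = by_name[name].recovery_hours
            if name in substitutes:
                best = min(best, substitutes[name].recovery_hours)
            hours = max(hours, best)  # parallel recovery: the slowest item governs
        return hours, hours <= self.impact_tolerance_hours


def build_sample_ibs() -> ImportantBusinessService:
    """Constructed sample service (hypothetical names and figures)."""
    payments = Process("Payment processing", [
        Resource("Core payments platform", "technology", Rating.AMBER, 2.0,
                 [Control("Patching", 0.8, 0.9), Control("DR failover", 0.9, 0.8)]),
        Resource("SWIFT gateway", "third_party", Rating.RED, 6.0,
                 [Control("Contract SLA", 0.5, 0.6)]),
        Resource("Customer ledger", "data", Rating.AMBER, 3.5,
                 [Control("Backups", 0.9, 0.5)]),
    ])
    support = Process("Customer support", [
        Resource("Operations team", "people", Rating.AMBER, 1.0,
                 [Control("Cross-training", 0.9, 0.8)]),
    ])
    return ImportantBusinessService("Retail payments", 4.0, [payments, support])


if __name__ == "__main__":
    ibs = build_sample_ibs()
    for p in ibs.processes:
        print(p.name, p.vulnerability().name, p.recoverability(ibs.impact_tolerance_hours).name)
    print(ibs.name, ibs.vulnerability().name, ibs.recoverability().name)
    backup = Resource("Backup gateway", "third_party", Rating.AMBER, 3.0)
    print(ibs.scenario_recovery(["SWIFT gateway", "Customer ledger"]))
    print(ibs.scenario_recovery(["SWIFT gateway", "Customer ledger"], {"SWIFT gateway": backup}))
```

In the sample, the third-party gateway is rated RED on both dimensions (weak contractual control, six-hour recovery against a four-hour tolerance), and because aggregation is worst-of, that single resource turns the whole service RED even though the other process is GREEN. The scenario test shows the point made in Q6: recovering the failed gateway itself would breach tolerance, but an ‘adapt’ response that substitutes a backup gateway brings the service back within it.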
12. What benefits does the Corporater solution bring?
- Enables compliance with PS 21/3
- Supports business growth and performance
- Enables collaboration and communication
- Enables strategic and operational oversight of Operational Resilience
- Improves strategic, tactical and operational decision-making
- Gives end-to-end transparency of services, their categorisation and their resilience status
- Provides a method of assurance over third-party relationships: whether they are well managed and whether the contracts in place support the Operational Resilience strategy
- Helps identify the resources needed to address capacity and capability risks
- Establishes Operational Resilience as an integral part of the business strategy
13. Who uses the solution and why?
PS 21/3 has wide-ranging implications for individuals across the organisation, but each will have differing requirements, will need to see the data from a different perspective and will need access to different functionality.
Who are the key users of the solution?
- Service owner
- Pillar Owners
- Resource Owners
- System Managers
- Scenario Testers
- Business Service Assessors
Corporater offers a purpose-built Operational Resilience software solution with out-of-the-box functionality that allows firms to prepare for, detect, respond to, recover from and adapt to disruptions to important business services. Contact us to find out more.