Operational Risk & Impact Tolerances

operational risk and impact tolerances

On Monday 29th March, the Prudential Regulation Authority (PRA), the Financial Conduct Authority (FCA), and the Bank of England published the results of the FCAs and PRAs consultations concerning Operational Resilience: Impact Tolerances for Important Business Services. Despite having huge implications for the financial services sector, the announcement received little attention from the financial press.

Perhaps this was because much of the paper was a reaffirmation of the consultation papers published by the PRA and FCA. However, sections 4.3 to 4.8 of the paper contained critical details regarding the policy’s implementation dates, with the 31st March 2022 and 31st March 2025 being key dates for the diary.

Firms and FMIs have until 31st March 2022 to demonstrate that they have identified their important business services and set impact tolerances. There is a degree of flexibility with respect to what is deemed a critical service and the impact tolerance that is set. The paper is very clear that the implementation of the policy is a strategic priority and the responsibility for delivering the outcomes of the policy rests with senior management.

By 31st March 2025, firms and FMIs should have sound, effective, and comprehensive strategies, processes, and systems that enable them to address risks and their ability to remain within impact tolerance for each important business service in the event of a severe but plausible disruption (or extreme disruption).

Where should FMIs and Firms start?

The paper offered clear guidance on this question. It advised firms and FMIs that over the course of the next 12 months, they should prioritize mapping and scenario testing. The paper recognized this is a complex exercise for medium-sized firms and for large firms it will have to be based on a set of prioritized critical services.

The evolutionary outcome-based approach the PRA and FCA have taken is both a blessing and a curse. There is no one size fits all approach to building operational resilience. Instead, firms need to reflect on their own risk positions, resources, systemic importance, and impact on others. While it recognizes that each firm and FMI is unique, it assumes that current systems are sufficiently flexible to be able to track, govern and assure critical business services.

Our experience tells us that this is not the case. To the credit of firms and FMIs, a great deal of preparatory work has already taken place with respect to understanding the operational resilience landscape. Some firms and FMIs are currently deliberating design choices with respect to systems. Firms and FMIs have told us that speed to market, agility, and flexibility to meet ongoing requirements are the most important considerations.

Over the last year, we have responded to client interest and feedback by building a market-ready Operational Solution that is centered on the principles of the policy but sufficiently flexible to meet the needs of individual firms and FMIs. We have been able to do this because our solution is architected using a series of interchangeable building blocks. The main advantage of this approach is that the solution can be configured to a client’s exact specification and deployed with minimal resources in a matter of a few weeks.

Want to find out more? Please get in touch with us.