UK regulators expect financial sector to beef up operational resilience
The challenges to firms’ resilience to operational disruptions have become more complex and intense in recent years, during a period of technological change and in an increasingly hostile cyber environment.
In line with an approach outlined in a recent speech by Lyndon Nelson, Deputy CEO of the Bank of England’s Prudential Regulation Authority (PRA), a number of UK regulators – the Bank of England, the PRA and the Financial Conduct Authority (FCA) – have presented their joint view on the need for the financial sector to boost its operational resilience.
The joint discussion paper, published today, focuses on the operational resilience of the financial system and the individual firms and financial market infrastructures (FMIs) within it.
Operational resilience refers to the ability of firms, FMIs and the sector as a whole to prevent, respond to, recover and learn from operational disruptions. There are various challenges to making sure their businesses are resilient to operational disruption. These challenges have become more complex and intense in recent years, during a period of technological change and in an increasingly hostile cyber environment. Additional challenges occur where firms operate internationally or outsource a significant level of activities to third parties.
The supervisory authorities consider that the continuity of business services is an essential component of operational resilience. Accordingly, firms and FMIs are expected to focus on that outcome when approaching operational resilience. The supervisory authorities envisage that boards and senior management have to assume that individual systems and processes that support business services will be disrupted, and focus on back-up plans, responses and recovery options.
Also, the authorities anticipate that the boards and senior management of firms and FMIs would set impact tolerances for the operational disruption of business services, on the assumption that some or all supporting systems and processes will fail. In setting impact tolerances, the supervisory authorities suggest that a firm’s or FMI’s board or senior management might prioritise those business services which, if disrupted, have the potential to: threaten the firm’s or FMI’s ongoing viability; cause harm to consumers and market participants; or undermine financial stability. The chapter also highlights relevant existing regulatory standards related to operational resilience that firms and FMIs are already expected to meet.
Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, a measure of data integrity or the number of customers affected.
Having impact tolerances may help ensure that boards and senior management consider what the firm or FMI would do when a disruptive event occurs, rather than only trying to minimise the probability of disruption. This might include how to handle the situation to minimise the consequences of disruption as well as ensuring that the relevant business services continue to be delivered within tolerance.
The discussion paper also suggests an approach for potential supervisory expectations and assessment:
- Preparation: firms and FMIs identify and focus on the continuity of their most important business services as a means of prioritising their own analysis, work and investment in operational resilience. They set impact tolerances for their important business services and are able to demonstrate substitutability or the capability to adapt processes during disruption.
- Recovery: firms and FMIs assume disruptions will occur, and develop the means by which they can adapt their business processes and practices in the event of shocks in order to preserve continuity of service.
- Communications: firms and FMIs have strategies for communicating with their internal and external stakeholders, including the supervisory authorities and consumers. This should include how to handle the situation to minimise the consequences of disruption.
- Governance: firms’ and FMIs’ boards and senior management are crucial in setting the business and operational strategies and overseeing their execution in order to ensure operational resilience.
Feedback is welcomed from all parts of the financial sector, as well as from consumers, market participants and other stakeholders, including other regulatory organisations. Comments are accepted until October 5, 2018.