Connecting the dots to achieve ‘operational resilience’
By Priya Mehta, Partner , Buzzacott
Published: 28 June 2021
‘Operational resilience’ has become the new buzz word recently, especially in context to the new ways of running a business following the pandemic. After the recent upheaval in ‘normal’ working practices, the UK’s Financial Conduct Authority (FCA) have issued numerous surveys, guidance documents and specific consultations to reinforce its position and expectations.
One clear expectation for regulated businesses is the ability to demonstrate ‘operational resilience’ by ensuring that there is a robust ‘operational risk management (ORM) framework’ in place.
In this article we explore the ‘Goldilocks Rule’ relating to operational resilience, taking into account the challenges that the investment management industry typically faces. We also look into how incorporating resilience in the day-to-day operations can become beneficial rather than being an additional burden.
What does this mean in practice?
To understand the scope of operational resilience, let’s first look at the definition of an ORM framework.
An ORM framework is a comprehensive, proactive process that is used to identify, assess, manage, monitor and report on the significant strategic, business and process-level risks related to the achievement of the investment manager’s objectives, which are inherent in the business strategy and operations. This obliges investment managers to implement robust processes which help them not only to identify risks but also enable control and mitigation. The objective of the framework should be to create and protect value, leading to improvement in performance and innovation.
The ORM framework should function as the centrepiece of the firm’s business and all other policies and procedures should feed into the framework. This should be linked to the governance and culture of the organisation such that all staff and management take responsibility for the day-to-day adherence to the ORM framework.
Dissecting this into two key elements – ‘identification of risks’ and ‘governance’
Identification of risks
First and foremost is a check on whether all applicable risks have been correctly identified, qualified and quantified. The most significant ones which typically every business faces irrespective of size and structure are:
- Counterparty risk
- Business conduct risk
- Reputational risk
- Technology, IT and cyber security risk
- Internal and external fraud risk
- Legal, regulatory and compliance risk
- Financial risk
Each of the above could be broken down into greater detail to include many more risk areas. Once the relevant risks have been identified, it is critical to take a step back and analyse what these risks mean to your business; this is the most important aspect and perhaps the most challenging job. Also, linking this analysis to business continuity and disaster recovery plan is key.
Perhaps a recurring theme, ‘governance’ is something that everyone understands yet it is rarely documented properly. Governance is a top-down, principles-based articulation that unites the understanding of risk management with the strategy to deal with those risks. Good governance should focus on and enable proactive risk management processes rather than reactive ones. An effective governing body which could be a combination of various senior management personnel with appropriate decision-making powers should have primary responsibility for risk oversight in the light of an established risk appetite. Key outcomes and the desired culture should then be cascaded downwards from the governing body.
‘Skin in the game’ is the term used by the FCA to set out their expectations from the senior management of the business who are required to ensure that the firm can function in an orderly way and that their incentives align with the best interests of their clients or the wider financial markets. It is about demonstrating that the senior management have their own interests aligned with the business which makes them personally accountable and responsible.
Documentation, documentation and documentation
Shifting the discussion from the somewhat dictatorial and onerous obligations to some reasonable actions, let us ascertain how to get the right balance between what is expected vis-à-vis what is practical. The purpose of reinforcing ‘documentation’ in this context is to demonstrate a clear route to an effective ‘operational risk framework’ which evidences the strength of a firms’ processes and procedures, as well as identifying any potential weaknesses. That may mean a checklist approach for some or periodic health checks for others to ensure all the nuts and bolts are tightened regularly and a detailed report is fed back to the senior management or governing body. Most importantly, having a structure that works for the size of your business is vital.
It is not possible to talk about documentation without mentioning the requirements of the ‘Internal Capital Adequacy and Risk Assessment’ (ICARA) process being introduced by the ‘Investment Firm Prudential Regime’ coming into effect on 1 January 2022.
Deviating slightly from the ORM framework, it is worth noting the following key objectives of ICARA process and document:
- Identification, monitoring and mitigation of harms to the business
- Business model planning and forecasting; recovery and wind-down planning
- Assessing the adequacy of financial resources (own funds and liquidity)
Under the IFPR, all investment firms are required to carry out the ICARA process initially and to conduct a review at least every 12 months. A typical ICARA document for an investment manager would be expected to include the following:
- An explanation of the activities that the firm carries out, with a focus on the most material activities
- An explanation of why the ICARA is fit for purpose. Or, where this isn’t the case, an explanation of the deficiencies identified, the steps taken to remedy them, and who is responsible for implementing any remedies
- An analysis of the effectiveness of the firm’s risk management processes during the period covered by the review
- A summary of the material harms the firm has identified and any steps taken to mitigate them
- An overview of the business model and an assessment of capital and liquidity planning.
- An explanation of how the firm is complying with the ‘Overall Financial Adequacy Rule’. This should include a clear break‑down at the review date of available own funds, available liquid assets, and the applicable threshold requirements
- A summary of stress testing and reverse stress testing it has carried out
- An overview of wind‑down planning, including any key assumptions or qualifications
Thus, an ICARA document would be expected to capture a complete examination of the qualitative and quantitative approach to risk assessment.
Circling back to ‘operational resilience’
The FCA recently issued its policy statement on 'Building operational resilience' setting out rules and guidance on the new requirements, aimed at strengthening operational resilience by defining the maximum tolerable disruption and identifying any vulnerabilities.
Although the first set of action points to be implemented by 31 March 2022 are addressed to banks, building societies, Prudential Regulated Authority (PRA)-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011; the FCA will look at extending the scope to all investment firms and will be consulting on this separately in the near future.
The policy statement will bring into force a granular level of mapping the important business areas to associated risks with the intention of carving out ‘impact tolerances’. This in turn will aid firms to conduct more focussed and practical scenario testing.
Although it is vital that all regulated businesses become mindful of all the legislative and regulatory requirements that seemingly overlap with each other, it is also crucial to combine various regulatory expectations to bolster effective controls and build efficiencies. Whilst the ‘letter of the law’ must be followed, firms should take a holistic view on these requirements which aim for the same goals.
We can assist you in navigating through these various requirements to help you build a pooled structure towards implementing ‘operational resilience’ as well as integrating expectations of the ICARA.
- FCA’s FG 20/1 – Our framework: assessing adequate financial resources
- FCA’s PS 21/3 – Building operational resilience
- FCA’s CP 21/7 – A new UK prudential regime for MiFID investment firms
- AIMA’s guide to sound practices for operational risk management