Operational resilience: Practical steps for building an operationally resilient firm
By Jon Szehofner, Partner; Joshua Clarke, Junior Consultant, GD Financial Markets
Published: 28 June 2021
On 29 March 2021, the Bank of England (BoE), Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) — collectively the ‘supervisory authorities’ — published their policy and supervisory statements aimed at strengthening the UK financial system’s ability to withstand impact from operational disruption.
The focus of this paper is not a detailed decomposition of the supervisory statements, other than to remark that there are few unexpected changes to the anticipated approach set out during the consultation process (although there will be some devil in the detail as the industry grapples with implementation). The focus is instead to provide you, FCA-regulated hedge fund managers, alternative credit managers and funds of funds, with a clear roadmap of the activities that you will now need to navigate in order to meet the FCA requirements. It is important to note that firms need to take a proportionate approach in line with their size and the type of services they offer to consumers.
Operational resilience requires firms to adopt a mindset of disruption being inevitable. The assumption is that business disruption and failures will occur, and as a result there is an ongoing need to assess the firm’s ability to respond, recover and take proactive action to ensure that its important business services remain resilient.
An operationally resilient firm is one which:
- Prioritises the things that matter: by understanding the services it delivers to an external end user or participant and determining which are the most important.
- Sets clear standards for operational resilience: by defining the maximum level of disruption to an important business service that can occur before intolerable harm manifests.
- Invests to build resilience: by testing its ability to remain within its impact tolerances and identifying where vulnerabilities need to be addressed.
When identifying and prioritising those services – business services – which are most important, the FCA proposes that firms should examine the impact of their disruption. Testing the firm’s ability to remain resilient against an appropriate and proportionate set of plausible disruption scenarios should enable boards and senior management to make prioritisation and investment decisions.
Now that the long-anticipated regulatory policy and supervisory statements have been published, we explore the key activities UK regulated firms should be fully focused on.
1. Set up the change programme for success
Resilience is not a new topic. However, taking a business service-led approach to resilience will be new for many firms and will necessitate a change in how they think about their business architecture and the outcomes they deliver to their consumers. Firms need to develop an operational resilience strategy and framework which utilises existing capabilities and is approved by the board, with SMF 24 accountability where applicable. The framework should aim to remove organisational silos, promote cross-functional responsibility and embed a culture of resilience practices within the fabric of the firm.
2. Identify and prioritise business services
Fundamental to the supervisory authorities’ objectives for operational resilience is the approach and methodology taken to identify important business services that are specific and proportionate to the firm’s own context and are then monitored on an ongoing basis. The supervisory authorities have deliberately steered away from providing a prescribed taxonomy, but instead offer four key considerations when identifying and prioritising business services:
- Harm to customers and markets
- Harm to financial stability
- Harm to firm safety and soundness
- Service substitutability
By now, firms should have started this process to identify and prioritise business services to a sufficiently granular level so that an impact tolerance can be applied and tested. The FCA’s guidance for what constitutes an important business service includes:
Important business service means a service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could: (1) cause intolerable levels of harm to any one or more of the firm’s clients; or (2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.
3. Build and maintain the dependency map for each important business service
To understand the possible threats to resilience, firms are required to capture the key resources and dependencies which contribute to the provision of each important business service. This should include facilities, people, processes, systems, data and third parties at an appropriate level of detail. Mapping needs to be maintained close to real time and reflect any changes to how important business services are delivered. Mapping is designed to highlight vulnerabilities in how important business services are delivered, such as single points of failure, concentration risk and limited substitutability of resources. Many firms have taken a ‘customer value stream approach’ to mapping, which requires a detailed focus on the stage within the important business service which, if disrupted, would cause intolerable harm rather than simply an inconvenience. This approach enables the firm to focus resources on the activities which really matter from a resilience perspective.
4. Set impact tolerances and scenario test
Firms are required to assess how disruption may impact end users of the business service and propose a corresponding impact tolerance, i.e. the amount of disruption that can be tolerated before intolerable harm manifests. Firms are required to develop a methodology for setting impact tolerance statements for each important business service, using time/duration-based metrics, covering the objectives of the FCA (consumer harm and market integrity). Where a firm provides a service to another firm that holds the direct relationship with the end consumer, the impact tolerances of both relationships should be considered and should support their collective aim of serving the end consumer.
Scenario testing then assesses the firm’s ability to manage service delivery within impact tolerances across a range of plausible disruption scenarios. In carrying out scenario testing, the firm must identify an appropriate and proportionate range of adverse circumstances, severity and duration relevant to its business and risk profile.
The firm’s testing strategy should consider disruption scenarios occurring simultaneously (multi-incident) and also multiple business services being impacted concurrently.
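Sections 3 and 4 describe a method rather than a worked artefact: map each important business service onto the resources it depends on, look for single points of failure and concentration risk, then test plausible (and multi-incident) outage scenarios against a time-based impact tolerance. The following is an added illustration of that method in Python; it is not code from the paper or from GD Financial Markets. Every service name, resource, recovery time and tolerance in it is constructed, and the failover time and the assumption that recovery work runs in parallel are modelling choices made here, not regulatory guidance.

```python
"""Toy dependency map and scenario test for important business services (IBS).

Added illustration, not from the paper or GD Financial Markets. All services,
resources, durations and tolerances below are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass, field

FAILOVER_HOURS = 2.0  # assumed time to switch a service onto a substitute resource


@dataclass
class Resource:
    name: str
    kind: str                 # facilities, people, processes, systems, data, third_party
    recovery_hours: float     # assumed time to restore this resource after it fails
    substitutes: set = field(default_factory=set)  # resources that can take over its role


@dataclass
class Service:
    name: str
    impact_tolerance_hours: float   # maximum tolerable disruption before intolerable harm
    depends_on: set                 # names of resources the service directly needs


# Constructed dependency map: one entry per resource of each kind the paper lists.
RESOURCES = {r.name: r for r in [
    Resource("trading_platform", "systems", 8.0, {"backup_platform"}),
    Resource("backup_platform", "systems", 4.0, {"trading_platform"}),
    Resource("fund_admin_vendor", "third_party", 48.0),
    Resource("ops_team", "people", 24.0),
    Resource("nav_data_feed", "data", 12.0, {"secondary_feed"}),
    Resource("secondary_feed", "data", 12.0, {"nav_data_feed"}),
]}

# Constructed important business services with time-based impact tolerances.
SERVICES = [
    Service("Trade execution", 4.0, {"trading_platform", "ops_team"}),
    Service("NAV calculation", 24.0, {"fund_admin_vendor", "nav_data_feed"}),
    Service("Investor reporting", 72.0, {"fund_admin_vendor", "ops_team"}),
]


def single_points_of_failure(service, resources):
    """Dependencies of the service that have no substitute at all."""
    return sorted(r for r in service.depends_on if not resources[r].substitutes)


def concentration_risk(services):
    """Resources that more than one important business service relies on."""
    users = defaultdict(set)
    for s in services:
        for r in s.depends_on:
            users[r].add(s.name)
    return {r: names for r, names in users.items() if len(names) > 1}


def dependency_downtime(name, failed, resources):
    """Hours a single dependency is unavailable to the service under a scenario."""
    res = resources[name]
    if name not in failed:
        return 0.0
    # A substitute only helps if it has not failed in the same scenario.
    if any(sub not in failed for sub in res.substitutes):
        return min(res.recovery_hours, FAILOVER_HOURS)
    return res.recovery_hours


def scenario_test(services, resources, failed):
    """Model an outage of the given resources and compare each service's
    disruption with its impact tolerance. Recovery work is assumed to run in
    parallel, so the service outage is its longest single dependency outage."""
    results = {}
    for s in services:
        outage = max((dependency_downtime(r, failed, resources) for r in s.depends_on),
                     default=0.0)
        results[s.name] = (outage, outage <= s.impact_tolerance_hours)
    return results


if __name__ == "__main__":
    for s in SERVICES:
        print(f"{s.name}: single points of failure -> {single_points_of_failure(s, RESOURCES)}")
    print("Concentration risk:", concentration_risk(SERVICES))
    scenarios = {
        "primary platform outage": {"trading_platform"},
        "administrator outage": {"fund_admin_vendor"},
        "multi-incident: both platforms": {"trading_platform", "backup_platform"},
    }
    for label, failed in scenarios.items():
        for svc, (hours, ok) in scenario_test(SERVICES, RESOURCES, failed).items():
            print(f"{label}: {svc} down {hours:.0f}h -> {'within' if ok else 'BREACHES'} tolerance")
```

Run as a script it prints, for each scenario, which services stay within tolerance and which breach it; the third scenario is the multi-incident case the paper asks firms to include, and it shows how a substitute that looked adequate on the map stops helping once both resources fail together.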
5. Assign owners within the organisation who are responsible for the end-to-end resilience of each important business service
Firms will need to identify appropriate owners for each important business service who are responsible for the following:
- Hold an end-to-end understanding of, and provide oversight over, the processes, people, technology, data, third parties and facilities relevant to the business service
- Set appropriate impact tolerance statements for the business service and establish governance to periodically review and update this
- Test the service performance against the set of impact tolerances and establish a process to do so annually
- Identify all stakeholders required to support the business service and establish a RACI and supporting SLAs with internal and external service providers
- Establish a forum to discuss the effectiveness of the control environment as well as strategic and operational risks and issues which relate to the business service. The owner should be able to prioritise and fund remediation activities as and when required
- Define and implement appropriate management information across the end-to-end business service
- Develop and embed a plan to maintain the service during times of disruption by developing and leveraging response and recovery plans and embedding effective crisis communications both internally and externally
6. Define the operating model and invest appropriately to enhance and maintain resilience
The firm should develop and embed a set of capabilities to deliver operational resilience on an ongoing basis, leveraging, supplementing and enhancing existing resilience capabilities and risk management frameworks where appropriate. The operating model should enable the firm to prioritise the things that matter, i.e. those activities that, if disrupted, would be detrimental to customers or to the firm’s safety and soundness. Firms should embed ongoing resilience procedures to monitor the resilience profile. This includes incident management procedures, communication plans and training. Investment should be made available to enhance the control framework where required.
Lastly, a key feature of the operating model and a responsibility of the business service owner is the requirement to produce an annual self-assessment which should be made available to the regulators when required. The self-assessment should focus on:
- Ongoing evaluation of business services identification methodology
- Review of the approach to prioritising important business services
- Ongoing evaluation of impact tolerances
- Review of the firm’s approach to mapping important business services
- Ongoing evaluation of testing scenarios
- Business as usual governance of operational resilience
- Implementation of resilience procedures and ongoing review of procedures (including RACI)
- Training delivered to impacted people and teams in line with newly embedded resilience procedures and any future changes
- Investment and remediation to close out vulnerabilities identified that threaten the firm’s ability to deliver its important business services
Firms should apply the principle of proportionality to the assessment based on their scale and risk profile. The assessment should be reviewed and approved by the firm’s board or equivalent management body regularly. The regulatory policy sets out a clear timeline which includes an initial implementation period to 31 March 2022, followed by a period of ‘reasonable time’ to demonstrate that firms can remain within their impact tolerances for important business services in severe but plausible scenarios.