The building blocks of operational resilience for financial services firms


How ready is your company to become operationally resilient?


If you aren’t sure, you will need an answer soon because the Financial Conduct Authority’s (FCA) PS21/3 rule requires financial firms to have carried out a number of activities towards operational resilience by 31 March 2022. With time running out, how can firms ensure they are ready by the deadline?


fscom’s experts in financial crime, cyber security and regulatory compliance offered their advice in a recent webinar. The speakers were:

  • Alison Donnelly, Director of Regulatory Compliance and Head of Payments.
  • Nick Gumbley, Associate Director for Cyber Security.
  • Nick Wright, Senior Manager for Payments.

During the webinar, we asked attendees how ready their firms were for the March 2022 milestone. Two thirds said they had a project underway to plan for operational resilience, and a third hadn’t started. Nobody said they were completely ready.


If that applies to you, read on to understand our experts’ advice on becoming operationally resilient.



Rising regulatory requirements for operational resilience


There has been a trend towards more regulation around operational resilience in recent years. The FCA’s PS21/3 requires UK firms to demonstrate that they are taking steps towards operational resilience by March 2022.


Firms do not need to have achieved full operational resilience by then, but they must have identified the issues they need to act on to achieve that goal. The work does not end there. By March 2025, firms must have fully mapped and tested their important business services to ensure they operate consistently within their impact tolerances.


Operational resilience is also becoming a focus of regulators in Ireland, who are considering a similar initiative to PS21/3. A consultation paper launched by the Central Bank of Ireland earlier this year stressed the need for financial services firms to enter a robust exercise to identify, prepare for and understand the implications of disruption to the services they provide.



Three steps to PS21/3 compliance


Financial services firms in the UK need to do the following to comply with developing regulations by 31 March:


1) Identify your important business services


Companies should identify what services they provide to customers – but they do not need to list all these services on the FCA’s self-assessment form. Instead, you should identify the most important services along with an explanation of how you came to that decision. These are services that are provided to one or more clients which, if disrupted, could cause “intolerable levels of harm” to the client(s) or pose a risk to the stability of the UK financial system or financial markets. The FCA will require firms to review these important business services annually starting from March 2022.


2) Assess and mitigate what level of disruption is tolerable


Companies should assess their maximum tolerable level of disruption to each important business service – what the FCA defines as “impact tolerances”. You should assess the scale and impact of disruption over time to the firm and its ability to deliver each service, covering “severe but plausible scenarios” of disruption.


3) Carry out mapping and some testing of your operational resilience


Companies need to map all important business services and set impact tolerances by March 2022. For this process to be sufficiently sophisticated, some testing of the resilience of services is required – but full testing only needs to be done by March 2025. Vulnerabilities in operational resilience should also be identified at this initial stage.



Plan now to improve your operational resilience for the future


During the webinar, the speakers outlined best practices that firms should put in place now to improve their process of moving towards full operational resilience by 2025. For firms outside the UK, this advice is still worth following because operational resilience will better prepare you to withstand future shocks.


Their tips included:


  • Identify a programme sponsor at Board level who is responsible for the drive towards operational resilience. Only someone in the C-suite will have sufficient visibility and authority across the business and be able to take executive action and get people to come together in a room.
  • Identify a project manager who can provide a bird’s eye view of the operational resilience requirements across the business. This may require bringing in independent support if your business lacks a project management function.
  • Identify the key stakeholders to involve in this process – likely the heads of functions like technology, business operations, legal, risk management, procurement, information security and the MLRO.
  • Prioritise and plan from now through to 2025, allocating the appropriate resources to meet the 2022 and 2025 deadlines.
  • Recognise that communications are important in the event of disruption to business services. The FCA expects that companies determine who is responsible for internal and external communications. Holding statements and playbooks should be drafted and communications should be timely, meaningful and relevant to the audience.
  • Train staff in the risks that their actions could pose to operational resilience, such as information security breaches. Offer enhanced training to any high-risk personnel who have a key role in maintaining important business services.



You can hear more tips to prepare for the March 2022 deadline and beyond by watching the webinar on demand here.


For more information or if you would like assistance with your operational resilience compliance, contact us today.

Article by fscom
