The building blocks of operational resilience for financial services firms

How ready is your company to become operationally resilient?

If you aren’t sure, you will need an answer soon because the Financial Conduct Authority’s (FCA) PS21/3 rule requires financial firms to have carried out a number of activities towards operational resilience by 31 March 2022. With time running out, how can firms ensure they are ready by the deadline?

fscom’s experts in financial crime, cyber security and regulatory compliance offered their advice in a recent webinar. The speakers were:

• Alison Donnelly, Director of Regulatory Compliance and Head of Payments.
• Nick Gumbley, Associate Director for Cyber Security.
• Nick Wright, Senior Manager for Payments.

During the webinar, we asked attendees how ready their firms were for the March 2022 milestone. Two thirds said they had a project underway to plan for operational resilience, and a third hadn’t started. Nobody said they were completely ready.

If that applies to you, read on to understand our experts’ advice on becoming operationally resilient.

Rising regulatory requirements for operational resilience

There has been a trend towards more regulation around operational resilience in recent years. The FCA’s PS21/3 requires UK firms to demonstrate that they are taking steps towards operational resilience by March 2022.

Firms do not need to have achieved full operational resilience by then but to have identified the issues they need to act on to achieve that goal. But the work does not end there. By March 2025, firms must have fully mapped and tested their important business services to ensure they operate consistently within their impact tolerances.

Operational resilience is also becoming a focus of regulators in Ireland, who are considering a similar initiative to PS21/3. A consultation paper launched by the Central Bank of Ireland earlier this year stressed the need for financial services firms to enter a robust exercise to identify, prepare for and understand the implications of disruption to the services they provide.

Three steps to PS21/3 compliance

Financial services firms in the UK need to do the following to comply with developing regulations by 31 March:

1) Identify your important business services

Companies should identify what services they provide to customers – but they do not need to list all these services on the FCA’s self-assessment form. Instead, you should identify the most important services along with an explanation of how you came to that decision. These are services that are provided to one or more clients which, if disrupted, could cause “intolerable levels of harm” to the client(s) or pose a risk to the stability of the UK financial system or financial markets. The FCA will require firms to review these important business services annually starting from March 2022.

2) Assess and mitigate what level of disruption is tolerable

Companies should assess their maximum tolerable level of disruption to each important business service – what the FCA defines as “impact tolerances”. You should assess the scale and impact of disruption over time to the firm and its ability to deliver each service, covering “severe but plausible scenarios” of disruption.

3) Carry out mapping and some testing of your operational resilience

Companies need to map all important business services and set impact tolerances by March 2022. For this process to be sufficiently sophisticated, some testing of the resilience of services is required – but full testing only needs to be done by March 2025. Vulnerabilities in operational resilience should also be identified at this initial stage.

Plan now to improve your operational resilience for the future

During the webinar, the speakers outlined best practices that firms should put in place now to improve their process of moving towards full operational resilience by 2025. For firms outside the UK, this advice is still worth following because operational resilience will better prepare you to withstand future shocks.

Their tips included:

• Identify a programme sponsor at Board level who is responsible for the drive towards operational resilience. Only someone in the C-suite will have sufficient visibility and authority across the business and be able to take executive action and get people to come together in a room.
• Identify a project manager who can provide a bird’s eye view of the operational resilience requirements across the business. This may require bringing in independent support if your business lacks a project management function.
• Identify the key stakeholders to involve in this process – likely the heads of functions like technology, business operations, legal, risk management, procurement, information security and the MLRO.
• Prioritise and plan from now through to 2025, allocating the appropriate resources to meet the 2022 and 2025 deadlines.
• Recognise that communications are important in the event of disruption to business services. The FCA expects that companies determine who is responsible for internal and external communications. Holding statements and playbooks should be drafted and communications should be timely, meaningful and relevant to the audience.
• Train staff in the risks that their actions could pose to operational resilience, such as information security breaches. Offer enhanced training to any high-risk personnel who have a key role in maintaining important business services.

You can hear more tips to prepare for the March 2022 deadline and beyond by watching the webinar on demand here.

For more information or if you would like assistance with your operational resilience compliance, contact us today.