On 25 May 2022 the Bank of England ("BoE") published a speech by Duncan Mackinnon, Executive Director for Supervisory Risk Specialists at the BoE, "What will operational resilience look like going forward? An overview of the supervisory regulatory position". The speech provides key guidance to firms on where the Prudential Regulation Authority ("PRA") expects firms to focus their work towards achieving the joint PRA, BoE and Financial Conduct Authority policy requirements in "Operational resilience: Impact tolerances for important business services", which must be complied with by March 2025. "Operational resilience" is defined as "the ability of firms, financial market infrastructures and the financial sector as a whole to prevent, adapt and respond to, recover and learn from operational disruption". By March 2025 firms will need to ensure they are resilient, within agreed impact tolerances, to disruption of their important business services, being those services which, if disrupted, could pose a risk to the firm's safety and soundness or, in certain cases, to the financial stability of the UK.
Mackinnon noted that firms have been operating in a challenging environment, facing risks such as Brexit, the pandemic and the crisis in Ukraine, and that the system is ever more complex, with a fast-evolving and unpredictable risk environment. However, strengthening operational resilience is key to managing these risks.
Mackinnon outlined particular areas where the PRA expects firms to focus as they work towards meeting the policy expectations.
- Implementing operational resilience policy
By now firms should have identified their important business services, set impact tolerances, completed mapping and commenced a programme of scenario testing. However, this is only the beginning, and it cannot be achieved through compliance alone: "Approaches and solutions must acknowledge that operational failures are inevitable. And as we do not know what disruptions will materialise, firms need to plan for a wide range of possible failures." Mapping will need to include third party providers and all critical resources, and firms will need to consider both internal and external dependencies.
- Scenario testing
Firms' scenario testing should assume disruption has occurred, include data integrity scenarios and incorporate third party disruption. Firms should also consider factors beyond their control. Mackinnon outlined other factors that firms should consider when scenario testing: "Scenarios should consider the evolving risk environment, they should be challenging, and ask what might happen if back up arrangements do not function as anticipated. Scenarios will include cases where multiple parts of the organisation are disrupted simultaneously. Given that impact tolerances are set at the maximum level of disruption a firm can tolerate, firms will have to judge how close to that line they are comfortable to be through their testing."
Mackinnon set out the PRA's expectations on the form of testing firms use. He also explained that the right governance should be in place, and that senior management and boards should be involved in, and engaged with, the testing results.
- Building resilience
Mackinnon explained that "the operational resilience policy is outcome-based". Firms have discretion in how they build resilience into their systems. However, Mackinnon made it clear that firms may need to invest significantly to achieve the policy outcomes: "For example, by building an additional data centre or facility so services can be transferred and delivered to the same standard following a failure. Firms will also need to review and adapt outsourcing arrangements and re-architect or replace critical legacy systems as a part of building their resilience."
- Embedding operational resilience
Implementing operational resilience is not a "tick box" exercise: "Implementing operational resilience is not just about the individual requirements and outcomes within the policy. We expect resilience to be embedded in the way firms do business."
Operational resilience policy complements existing expectations such as operational risk, disaster recovery and business continuity. Firms can leverage their existing approaches and frameworks to meet more than one policy objective, which the PRA regards as firms embedding operational resilience into the way they do business. However, the policy requirements under each expectation will still need to be met in full.
Mackinnon referred to the PRA's publication of its outsourcing and third party risk management policy alongside its operational resilience policy. He explained: "Implementation of this policy is fundamental to firms’ resilience. The requirements are complementary."
Mackinnon's speech provides important guidance on implementing operational resilience policy ahead of March 2025. As Mackinnon stated, compliance cannot be achieved through adherence to a single rulebook or set of principles. The requirements are instead outcomes-based: they must be designed to address the unique circumstances of each firm and to plan for the unexpected future contingencies that each particular firm may face. Mackinnon summarised the position: "we expect firms to go beyond compliance. Operational resilience is not something a small team of experts can achieve. It requires firms to think differently and integrate resilience into the way they do business." In an increasingly uncertain risk environment, firms would be prudent to take on board this most recent guidance from the PRA: if a major operational incident transpires, it will be no excuse in any subsequent enforcement process that the event was unforeseen.