Welcome to the third article in the ICSR Operational Resilience Assurance Week series (follow the conversation on LinkedIn at #ICSROpResAssuranceWeek). The series explores how assurance reviews can give firms confidence that their Operational Resilience measures around IBS, Impact Tolerances, Scenario Testing and vulnerability management are sound, actionable and aligned with regulatory expectations, and therefore that their Operational Resilience framework is delivering on all of its objectives.
Why An Assurance Review Of Key Aspects Of Your Operational Resilience Framework Is Critical
An assurance review acts as an independent checkpoint that confirms the effectiveness of your firm’s Operational Resilience framework. It provides a structured review of whether:
- Appropriate decisions have been made regarding the identification of IBS, setting of Impact Tolerances, and use of Scenario Testing for resilience.
- Processes are effective and adaptable, and provide documented evidence that can be presented to regulators if required.
- Governance structures are functioning well, ensuring that oversight is not just theoretical but applied practically to guide Operational Resilience efforts.
In this regard, assurance reviews help mitigate risks by providing independent confirmation that all necessary actions have been taken. They also help build confidence for your firm’s board and stakeholders.
Assurance Review Of Important Business Services (IBS)
What Are Important Business Services (IBS)?
IBS are those services that, if disrupted, could cause significant harm to customers, threaten market integrity, or undermine your firm’s safety and soundness. For an insurance firm, this might include key services such as providing cover, providing claims services, and customer support. There are subtle differences in the definition used by the FCA and PRA, which dual-regulated firms should remain cognisant of. This was something we explored in more detail in our article back in April 2021: “Operational Resilience – A Regulatory Double-Header”.
Purpose Of The Assurance Review For IBS
The assurance review for IBS evaluates whether your firm has accurately identified its critical services and has put in place appropriate plans to protect those services during disruption. This assessment should include the identification of third-party providers who are integral to the delivery of the IBS. Key areas of focus for this review include:
- Has your firm identified the correct IBS?
The review assesses whether the criteria used to identify IBS are sound, and whether these services have been appropriately prioritised based on their potential to cause harm in the event of disruption. This should include suitable mechanisms for identifying new IBS that arise from business change.
- Is there a strong governance structure around IBS?
An assurance review looks for evidence of board-level oversight and the extent to which senior management has been involved in decision-making around IBS.
- Are there contingency plans for IBS?
This part of the review examines your firm’s documented contingency plans for maintaining or restoring IBS during disruptions and assesses their practical application.
Review Focus:
- The identification and classification of IBS.
- The extent to which delivery of the IBS is provided by a third party and, if material, what assurances related to service continuity have been obtained from that third party.
- The governance structures managing IBS resilience.
- Contingency plans for maintaining service continuity.
Assurance Review Of Impact Tolerances
What Are Impact Tolerances?
Impact Tolerances are the maximum level of disruption your firm can tolerate before its ability to deliver Important Business Services is significantly compromised, causing intolerable harm to customers or the market. Firms must set these tolerances based on both regulatory guidance and their own risk appetite, noting that a firm’s risk appetite must not influence its analysis of consumer harm. It is another area where subtle differences exist between the definitions used by the FCA and PRA.
If you would like to revisit the subject of Impact Tolerances in a little more detail, this ICSR webinar from May 2021 may be helpful.
Purpose Of The Assurance Review For Impact Tolerances
The assurance review of Impact Tolerances ensures that your firm has set clear, measurable limits for disruptions and that these limits reflect both regulatory standards and internal operational realities. The review explores:
- Were Impact Tolerances set based on sound, well-documented reasoning?
This aspect of the review ensures that Impact Tolerances are not arbitrary but are based on a clear assessment of the potential harm to customers, market stability and your firm itself. It evaluates the governance and decision-making processes used to determine these thresholds.
- Is there effective monitoring of Impact Tolerances?
Assurance reviews examine how well your firm monitors its services against the set Impact Tolerances during both normal operations and disruptions.
- Are Impact Tolerances periodically reviewed?
Your firm should reassess Impact Tolerances regularly to account for changes in business models, emerging risks or new regulatory requirements. The review checks whether these tolerances have been adjusted in line with evolving risks.
Review Focus:
- The rationale behind setting Impact Tolerances.
- Evidence of consistent monitoring of performance against tolerances.
- Ongoing review and adaptation of Impact Tolerances.
Assurance Review Of Scenario Testing
What Is Scenario Testing?
Scenario Testing involves simulating a range of potential disruptions to evaluate how well your firm’s Operational Resilience framework holds up under different stresses. These scenarios are designed to assess your firm’s ability to maintain delivery of its IBS within the established Impact Tolerances, under both plausible and extreme disruption scenarios.
Purpose Of The Assurance Review For Scenario Testing
Unlike stress testing, which often focuses on financial conditions, Scenario Testing in Operational Resilience is broader and evaluates your firm’s response to operational threats, such as cyberattacks, system failures, and external crises. It should also consider service elements that are outsourced to a third-party service provider. The assurance review for Scenario Testing ensures that your firm’s scenario simulations are realistic, challenging, and provide actionable insights. The review addresses:
- Were the scenarios realistic and sufficiently challenging?
The review evaluates whether your firm’s scenarios reflect the full range of risks it could encounter. It assesses whether scenarios are based on real-world threats and encompass both the most likely and the most severe operational disruptions.
- Were the outcomes of Scenario Testing actionable?
The assurance review ensures that insights gained from Scenario Testing lead to tangible improvements. It looks at whether your firm identified vulnerabilities during testing and whether corrective measures were taken in response to those findings.
- Is Scenario Testing embedded in your firm’s governance framework?
The review checks whether Scenario Testing is an integral part of your firm’s decision-making and Operational Resilience planning. It ensures that test results are shared with senior management and influence risk management strategies.
Review Focus:
- The quality and realism of the scenarios tested.
- The ability to translate test results into concrete improvements.
- The integration of Scenario Testing into ongoing governance and risk management.
Assurance Review Of Vulnerabilities Resolution
Identifying And Resolving Vulnerabilities
Vulnerabilities are weaknesses in your firm’s Operational Resilience framework that could lead to failure during a disruption. These may arise from technological limitations, dependencies on third-party providers, or inefficiencies in internal processes. Firms must proactively identify, address, and resolve these vulnerabilities to prevent significant operational impacts.
Purpose Of The Assurance Review For Vulnerabilities Resolution
An assurance review of vulnerability resolution focuses on your firm’s approach to identifying, prioritising, and mitigating weaknesses. This review verifies that your firm has a structured process in place and that it takes meaningful action to address vulnerabilities before they become critical risks. The assurance review typically looks at:
- Has your firm effectively identified key vulnerabilities?
The review evaluates whether your firm has the tools and processes in place to identify vulnerabilities within its Operational Resilience framework. It also checks the completeness of the identification process.
- Is there evidence of adequate action being taken?
The assurance review ensures that, once vulnerabilities are identified, they are addressed in a timely and effective manner. It checks whether there is sufficient documentation and evidence to support the actions taken.
- Are escalation and communication mechanisms in place?
The review assesses whether there are clear escalation protocols to ensure that senior management is aware of critical vulnerabilities and is involved in decision-making around their resolution.
Review Focus:
- The comprehensiveness of your firm’s vulnerability identification process.
- The quality and effectiveness of the resolution process.
- Communication and escalation procedures related to significant risks.
The Assurance Review: What Should You Consider?
When conducting your next assurance review, consider these key questions:
- IBS Identification: Have we correctly identified our Important Business Services, and is there robust governance ensuring their resilience? Are we regularly updating our IBS list as the business evolves or operating models change?
- Impact Tolerances: Are our Impact Tolerances set using sound judgment, and do we regularly review and adapt them to changing risks? Have we set practical Impact Tolerances that reflect operational realities, and can we consistently meet them during disruption scenarios?
- Scenario Testing: Are our scenario tests reflective of the full range of operational risks, and are the insights leading to actionable improvements? Are we conducting scenario tests across various disruption scenarios? Was our test execution realistic and reliable enough? Have we included our third-party service providers in testing?
- Vulnerabilities: Do we have an effective process for identifying and resolving vulnerabilities, and are critical risks escalated appropriately to senior management? Was our prioritisation process sound and defensible? Have we satisfactorily resolved all our key vulnerabilities?
Conclusion
Assurance reviews of IBS, Impact Tolerances, Scenario Testing, and vulnerability management will play a pivotal role in ensuring that firms’ frameworks are resilient and compliant. These independent reviews provide objective assessments that verify whether a firm’s Operational Resilience measures are well-founded, effectively governed, and capable of standing up to regulatory scrutiny.
By focusing on the decisions, processes, and evidence behind Operational Resilience, assurance reviews provide critical insights that help firms adjust, improve, and strengthen their frameworks. They also offer valuable reassurance to the board and senior management that your firm is well-prepared for operational disruptions.
If you would like to discuss how ICSR can apply its extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulation, please speak with either of the authors or your usual ICSR contact.
Tomorrow we will be looking at the changing landscape of outsourcing and Third-Party Risk management, including the new rules on Critical Third Parties.
Talking Operational Resilience
Kenneth Underhill talks about undertaking an assurance review of IBS, Impact Tolerances, Scenario Testing, and Vulnerabilities Resolution in this short video.
Additional Reading & Viewing - articles, webinars and case studies on Operational Resilience
- ICSR Operational Resilience webinars – watch on our YouTube channel:
- Operational Resilience – Introduction with Kenneth Underhill (4th June 2020)
- ICSR Webinar: Technology & Operational Resilience (16th July 2020)
- Operational Resilience: Service and Activity Mapping with Kenneth Underhill (8th October 2020)
- Operational Resilience: Impact Tolerances webinar (26th May 2021)
- Articles:
- Operational Resilience Assurance Week – Preparing For Q1 Board Review And Sign-Off (25th October 2024)
- Operational Resilience – The Final Furlong Towards Implementation (21st May 2024)
- TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This? (18th January 2023)
- Outsourcing and Third-Party Arrangements – Creating Resilience In Your Operational Processes (10th February 2022)
- Operational Resilience – A Regulatory Double-Header (15th April 2021)
- Mapping Important Business Services: When Does A Service Finish? (12th November 2020)
- Operational Resilience: The First Shot Has Been Fired! (6th March 2020)
- Case Studies:
- Assisting International Insurer Manage Its Operational Resilience Obligations
- Digital Operational Resilience Act (DORA) Support For Client In The Irish Regulated Market
- Supporting The Client With The Delivery Of A New Governance, Service And Operating Model As A Part Of A Corporate Restructure
- Assisting London Market Insurance Broker With Operational Resilience
- Support Developing Operational Resilience Control Framework
- Assisting Client With Project Delivering PRA and FCA Operational Resilience Requirements
- Support Preparing For Introduction of Operational Resilience and Business Continuity Planning