The clock is ticking for insurance firms ahead of the March 2025 deadline to fully implement and demonstrate Operational Resilience. This date marks the end of the transitional period mandated by the Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA), during which firms have been tasked with building and refining their resilience to operational disruptions. For Chief Risk Officers (CROs) and Chief Operating Officers (COOs) across the insurance sector, ensuring that your organisation can withstand, adapt, and recover from disruptions is more critical than ever.

However, there’s a crucial distinction that must not be overlooked: doing the right thing is no longer enough. At a time when it is critical to evidence the completeness of transition projects, the final step in ensuring good governance is for the board to be able to sign off the work undertaken by your firm. This requires an assessment of the measures implemented. That assessment is not simply about whether your firm has robust Operational Resilience measures in place – you need to be able to evidence it to the satisfaction of the board.

Without clear validation and documentation of your firm’s efforts, the risk is that all the hard work, investment, and internal changes may fall short of good governance, leaving board members and any responsible SMF potentially exposed to personal liability. This is where independent assurance comes in, providing the evidence and transparency required to satisfy regulatory demands and future-proof your firm. That independence may be internal (if you have the skills in house, for instance within your internal audit team) or external, the key being an independence of thought from the team undertaking the original assessments and work.

Scrutiny Post-Transition Period

The insurance industry, like much of the financial services sector, has long been guided by the principle of doing the right thing when it comes to managing risks and ensuring business continuity. For decades, firms have invested in internal controls, governance frameworks, and disaster recovery plans. Yet, under the new Operational Resilience rules, the regulatory bar has been set much higher.

Boards, COOs and CROs are no longer just asking their teams to build resilience – they need them to be able to evidence it. The regulators are also committed to intensifying their oversight and demanding stronger evidence of compliance, especially in high-risk sectors like financial crime, AML, and – the focus of #ICSROpResAssuranceWeek – Operational Resilience.

This means:

  • Evidence of Operational Resilience frameworks: Demonstrating that your firm has identified important business services, set realistic impact tolerances, and put mechanisms in place to remain within those tolerances during a severe disruption.
  • Evidence of testing and validation: It’s not enough to design processes on paper. Firms need to demonstrate that they have stress-tested their systems, infrastructure, and response plans under real-world scenarios.
  • Evidence of continuous and ongoing monitoring and improvement: Operational Resilience is not a one-time project. Your firm must show that resilience is embedded in your culture, with governance structures, ongoing monitoring, reporting and oversight at the appropriate level within the governance framework to adapt to new and evolving risks.

For CROs and COOs, the message is clear: without robust evidence, you may struggle to convince your board that your firm has met its obligations and they can approve the self-assessment report. From March 2025 onwards, once the transition period has passed, firms must ensure they can demonstrate full compliance with regulations that require:

  • Identification of important business services
  • Setting of clear impact tolerances
  • Evidence that these tolerances can be met during severe disruptions

Independent assurance can provide the objective evidence you need to show that your firm’s Operational Resilience framework meets these expectations. It serves as an objective stamp of approval, validating that your organisation has done everything possible to meet regulatory requirements. It will provide added strength to your Self-Assessment ahead of board review and sign off.

The Role of Independent Assurance in Evidencing Your Self-Assessment Findings

Operational Resilience is not just another compliance checkbox – it’s a fundamental shift in how regulated firms need to think about risk, disruption, and the continuity of their most critical services. The key question isn’t just whether your firm has taken steps to enhance resilience, but how effective those steps will prove to be if put into practice.

Engaging an independent party to review your Operational Resilience plans and measures can bring substantial benefits, ensuring that your firm is not only compliant but also better prepared to manage the complexities of modern risks and the inevitable internal and external changes that have the potential to impact Operational Resilience plans.

From Monday 11th November, as part of ICSR’s Operational Resilience Assurance Week (LinkedIn: #ICSROpResAssuranceWeek), we will be exploring how firms might consider approaching Operational Resilience Assurance to ensure that they:

  • Uncover any blind spots in their Operational Resilience planning, project management and self-assessment;
  • Enhance stakeholder confidence and ensure boards are able to provide any regulatory attestations that may be required;
  • Strengthen their management of Third-Party related risks; and
  • Are appropriately prepared for any post-deadline regulatory scrutiny.

With those objectives in mind, we will delve into the following key areas:

  1. Operational Resilience assurance and why it is important for firms.
    What the objective of your Operational Resilience Assurance is, and why it is important for firms to dedicate sufficient and appropriate resources, even if they feel their plans are already well considered and developed.
  2. Undertaking a review of the project governance process.
    Undertaking a review of the project governance process, with a specific focus on making sure the original set of actions and deliverables were appropriate and the plan was sufficiently flexible to respond and adapt to any subsequent changes in the macro or micro environment, including any changes in your firm’s business model that may have occurred during the delivery phase of Operational Resilience planning.
  3. The approach to the identification of Important Business Services, Impact Tolerances and Scenario Testing, including the creation of your Operational Resilience framework.
    The process of undertaking an objective examination of the effectiveness of governance, decision-making processes, and the evidence supporting your firm’s Operational Resilience work and strategy.
  4. The changing landscape of outsourcing and Third-Party Risk management, including rules on Critical Third Parties.
    The changing landscape of outsourcing and Third-Party Risk management, alongside the impact of the separate – but related – regulatory work on Critical Third Parties (CTPs), including the implications of doing business with an officially designated CTP and how your Operational Resilience plan might need to respond.
  5. Remaining relevant and adaptable post transition-period.
    Understanding the ability of your Operational Resilience framework to remain relevant and adaptable beyond the 31st March 2025, including a look at what is required to ensure your board have the necessary confidence to be able to make any ongoing regulatory attestations that may be required.

When Is A Good Time To Start Your Operational Resilience Assurance Review?

To ensure readiness for the March 2025 Operational Resilience deadline, firms will need to present their self-assessment to their board for review and approval by Q1 2025 and demonstrate compliance with the regulatory expectations. This self-assessment should be thorough and backed by robust evidence. As a result, all Assurance reviews must be completed prior to this, including any critical remediation work that may have been identified in the process.

Given this timeline, firms should be standing up their assurance efforts without delay. Assurance activities take time to execute, particularly if gaps or shortcomings are identified that require urgent attention. Scenario testing, mapping, and reviewing your firm’s ability to stay within its Impact Tolerances are intricate tasks that require comprehensive oversight and cross-functional collaboration. Any delays could leave insufficient time to address findings or provide the board with the assurance they need to confidently sign off on the self-assessment.

Therefore, firms cannot afford to wait until the final months. By starting now, you can ensure the review process is thorough, any issues are resolved ahead of time, and the board have ample time to engage with the findings and take necessary actions. In short, to meet the March 2025 deadline effectively, firms should have their reviews well under way this side of Christmas.

Conclusion

CROs and COOs in the insurance industry must focus not just on building Operational Resilience but on being able to evidence it – and evidence that the frameworks remain relevant now and into the future. Regulators are looking for clear, objective proof that your firm can maintain critical services through disruption, and internal assurances not backed up with evidence will not be enough to satisfy their expectations.

Independent assurance offers the validation and documented evidence needed to bridge the gap between doing the right thing and proving it. By investing in this process now, your firm can confidently demonstrate that it has achieved the necessary levels of Operational Resilience through its self-assessment and provide its board with the information required to review, challenge and ultimately provide their sign-off.

ICSR has been supporting a variety of clients with the implementation of their Operational Resilience frameworks, as well as providing independent assurance. We have developed significant first-hand experience of how applying the principles underlined by the Operational Resilience and DORA frameworks presents challenges for companies with myriad business and operating models, distribution strategies, risk profiles, supply chain complexities and IT infrastructure security.

If you would like to discuss how ICSR can leverage its extensive knowledge and experience to bolster your firm’s confidence in its ability to evidence compliance with Operational Resilience regulation, please do speak with the author or your usual ICSR contact.

Stay tuned! From Monday 11th November we will be issuing more useful information on the topics covered above through daily articles as part of ICSR’s Operational Resilience Assurance Week.
