In March 2021, the PRA and FCA issued their joint final supervisory statements related to firms’ demonstration of Operational Resilience (SS2/21 and PS21/3).
Learning lessons from the fallout of TSB’s technical issues related to its IT systems and data migration project, and understanding the vulnerabilities highlighted by the COVID-19 pandemic, the regulators identified a need for a more proactive and standardised approach to managing firms’ operational risks through improved resilience.
These requirements prioritised the protection of consumers through greater financial stability in the FS sector, shifting the focus from a traditionally reactive approach to managing operational disruption to a more proactive one, and consequently future-proofing the sector to better adapt to new technology and emerging threats.
The timeframes for demonstrating compliance with these new regulatory expectations seemed generous – more like a long-distance race than a sprint – with firms directed to implement their obligations by March 2025. But to understand exactly what was expected of firms, the majority of whose business continuity and disaster recovery frameworks might be down the priority list for corporate investment, much work needed to be completed. Firms should now be well into the ‘final furlong’ of that work.
What Firms Needed To Do – A Reminder
The primary driver of the Operational Resilience regulations was a starting position that assumes disruption will occur at some future point, as opposed to the approach of many firms, who considered operational disruption as something they would manage ‘if’ it happened. That starting position determined the following component features.
Firms were required to identify their important business services (IBSs) and determine at what point intolerable harm might be experienced by policyholders, should the service not be recovered before this point. It was mandated that impact tolerances must be set using time/duration metrics as a minimum, but that they may also be supplemented with additional metrics and must relate to a single disruption rather than an aggregation of disruptions.
These tolerances should be addressed through the identification and documentation of the necessary ‘resources’, that is to say people, processes, technology, facilities and information required to deliver each IBS, including third parties.
And then these impact tolerances needed to be stressed through a programme of scenario testing, where a range of severe but plausible scenarios would be defined to identify the appropriateness of the impact tolerances documented.
The progress towards these requirements was to be shared in an annual Self-Assessment report to the Board; the inaugural one being due back in March 2022, with subsequent annual versions expected to articulate and demonstrate the progress being made by the firm towards full compliance ahead of the March 2025 deadline.
Our Questions For Those With Responsibility For Op Res
So, to all the COOs, CROs and any other positions responsible for ensuring their company’s operational resilience framework is maturing towards a fully functioning status, how confidently can you answer the following questions, now that we are in the final straight of demonstrating operational resilience?
We’ll start with the easy ones…
- Have you identified IBSs from both a policyholder harm and firm harm perspective?
- Have you articulated the process maps, identifying all the resources employed in the execution of each IBS?
- Do you have impact tolerances in place for each IBS, with stress tests performed to validate their appropriateness?
- Have you created a Self-Assessment report for your annual Board updates?
Building on these early deliverables, the following features are those that you should have been progressing towards during 2022 and 2023 and reflected in your March 2024 Self-Assessment report to your Board.
Did your March 2024 Board Report cover:
- A full programme of stress tests to identify vulnerabilities in processes, both internal and external?
- A remediation plan identifying the programme of work to improve resilience where necessary?
- Recovery and communication plans defining how to restore and resume IBS(s) within tolerance?
- Governance and oversight frameworks developed and maturing, with clear ownership responsibilities across the first- and second-line functions?
- Lessons-learnt processes identified and implemented after any live risk event, as well as after simulation exercises?
Not Forgetting DORA
For those firms with a presence in Europe as well, there is the added requirement to meet the obligations of the Digital Operational Resilience Act (DORA). The regulation came into force in January 2023 and will be applicable from January 2025, with its purpose to strengthen the IT security of financial entities specifically.
DORA focuses on five main pillars that financial entities and critical ICT service providers need to address:
- ICT Risk Management and Governance – firms must establish a comprehensive ICT risk management framework. This includes identifying and assessing ICT risks, implementing controls to mitigate them, and having a clear governance structure for ICT oversight.
- ICT Incident Reporting – firms are obligated to report major ICT-related incidents to the relevant authorities. DORA defines what constitutes a “major” incident and outlines the reporting timeframe.
- Digital Operational Resilience Testing – firms need to conduct regular testing of their digital resilience. This involves simulating various disruption scenarios like cyberattacks or IT outages to assess their ability to respond and recover effectively.
- Information and Intelligence Sharing – DORA encourages information sharing between firms and authorities regarding cyber threats and vulnerabilities. This collaborative approach strengthens the overall resilience of the financial sector.
- Information and Communications Technology (ICT) Third-Party Risk Management – since many firms rely on third-party ICT service providers, DORA mandates that they assess and manage the associated risks. This ensures that any vulnerabilities within the third-party ecosystem don’t compromise the overall resilience of the financial entity.
While these add to the demands of UK entities with a suite of specific expectations, the UK and EU regulations harmonise by focusing on different aspects of a firm’s ability to withstand disruptions, with the following advantages perceived:
- Stronger foundation: a robust operational resilience framework, as required by the PRA and FCA, provides a solid foundation for firms to build upon when addressing digital operational resilience under DORA.
- Targeted measures: DORA’s specific requirements for ICT risk management, testing, and reporting further strengthen a firm’s overall resilience by focusing on a critical area – its digital infrastructure.
- Comprehensive approach: together, they provide a comprehensive approach to managing disruptions, ensuring firms are prepared to handle both traditional and technology-driven threats.
By complying with both sets of requirements, firms will consequently build a more robust and holistic approach to operational resilience, safeguarding their critical functions and services in an increasingly digital world.
BAU And Oversight Ownership
So, as we canter along to the final phase of implementation and the March 2025 Self-Assessment, those in the first and second line, with responsibilities for executing the Operational Resilience and DORA frameworks, should have a clear view of their responsibilities.
If implementation is still in a remedial phase, that is to say, if early stress tests identified vulnerabilities which are still being addressed, then the deliverables required will still have a project flavour. The remainder of this year will be spent ensuring these are implemented, such that the firm is confident it is able to attest to impact tolerances not being breached in periods of disruption.
For those firms who are in the position where their Operational Resilience and DORA framework development is largely complete and now being embedded as business-as-usual across the first and second lines of defence – an enviable position – they are likely taking the opportunity to explore how these new processes might translate into operational efficiencies/excellence.
Much of the ownership of the Operational Resilience and DORA requirements lives in the first line, but key oversight responsibilities fall to a firm’s Enterprise Risk function, which might be required to assume responsibility for the stress testing and almost certainly will be required to assume responsibility for the annual Self-Assessment Board report.
Conclusion
ICSR has been supporting a variety of clients with the implementation of their Operational Resilience frameworks, as well as supporting firms to provide assurance as to whether these are developing towards maturity at the required pace. We have developed significant first-hand experience of the way that applying the principles underlying the Operational Resilience and DORA frameworks presents challenges for companies with myriad risk profiles, supply chain complexities and IT infrastructure security requirements.
It is inevitable that, with complex frameworks such as these being applied across a wide range of different operating and distribution models, some complex questions will arise as to the interpretation of the rules. Being able to draw on a broad base of work on the subject has enabled us to guide clients through those complexities, achieving pragmatic solutions that meet both business and regulatory expectations and allowing them to successfully navigate their final furlong and reach the finishing line.
If you would like any support or guidance to progress your framework development, or get independent assurance that you have fulfilled the requirements of the regulations, please do speak with the author or your usual ICSR contact.