Regulatory Timeline: Operational Resilience

Status: Ongoing
Regulator: FCA, PRA and Bank of England

Under the most recent update from the FCA on 7th December 2023, firms are now also expected to report material operational incidents to the FCA. Examples would include situations that:

  • result in a significant loss of data;
  • result in the unavailability or control of your IT systems;
  • affect a large number of customers; or
  • result in unauthorised access to your information systems.

The FCA and PRA have created a cyber resilient self-assessment questionnaire, CQUEST, this consists of multiple-choice questions covering aspects of cyber resilience, such as:

  • Does your firm have a Board approved cyber security strategy?
  • How does it identify and protect its critical assets?
  • How does it detect and respond to an incident, recover the business, and learn from the experience?

The PRA sees cyber-related risks as a major emerging threat to firms and in that context firms can be expected to have considered cyber-related operational threats as part of their Operational Resilience planning more generally. It is one of the key issues highlighted by Sam Woods in his foreword to the PRA plan. The FCA has also created a broader operational resilience self-assessment questionnaire called ORQUEST to help firms understand their operational resilience capabilities, including their cyber capabilities.

This timeline provides key dates in the regulatory calendar and links to ICSR articles and webinars on the subject. If you would like to discuss any aspects of Operational Resilience, please contact us.

Back to Regulatory Timeline: Overview

31st March 2025

Deadline for mapping and testing

By no later than 31 March 2025, firms will need to have:

  • performed mapping and testing so that you can remain within impact tolerances for each important business service;
  • made the necessary investments to enable you to operate consistently within your impact tolerance

Read FCA Guidance

19th March 2024

FCA Business Plan 2024/5

The FCA Business Plan for 2024/5 confirms their ongoing commitment to focus on “Minimising the impact of operational disruptions”. A consultation paper clarifying its expectations on how firms should report operational incidents is expected.

Read FCA Plan

b
18th January 2023

TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This?

Justice

 

 

 

ICSR Risk & Compliance Director Claire King looks at the actions taken by the PRA following an IT systems and data migration project, moving its corporate and personal customer servicing onto a new platform. While this, in itself, was successful, technical failures were soon being flagged, causing significant disruption to TSB’s banking services; branch, telephone, online and mobile banking. 

Read Article

31st March 2022

Deadline for compliance with the Policy Statement requirements.

“By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.”

Read Bank of England update

24th March 2022

FCA Report: Operational resilience insights for insurance firms

The FCA asked a sample of 47 firms about its rules for strengthening operational resilience and published its observations on what it learned. Read its observations to review your firm’s approach.

Read FCA report

b
10th February 2022

ICSR Article: Outsourcing and Third-Party Arrangements – Creating Resilience In Your Operational Processes

 

 

 

This article takes a look at SS2/21 including its scope, aims, the key requirements and what firms need to do to ensure they are compliant.

Read Article

26th May 2021

ICSR webinar - Impact Tolerances

Webinar: Operational Resilience: Impact Tolerances with Kenneth Underhill

b
15th April 2021

ICSR Article: Operational Resilience – A Regulatory Double-Header

Operational resilience - a regulatory double header

 

 

 

 

ICSR Director Kenneth Underhill looks at the approach to Operational Resilience adopted by the PRA and FCA in their co-ordinated Policy Statements.

Read Article

29th March 2021

PRA Policy Statement PS6/21

The PRA have published their Policy Statement

Read PRA Policy Statement

29th March 2021

FCA Policy Statement

The FCA have published their Policy Statement

Read FCA Policy Statement PS21/3

b
12th November 2020

ICSR Article: Mapping Important Business Services: When Does A Service Finish?

claims payments

 

 

 

ICSR Director Kenneth Underhill considers questions about mapping claims and at what point in the service delivery process does the requirement for mapping cease.

Read Article

8th October 2020

ICSR webinar - Service and Activity Mapping

Webinar: Operational Resilience: Service and Activity Mapping with Kenneth Underhill

1st October 2020

Consultation Period closes

Consultation period for CP19/32 closes. The original date of 3rd April 2020 has been extended to 1st October 2020 due to the coronavirus pandemic.

16th July 2020

ICSR webinar - Technology and Operational Resilience

A webinar on Technology and Operational Resilience.

4th June 2020

ICSR webinar - Introduction to Operational Resilience

ICSR Director Kenneth Underhill provides an overview of Operational Resilience.

b
29th April 2020

ICSR Article: Coronavirus – The Long And The Short Of It

Coronavirus pandemic

 

 

 

ICSR Director Kenneth Underhill considers the operational resilience implications of the coronavirus pandemic.

Read Article

5th December 2019

Consultation Papers Published

The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.

Read FCA Consultation Paper

5th October 2018

Discussion period closes

The deadline for firms to submit their representations to the regulator.

5th July 2018

Discussion Paper released

Building the UK financial sector’s operational resilience

  • Bank of England DP01/18
  • Prudential Regulation Authority (PRA) DP01/18
  • Financial Conduct Authority (FCA) DP18/04

Read Discussion Paper

Advisory & Resourcing

Pin It on Pinterest