Regulatory Timeline: Operational Resilience
Status: Ongoing
Regulator: FCA, PRA and Bank of England
Under the most recent update from the FCA on 7th December 2023, firms are now also expected to report material operational incidents to the FCA. Examples would include situations that:
- result in a significant loss of data;
- result in the unavailability or control of your IT systems;
- affect a large number of customers; or
- result in unauthorised access to your information systems.
The FCA and PRA have created a cyber resilience self-assessment questionnaire, CQUEST, which consists of multiple-choice questions covering aspects of cyber resilience, such as:
- Does your firm have a Board approved cyber security strategy?
- How does it identify and protect its critical assets?
- How does it detect and respond to an incident, recover the business, and learn from the experience?
The PRA sees cyber-related risks as a major emerging threat to firms and in that context firms can be expected to have considered cyber-related operational threats as part of their Operational Resilience planning more generally. It is one of the key issues highlighted by Sam Woods in his foreword to the PRA plan. The FCA has also created a broader operational resilience self-assessment questionnaire called ORQUEST to help firms understand their operational resilience capabilities, including their cyber capabilities.
This timeline provides key dates in the regulatory calendar and links to ICSR articles and webinars on the subject. If you would like to discuss any aspects of Operational Resilience, please contact us.
Deadline for mapping and testing
By no later than 31 March 2025, firms will need to have:
- performed mapping and testing so that you can remain within impact tolerances for each important business service; and
- made the necessary investments to enable you to operate consistently within your impact tolerance.
FCA Business Plan 2024/5
The FCA Business Plan for 2024/5 confirms its ongoing commitment to focus on “Minimising the impact of operational disruptions”. A consultation paper clarifying its expectations on how firms should report operational incidents is expected.
TSB Operational Resilience Fine – What Lessons Can Insurers Learn From This?
ICSR Risk & Compliance Director Claire King looks at the actions taken by the PRA following TSB’s IT systems and data migration project, which moved its corporate and personal customer servicing onto a new platform. While this, in itself, was successful, technical failures were soon being flagged, causing significant disruption to TSB’s banking services: branch, telephone, online and mobile banking.
Deadline for compliance with the Policy Statement requirements
“By 31 March 2022, firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.”
FCA Report: Operational resilience insights for insurance firms
The FCA asked a sample of 47 firms about its rules for strengthening operational resilience and published its observations on what it learned. Read its observations to review your firm’s approach.
ICSR Article: Outsourcing and Third-Party Arrangements – Creating Resilience In Your Operational Processes
This article takes a look at SS2/21 including its scope, aims, the key requirements and what firms need to do to ensure they are compliant.
ICSR webinar - Impact Tolerances
Webinar: Operational Resilience: Impact Tolerances with Kenneth Underhill
ICSR Article: Operational Resilience – A Regulatory Double-Header
ICSR Director Kenneth Underhill looks at the approach to Operational Resilience adopted by the PRA and FCA in their co-ordinated Policy Statements.
PRA Policy Statement PS6/21
The PRA have published their Policy Statement.
FCA Policy Statement
The FCA have published their Policy Statement.
ICSR Article: Mapping Important Business Services: When Does A Service Finish?
ICSR Director Kenneth Underhill considers questions about mapping claims and the point in the service delivery process at which the requirement for mapping ceases.
ICSR webinar - Service and Activity Mapping
Webinar: Operational Resilience: Service and Activity Mapping with Kenneth Underhill
Consultation Period closes
Consultation period for CP19/32 closes. The original date of 3rd April 2020 has been extended to 1st October 2020 due to the coronavirus pandemic.
ICSR webinar - Technology and Operational Resilience
A webinar on Technology and Operational Resilience.
ICSR webinar - Introduction to Operational Resilience
ICSR Director Kenneth Underhill provides an overview of Operational Resilience.
ICSR Article: Coronavirus – The Long And The Short Of It
ICSR Director Kenneth Underhill considers the operational resilience implications of the coronavirus pandemic.
Consultation Papers Published
The Bank of England (the Bank), Prudential Regulation Authority (PRA) and Financial Conduct Authority (FCA) have published a shared policy summary and co-ordinated consultation papers (CPs) on new requirements to strengthen operational resilience in the financial services sector.
Discussion period closes
The deadline for firms to submit their representations to the regulator.
Discussion Paper released
Building the UK financial sector’s operational resilience
- Bank of England DP01/18
- Prudential Regulation Authority (PRA) DP01/18
- Financial Conduct Authority (FCA) DP18/04