The deadline for complying with new operational resilience rules set out in PS21/3: Building Operational Resilience is March 31, 2025, and the FCA has published some “observations and insights” to help firms as they prepare to meet that deadline. The changes were prompted in part by the disruptions caused by the coronavirus pandemic which, said the FCA, “has shown why it is critically important for firms to understand the services they provide and invest in their resilience.”
The rules apply to;
- banks;
- building societies;
- PRA-designated investment firms;
- insurers;
- Recognised Investment Exchanges;
- enhanced scope Senior Managers and Certification Regime firms and entities authorised and registered under the Payment Services Regulations 2017 and Electronic Money Regulations 2011.
Businesses covered are expected to review their approach and assess readiness in a number of key areas.
Important business services
All factors set out in the FCA’s Handbook must be considered when identifying important business services.
Evidence of why a business service has been identified as important must be provided in the firm’s self-assessment, as must the rationale for identifying other businesses as not important. The FCA has observed a number of firms excluding certain services on the basis of a belief that competitors will be able to service client need in the event of an outage.
Impact tolerance
Impact tolerances must be set for each business service, and kept under regular review. Full rationale for impact tolerance setting must be included in the self-assessment.
While standard practice seems to be to set impact tolerances as time-bound, the FCA advises the use of other metrics to compliment this measure. These could be customer type, value and type of transaction, criticality of transaction or losses. When recovery is not feasible within a time-based impact tolerance, a response plan of mitigating actions should be implemented to ensure the additional metrics aren’t breached.
The FCA also emphasises that impact tolerances are different from recovery time objectives. Recovery time relates to the maximum time taken to recover a service, so recovery time objectives are often set well within impact tolerances.
Mapping and third parties
The people, processes, technology, facilities, and information necessary to deliver each important business service need to be identified and documented. The FCA said it expects this process to “mature over time”.
Particular emphasis is given to relationships with third-party providers, which should be actively managed, and firms should remember it is their responsibility to ensure third parties remain within impact tolerance.
Scenario testing
The FCA advises that a good starting place for constructing “severe but plausible” scenarios is the FCA Handbook. Testing should also mature over time, enabling greater understanding of resilience capabilities.
Testing should incrementally increase levels of disruption, and include a wide range of testing that includes empirical data including, but not limited to;
- penetration tests;
- disaster recovery/fail over tests;
- simulations;
- lessons learned from real scenarios.
Third parties should also be included in such testing, but firms need to satisfy themselves that the methodology and tested scenarios are appropriate.
Vulnerabilities and remediation
Mapping and scenario testing should be sufficient to identify vulnerabilities that may mean firms cannot remain within impact tolerance. Vulnerabilities should be reviewed regularly, and testing constructed to enable potential identification of new vulnerabilities.
The FCA specifies that: “We expect remediation plans to be approved, fully funded, and appropriately governed to ensure delivery, with evidence at closure through repeated scenario tests to verify that the vulnerability has been resolved.”
Response and recovery plans
“Response plans provide alternative actions you can take during a disruption to buy time for recovery plans to complete.,” says the FCA. “They can also help you avoid breaching your impact tolerance.”
The regulator says reviews of self-assessments “showed limited evidence of the testing of response plans, and firms primarily relied on recovery to understand if they could remain within their impact tolerance.”
Governance and self-assessment
Self-assessments “should detail your journey to becoming operationally resilient” says the FCA. Governing bodies must approve self-assessments, so plans must include sufficient information on and justification of decisions taken. And, says the regulator: “Good examples of self-assessment documents allow governing body members to understand their firm’s position and roadmap to resilience.”
Embedding operational resilience
Firms are encouraged not to see operational resilience requirements as a tick-box exercise, but as something to be embedded with organizational culture. “Operational resilience is a core consideration when assessing risks of transformation and change,” says the FCA, and it refers firms to its Building operational resilience policy statement.
Horizon scanning
Understanding new and emerging risks and the proximity of their impact are seen as key to a proper understanding of what testing is appropriate and whether sufficient controls are in place to detect, respond to and recover from operational disruptions.