In 2018, the Bank of England and the FCA published a discussion paper setting out their expectations that financial institutions and financial market infrastructures (FMIs) should become more ‘operationally resilient.’ There is currently no accepted definition of operational resilience; it is, however, expected to comprise the following key elements:
A focus on continuity of service provision over systems and processes. Business services are defined as ‘products and services that an institution or FMI provides to its customers. These will vary by institutions or FMI, but examples could include the delivery and management of particular loan or insurance products.’
The development and board approval of new ‘impact tolerances.’ These describe firms’ and FMIs’ tolerance for disruption, under the assumption that disruption to a particular business service will occur. Impact tolerance is expressed by reference to specific outcomes and metrics. Such metrics could include the maximum tolerable duration or volume of disruption, the criticality of ensuring data integrity or the number of customers affected. Impact tolerances are different from risk appetite, in the sense that they presume that a particular risk has crystallized, but they will inform the risk appetite of a firm or FMI’s board and senior management.
As highlighted above, an automatic presumption of the inevitability of failure in any scenario planning. This approach removes probability from risk scenarios and requires planning for extreme events.
An emphasis on the speed and effectiveness of communications with those impacted as an important part of institutions’ overall response.
A supervisory focus on boards and senior management oversight of resilience of business services.
According to the discussion paper, implementing operational resilience is likely to require actions from institutions including:
Production of clear communication plans, escalation paths and identified decision makers.
Production of communication plans for customers, other market participants and supervisory authorities.
Ensuring a detailed knowledge of systems and processes substitutable during any disruption.
Tested plans ensuring continuity of business services when disruptions occur (the presumption of failure).
A comprehensive understanding and mapping of systems and processes, including outsourced activities and intra-group entities globally.
Knowledge of how systems and processes impact the provision of key business services.
A clear understanding of the most important business service or services.
The discussion paper does provide a useful framework for institutions to consider as part of the delivery of the above actions. In summary:
Identify: The most important business services and how much disruption could be tolerated in what circumstances.
Map: The systems and processes that support these business services.
Assess: How the failure of an individual system or process could impact the business service.
Test: Using scenarios and by learning from experience, that resilience meets the firm’s tolerance.
Invest: In the ability to respond to and recover from disruptions through having appropriate systems, oversight and training.
Communicate: Timely information to internal stakeholders, supervisory authorities, customers, counterparties and other market participants.
The discussion paper also highlights some useful guidance on supervisory expectations which includes:
Preparation: Can institutions identify and focus on the continuity of the most important business services, set impact tolerances and demonstrate ‘substitutability’?
Recovery: Do institutions assume disruptions will occur, and have they developed processes and practices to preserve continuity of service in the event of shocks?
Communications: Do institutions have strategies for communicating with their internal and external stakeholders?
Governance: Do boards and senior management demonstrate their role in oversight of operational resilience?
What is clear for institutions and FMIs in 2020 is that operational resilience will be put at the forefront of the regulatory agenda, and at a minimum this will be a ‘step change’ in any approach to business continuity, if not a paradigm shift in institutions’ and FMIs’ approach to enterprise risk management.