With time running out until new operational resilience rules come into force, we recognise many of our clients are realising how much ground they still need to cover.
In March 2021, UK regulators set out their final rules and guidance on new requirements to strengthen operational resilience in the financial services sector. By March 2022 firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so.
As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have completely mobilised the new framework and performed mapping and testing so that they are able to remain within impact tolerances for each important business service.
As the countdown continues and the first deadline looms large, we remind clients that it is important to remember that operational resilience is not Business Continuity Management plus. It requires much deeper thinking from financial services firms. We have been engaging with the regulators explaining already the inherent challenges and pit falls our clients are experiencing as they prepare for the new rules.
Don’t follow a “bolt-on” approach
A common problem we find is that those tasked with this project lack the skills and experience to deal with the sophistication of the analysis required but inherit it as a “bolt-on” to their many other responsibilities. For many COOs there is a temptation to see this as BCP+, which is usually well documented. But this “internal analysis” makes developing a coherent strategic framework extremely problematic, particularly when it comes to keeping within impact tolerance when faced by a really serious but plausible disruptive event.
One of the most challenging aspects of the new framework is to view everything from the customer perspective, articulated through the Important Business Service concept.
In developing your framework, it is important to demonstrate that you can show a clear understanding of how to keep delivering these services, when things are out of your control. This means firms must make an assessment of those services which rely on the services of outsourced providers and stress test their continuity and crisis plan. It is no longer acceptable to take at face value their assurances.
Show your working
Keeping records is always vital in helping to explain why a certain course of action was taken, if subsequently challenged. The framework you build needs to fit your context and so firms must capture what their context is, the rationale for their approach and why it is reasonable “at this moment”. As back-filling information after the fact is likely to be patchy and inaccurate, it is important firms show their working to avoid being caught out by the regulator down the line.
One element that firms struggle with is to show how senior management, who have overseen the process have satisfied themselves that the approach is correct. Without clear evidence of this challenge and review, it will be difficult to substantiate that the process is built on strong foundations.
Test and Train
The same applies to stress-testing. Firms should be testing their methodology now to ensure it is effective. Without that level of assurance early in the process, there is a risk of running into significant challenges further along the journey once the rules come into force.
Our GHOST approach to exercising is the market leading way to run these early tests, getting the validation the regulators are looking for, as well as training your leaders in crisis management.
Seize the opportunity
The new operational resilience rules must be taken seriously and work to meet them undertaken carefully. Firms have a few months left to ensure they have properly delegated tasks and resources, applied adequate stress-testing and a completed audit trail.
We stress to our clients that this is an opportunity to significantly increase their understanding of their business, reassess strategy and priorities, and to enhance their competitive advantage in the process.