The FCA’s Policy Statement on Operational Resilience Has Been Published – Here’s What The Aldbury International Team Have to Say
The FCA, in partnership with the Bank of England and the PRA, yesterday released its long-awaited and, ironically, COVID-19-delayed Policy Statement on Operational Resilience. This Policy Statement followed on from the Consultation released in December 2019 (CP 19/32), which itself followed on from a Discussion Paper (DP 18/04) released in July 2018. This long gestation period, interrupted by the mind-concentrating global pandemic, has resulted in a well-balanced and much-needed review of the way firms handle and cope with significant disruptions to their business.
A New Perspective
The new rules concentrate on ensuring firms can provide their “important business services” to clients rather than concentrating on how a firm survives the “event”. While superficially the same thing, this is a reciprocal way of approaching the issue and ensures the outcomes are concentrated upon rather than inputs. This is very much in line with the FCA’s concentration on potential impacts to its statutory objectives and therefore does lead to a coherence in the new rules (and there are a lot of them) that would not have been possible if it had stuck to the old Business Continuity Plan formula.
Aldbury International welcomes this approach and, with some minor quibbles, we believe the Policy Statement is a game changer that will, when put into practice, substantially improve the approach to Operational Resilience within the financial services sector as a whole. While this Policy Statement is aimed at larger firms, it is very clear that the FCA expects smaller firms to take on board the key tenets and apply them as appropriate to their businesses.
31st March 2022 Deadline
Firms have a grace period until 31st March 2022 in which to implement the new rules. This is not a long time and action, if it hasn’t already begun, needs to start immediately. The rules themselves are not prescriptive in what firms have to do but rather in the steps to be taken in approaching the issue and the evidence available to show that firms have taken them.
The Policy Statement provides a degree of flexibility and scope to allow different firms of differing size with different business models to all follow the rules. For that reason, in this note we will not cover all eventualities as there is a literally infinite number of options. We will merely review some of the highlights and key messages. Every firm will need to take a close look at the new rules to work out how to apply them in detail given their own circumstances.
In the final draft of the rules as published yesterday, there are barely any changes from the original Consultation from 2019. There are some enhanced definitions and some additional guidance, but the changes in the rules as originally drafted are minimal. The main points within the main document are therefore no great surprise and we will briefly describe them below.
As ever with the FCA, it would be foolish to ignore the commentary around the main points, for in this, one can find some little nuggets that give a clear indication of the FCA’s thinking and their expectations of firms over the implementation period and beyond.
A Summary of the Main Points
The initial work relates to the identification of firms’ important business services (services whose disruption would cause intolerable levels of harm to clients and/or the FCA’s statutory objectives). The FCA expect that “Firms should, from 31 March 2021, begin identifying their important business services”. That means tomorrow.
Having identified the important business services, their respective impact tolerances should be set at “..the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or risk to market integrity.” Impact tolerances will usually be measured in the time or duration of an event.
These are the two key projects in the first year (to 31 March 2022) and requirements for mapping processes, people, technology, facilities and information resources together with scenario testing are only expected in so far as they aid these two tasks and to “…identify any vulnerabilities in their operational resilience.” In practice however, it would be very difficult to complete these aspects of the project without effective mapping and testing while the requirement to identify “any vulnerabilities” is a significant requirement.
A further transitional period of three years (until 31 March 2025) is allowed to ensure that firms can operate within their impact tolerances at all times. This timescale indicates that the FCA tacitly understand that this is no small task.
There are further rules concerning mapping, testing, lessons learned exercises, governance and self-assessment. These are important but are details against the initial tasks.
Don’t Ignore the Commentary…
As previously mentioned, the commentary within the document is very revealing and it would be wise to take the broad hints (and frankly, some instruction) contained within the text.
The regulators recognise that COVID is not the only game in town and that however well firms may have handled this, future situations could well have very different characteristics.
The FCA expects to see a “positive change” in the numbers and types of incidents reported (under Principle 11). It would seem that they expect firms to identify more operational issues when there is an effective framework in place and report accordingly.
There is a recognition (or is it a hint of a carrot) that good operational resilience will provide firms with a competitive advantage.
There is a reminder that the real test is how firms respond to incidents that are completely out of their control.
Third-party service providers, particularly where they are involved in providing important business services, are frequently discussed. The paper does not, however, ignore “..4th/5th party providers..” Firms, in other words, must absolutely understand their supply chain and how it operates. If they can’t get to the bottom of this, they will be expected to change their providers.
It is clear that while there are deadlines in place, there is an expectation that firms should be trying to be compliant as soon as possible. This makes sense on a business level anyway.
It is accepted that key individuals will not always be available. As such the FCA has said that plans need to be in place to cover this. You will need to not only train your key individuals on crisis management but also the 2nd XI.
Several of the respondents to the Consultation requested templates for various parts of the exercise. The FCA turned this down as it would be too complex given the diversity of firms covered by the rules. They also commented in response to these requests that it would potentially lead to a box ticking mentality. Counters of beans be warned - this is a very real project and the regulator expects it to be carried out with a high degree of diligence.
Aldbury International responded to the Consultation, has been in dialogue with the FCA since submitting its response and had a number of its points specifically referred to in the Policy Statement. We are very well placed to help firms through this process.
To discover how Aldbury International can help your organisation comply with the new Operational Resilience policy from the FCA, contact the team on 0203 475 2953 or email firstname.lastname@example.org.