Is the 25th March 2025, by which date those in scope of the new PRA and FCA rules must be able to operate within their Impact Tolerances, actually a deadline? As of the time of writing, it is a mere 8 months away.
The FCA’s missive on 28th May this year makes it obvious that they know that firms are not up to speed yet. “Firms appropriately identifying their important business services remains varied within the sector” and “We’ve seen a wide range of impact tolerances identified by firms, with limited rationale for when intolerable consumer harm or a risk to market integrity is reached”.
The FCA also made it clear in the same document what they expect, with statements such as “We expect remediation plans to be approved, fully funded, and appropriately governed to ensure delivery, with evidence at closure through repeated scenario tests to verify that the vulnerability has been resolved” and “You should mature your testing across severe but plausible scenarios, to enable potential identification of new and additional vulnerabilities”.
The 25th March 2025 is most certainly a deadline in so far as all in-scope firms must have achieved a set level of operational resilience by this date. This, however, leaves the gaping chasm of what happens after that. A close inspection of the Good Book does show that there are lots of awkward “at least every 12 month” reviews and updates required for just about everything in the exercise.
Does this mean the deadline is actually not really a deadline, but simply a way-point on a much longer and more uncertain journey? Together with the EU’s DORA (effective date 17th January 2025), this is giving firms a lot to think about.
In practice, these two dates look more like starting points than deadlines. Firms must get up to a set level by the starting point. Regulators, as we have seen, understand that firms are not there yet. If they were really upset that firms were not ready, you can be sure that they would already have clobbered them under SYSC 3 (“A firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business”). After these start dates, however, all bets are off, and it is highly probable that the regulators will be looking for an example “pour encourager les autres”.
Given this is an Olympic year, a reasonable analogy is that of athletes. Some of them train for years to get to the start line of their race. Without that training they would never even be considered for a place in the team. The medal tables only show what happens after the gun goes off, but it is the combination of that initial training and performance on the day that produces the result. The analogy ends there though – this is not the 100m or the 400m hurdles – this is a race that goes on as long as you want to remain in business. This makes the Marathon des Sables seem like a stroll on the beach.
So, the question remains as to how best to a) get to the start line, and b) keep going when the gun has gone off. Aldbury International is well placed to help you with both parts of this exercise. Our highly experienced team, our ability to view the situation holistically and our understanding of the challenges being faced by firms, large and small, make us an invaluable part of your Operational Resilience team.
Contact us via our website or telephone 020 3475 2953.