What’s Next After Completing Your Operational Resilience Self-Assessment?

By now, if you’re a financial institution in the UK, you should be well aware of the new requirements for operational resilience that went into effect earlier this year.

The Financial Conduct Authority (FCA), the Bank of England (BoE), and the Prudential Regulation Authority (PRA) announced these new requirements a year ago to improve the operational resilience of financial services in the UK.

The requirements include reviewing operational resilience capabilities, including mapping and testing for impact tolerances for important business services. Going forward, organisations are expected to operate within those impact tolerances.

The new guidelines are applicable to organisations such as banks and investment firms, but also payment services, insurers, investment exchanges, electronic money services, building societies, and others.

While the first deadline for self-assessments has come and gone, the resilience journey for these organisations is just beginning. Organisations must now look forward to ensuring compliance and readiness by the 2025 deadline. As of now, that’s the most important date on the calendar for these FCA requirements.

The Impact of Resilience Management

Looking forward, how do you sustain compliance now and in the years ahead? These new requirements aren’t about being at a full operational resilience capability immediately. Instead, they’re driving financial institutions to identify and remediate resilience gaps for those important business services, a process that will likely evolve and become more complex over time.

In terms of operational resilience compliance, it’s about identifying important business services, understanding impact tolerances for those services, and understanding which severe, but plausible, scenarios may affect working within those impact tolerances.

Going forward, organisations should develop and mature strategies and capabilities to keep their services within impact tolerances, including a plan for when and how to alert customers and stakeholders to incidents, and how, if a disruption occurs, to draw on lessons-learned for continuous operational resilience improvement.



What is operational resilience?

When we’re talking about operational resilience, whether specifically relating to these financial services regulations or across all industries, it’s about enabling your organisation to bend, but not break, when faced with a disruption.

Why is this important? Because being able to successfully conduct business services, no matter the disruption type, scale, or length, is a critical component of business success that not only impacts your internal operations, but also your customers and your market.

In short, the UK financial services guidelines direct organisations to:

  1. Identify important business services and understand which of these services could negatively impact your customers and the market. Ask: if our organisation lost the ability to perform this service, would the disruption:
    1. Cause a market disruption with catastrophic consequences for large groups of people?
    2. Cause catastrophic consequences and unacceptable harm to your most vulnerable customer(s)?
    3. Potentially threaten your organisation’s viability?
  2. Establish impact tolerances for severe, but plausible, disruptions that could affect these services.
  3. Conduct mapping exercises to understand who (people, technology, processes, etc.) delivers these important services.
  4. Conduct testing/exercises to ensure your organisation remains within impact tolerance during a severe but plausible disruption.
  5. Identify lessons learned from the testing/exercises to identify gaps or other issues that might prevent your organisation from operating within your impact tolerances and remediate them.
  6. Strengthen response and recovery planning based on those lessons.
  7. Create internal and external communication strategies for managing and responding to disruptions.
  8. Complete an ORQUEST, which is an FCA operational resilience self-assessment about operational resilience capabilities.

Post-Assessment, What Now?

By the end of March 2002, UK financial services organisations were directed to have their boards approve their operational resilience self-assessments, as well as action plans to ensure implementation of all of the new operational resilience requirements before March 31, 2025.

In early May, David Bailey, Executive Director for UK Deposit Takers Supervision, gave updates about how financial institutions are faring on this resilience journey, as well as what to expect moving forward.

One point he clarified relates to the use of third-party services to help organisations with these new requirements. While permitted, he indicated it’s important for organisations to understand that their boards and senior executives, not the third parties, are still responsible and accountable for these resilience requirements. As such, he advised that those key stakeholders take a close look at the dependencies they have related to working with those third parties.

The update also included a review of progress so far. While this work is still at a relatively early stage, he noted generally positive movement in organisations effectively identifying their important business services. However, many organisations are struggling with defining impact tolerances.

Going forward, UK-based financial institutions can expect they will need to do the work to gather information about judgments they make as part of these processes. This will likely include peer group reviews and comparisons to gain a better understanding of how firms operate in terms of resilience management.

Organisations are also expected to move beyond the first stage of important business services (IBS) testing, mapping, and setting impact tolerances, to adopting relevant frameworks and controls by that 2025 deadline, and to making plans to remediate the vulnerabilities those testing processes identify.

Meeting and Maintaining Compliance

By now, your organisation should have completed its self-assessment, and you are now likely thinking about what you have to do to achieve and maintain compliance.

But, how do you do that? How do you ensure your organisation matures your operational resilience program while meeting all of the FCA requirements?

One important piece of this puzzle going forward will be to ensure your organisation has processes established to routinely carry out mapping and testing related to your important services, ensuring your important services list remains accurate and up-to-date, while also establishing that you’re continuously operating within your established impact tolerances.

While doing so, your organisation may identify a range of vulnerabilities, weaknesses, and other performance gaps that introduce known or new risks into your environment. This is especially important when your organisation undergoes any significant changes, as well as when there are events or issues that directly affect the financial services market. If there aren’t any known significant changes, still undertake this process at a minimum of once a year.

You might also find it beneficial to partner with a third-party consultant who can conduct an assessment of your program for you. It can often be helpful to have an outside perspective, especially from a professional who specialises in operational resilience, evaluate your program with fresh eyes to identify gaps or challenges your team may overlook. A consultant can also help build a short- and long-term roadmap to ensure you stay on track for your compliance requirements, including remediation actions, even if your requirements or your environment change or become more complex over time.

Also, be sure that you have a flexible and well-established communications plan that can help your organisation react and respond to, and ultimately recover from, any disruptions that may happen.

Remember, if you do have to make program changes that affect your important services and impact tolerances, don’t forget you’ll need to keep that FCA self-assessment updated to reflect those changes. Consider that a living document that should always reflect your program’s current state and where you are on your framework roadmap.

Does your organisation need help with establishing or maintaining an operational resilience program? Contact a Castellan advisor today and we’ll be happy to help.
