Operational Resilience Self-Assessment: Achieving the March 2022 Deadline

In March 2021, the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published policy documents about operational resilience. These were the results of a long-running consultation, and they set out the expectations that regulators have for future regulation and compliance in this area.

The publication set the clock running on an initial 12-month period in which regulated firms must make an initial self-assessment of the operational resilience status of their organisation. This needs to be followed as soon as possible after 31st March 2022, and no later than 31st March 2025, by a roll-out of operational resilience capabilities.

Within this timescale, firms “must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.” [Source]. 

With the March 2022 deadline advancing, we’ll explore what regulated firms need to provide by the cut-off date and offer some ideas to make the process easier.

What do regulators expect when it comes to operational resilience self-assessment?

There has been a lot of speculation about what UK financial regulators expect firms to deliver by the March 2022 self-assessment deadline, partly due to a decision by regulators to take an outcome-based rather than prescriptive rules-based approach.

Regulators want firms to be demonstrably operationally resilient by the end of the initial build-out process in 2025; however, how firms get to this destination is up to the firms themselves, using some signposting provided. In a nutshell, the PRA sums this up in one sentence: firms need to take action, so they are able to provide their important business services within their impact tolerances.

In terms of self-assessment, regulators do not expect firms to build out a full operational resilience capability; instead, they are looking for a gap analysis. This was explained in May by Lyndon Nelson, Deputy CEO of the Prudential Regulation Authority.

In a speech he said, “Yes, we are asking and expecting firms to have done quite a bit by 31 March 2022, but is it ultimately going to be everything that we expect firms to do? No. We understand and expect that tasks such as mapping, and testing will evolve and will grow in sophistication over time. So, by 31 March 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work.”

Developing an operational resilience self-assessment gap analysis

It seems clear from Mr. Nelson’s statement that what the regulators expect by March 2022 is an indication that firms understand what is required from them for operational resilience compliance and that they have a clear road map for how to achieve this.

The key elements to report on are:

  • Confirmation of the firm’s important business services
  • Impact tolerances for important business services
  • Severe but plausible scenarios used to ascertain that the organisation can achieve impact tolerances
  • Strategies and capabilities to ensure important business services always remain within their impact tolerances
  • When and how the organisation will provide timely incident information to customers and stakeholders
  • How the organisation will capture and use lessons learned from incidents and near-misses to continually improve the operational resilience program

Using the above as a framework for a self-assessment gap analysis, consider the following for each element:

  • Who needs to be involved in providing information for this area?
  • What information needs to be gathered?
  • What is the most effective way of gathering, storing, and managing this information?
  • Who should assess the information?
  • Who needs to develop strategies using the information?
  • Who will determine the required capabilities to implement the strategies?
  • Who will decide and approve the budget for building the capabilities?
  • Who will develop and manage the capabilities?

When working through the above questions, consider where your organisation needs senior management and board involvement, as well as internal and external stakeholders.

The importance of boards of directors in operational resilience

One of the key elements regulators look for is where and how a firm’s board is involved—and will be involved—in operational resilience oversight. The PRA provided more information on this in its March 2021 Statement of Policy: Operational resilience document, stating it will consider whether boards:

  • Have appropriate management information available to inform decisions that have consequences for operational resilience
  • Have adequate knowledge, skills, and experience to provide constructive challenge to senior management and meet their oversight responsibilities in relation to operational resilience
  • Articulate and maintain a culture of risk awareness and ethical behaviour for the entire organisation, which influences the firm’s operational resilience

Given these expectations, it is sensible to involve the board in the development of the operational resilience self-assessment, and to make sure the self-assessment clearly describes how the board will provide effective oversight of the future development of operational resilience within the firm.

How to catch up

Some firms will be on top of their self-assessments. Many may be struggling. Recruitment of employees with operational resilience experience is currently highly competitive, partly because this is a new area and there is a limited number of people with the necessary experience. To ramp things up you may need two things:

  • Assistance of a suitably experienced external partner; and
  • Support of software specifically designed to help organisations complete operational resilience self-assessments, such as Castellan

Wherever your firm is in its efforts to meet the March 2022 deadline, remember this is only the starting point. You don’t need to have your operational resilience capabilities built out by March, but that comes next…

Does your organisation need help preparing for or conducting an operational resilience self-assessment to meet the March 2022 deadline? Contact a Castellan advisor today and we’ll be happy to help you on your self-assessment and gap-discovery journey.
