Castellan brings every aspect of resilience management – from readiness to response – together in one place, so you can stop hoping and start knowing.
Now you’re ready.TM
In March 2021, The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published policy documents about operational resilience. These were the results of a long-running consultation, which set out the expectations that regulators have for future regulation and compliance in this area.
The publication set the clock running on an initial 12-month period that regulated firms must make an initial self-assessment of the operational resilience status in their organisation. This needs to be followed as soon as possible after 31st March 2022, and no later than 31st March 2025, by a roll-out of operational resilience capabilities.
Within this timescale, firms “must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.” [Source].
With the March 2022 deadline advancing, we’ll explore what regulated firms need to provide by the cut-off date and offer some ideas to make the process easier.
What do regulators expect when it comes to operational resilience self-assessment?
There has been a lot of speculation about what UK financial regulators expect firms to deliver by the March 2022 self-assessment deadline, partly due to a decision by regulators to take an outcome-based rather than prescriptive rules-based approach.
Regulators want firms to be demonstrably operationally resilient by the end of the initial build-out process in 2025; however, how firms get to this destination is up to the firms themselves, using some signposting provided. In a nutshell, the PRA sums this up in one sentence: firms need to take action, so they are able to provide their important business services within their impact tolerances.
In terms of self-assessment, regulators do not expect firms to build out a full operational resilience capability; instead, they are looking for a gap analysis. This was explained in May by Lyndon Nelson Deputy CEO of the Prudential Regulation Authority.
In a speech he said, “Yes, we are asking and expecting firms to have done quite a bit by 31 March 2022, but is it ultimately going to be everything that we expect firms to do? No. We understand and expect that tasks such as mapping, and testing will evolve and will grow in sophistication over time. So, by 31 March 2022, I would expect that you will be able to set out a compelling gap analysis. You will know where your major shortcomings are and therefore which areas need more work.”
It seems clear from Mr. Nelson’s statement that what the regulators expect by March 2022 is an indication that firms understand what is required from them for operational resilience compliance and that they have a clear road map for how to achieve this.
The key elements to report on are:
Using the above as a framework for a self-assessment gap analysis, consider the following for each element:
When working through the above questions, consider where your organisation needs senior management and board involvement, as well as internal and external stakeholders.
One of the key elements regulators look for is where and how a firm’s board is involved—and will be involved—in operational resilience oversight. The PRA provided more information on this in its March 2021 Statement of Policy: Operational resilience document, stating it will consider whether boards:
Given these expectations, it is sensible to ensure board involvement in the development of the operational resilience self-assessment, and that this clearly describes how the board will provide effective oversight of the future development of operational resilience within the firm.
Some firms will be on top of their self-assessments. Many may be struggling. Recruitment for employees with operational resilience experience is highly competitive currently; partly because this is a new area and there is a limited number of people with the necessary experience. To ramp things up you may need two things:
Wherever your firm is in your efforts to meet the March 2022 deadline, remember this is only the starting point. You don’t need to have your operational resilience capabilities built-out by March; but that comes next…
Does your organisation need help preparing for or conducting an operational resilience self-assessment to meet the March 2022 deadline? Contact a Castellan advisor today and we’ll be happy to help you on your self-assessment and gap-discovery journey.
Now you’re ready.TM
Get resilience insights delivered to your inbox.