PRA’s Operational Resilience Roadmap: Looking Ahead to the March 2025 Compliance Deadline

With the initial deadline of March 2022 in the rearview mirror, many firms are asking “what’s next” as they continue to build operational resilience programs in alignment with the operational resilience policy documents published by the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA). The policy applies to regulated organizations in the UK or firms providing services to the UK market.

As we look toward the full compliance deadline of March 2025, many firms are anxious to understand what other organizations are doing, what feedback is being provided from the FCA and PRA, and what they should be doing now to progress toward the next deadline.

Recently, David Bailey, the Executive Director, UK Deposit Takers Supervision, who is responsible for the PRA’s supervision of the UK’s banks, building societies, and credit unions, gave a speech on his initial observations and a few challenges organizations are facing. I wanted to take this opportunity to share some of the highlights from this speech as well as highlight some of the trends we’re seeing from our clients and customers.

Level-Setting

For those who may not be well-versed in operational resilience or the finer points of regulation in the United Kingdom, let’s take a moment to level-set. As outlined by the FCA and PRA, there are a couple of key checkpoints.

1. Defining Important Business Services (IBS) and Impact Tolerances were the first major milestones with initial compliance dates of March 31, 2022.

I won’t provide a lengthy explanation of those because some of the initial feedback will be the focus of this article. Let’s also look at what’s on the horizon:

2. Performing mapping and then stress testing an organization’s ability to remain within impact tolerances is the next major milestone with compliance dates set for March 31, 2025.

Mapping seeks to help an organization understand how an IBS is ultimately delivered to end-customers and markets, as well as understand all the resources required to deliver the IBS. Stress testing is just that: designing exercise and testing strategies that can help prove that an organization can maintain operations within set impact tolerances.

Feedback

Now I want to summarize a few key themes that are highlighted in this recent speech, as well as themes that we are seeing from our customers.

Topic 1: There’s significant variance in terms of how organizations are identifying and setting their IBSs and there really isn’t a “right” answer

The PRA uses an example from payment services and highlights the different ways organizations have defined a business service. These can range from the general, such as “Providing payment services,” to the specific, such as “Provide payment services via the Faster Payments network.” The reality here is that there is no true answer, only an appropriate answer for your organization. Let’s look at some of the checks you can perform:

  • An IBS should be defined in a way that aligns to the value that is delivered
    In other words, how you define the outputs from a service informs the level of granularity required. If the output is simply “Process a money transfer,” it may be OK to keep it at a high level. Be careful, though: guidance does state that we shouldn’t bundle disparate outcomes.
  • End-to-end mapping will inform how an IBS is defined
    A huge part of operational resilience is understanding all the resource pillars necessary to deliver a service. If the processes and resources to deliver one part of an IBS are similar for different methods and there are only marginal differences, that may help the case for defining the IBS at a higher level. For example, a firm processing payments may process both debit and credit payments; however, transactions for both payment types may use the same infrastructure, resources, and network providers. It may be OK to have one IBS in this example.
  • Plausible scenario development and stress testing can also help validate your IBS list
    Additionally, once you have identified an IBS, set an impact tolerance, and performed some level of mapping, applying severe yet plausible scenarios and using those scenarios as an input to developing your testing approach can also serve as a check and balance. As long as an IBS is susceptible to similar scenarios and the testing approach would be the same, it may also make the case for defining the IBS at a higher level.

The considerations above can help you determine if your IBS are set at the right level. And if you need assistance defining your organization’s important business services, download our Getting Started with Operational Resilience Guide or Book a Meeting with our team to discuss possibly leveraging a Frame Meeting to determine your important business services.

Topic 2: Setting Impact Tolerances is Difficult

One of the key challenges we’ve been hearing from clients (and one echoed in the statement from David Bailey) is that organizations are struggling to figure out how to set impact tolerances. Different data points are likely to yield different conclusions, and organizations seem to be favoring certain types of impact over others. Let’s examine a few trends and sticking points below.

  • Firms are doing pretty well with evaluating customer and market impacts but struggle when considering safety & soundness and broader financial stability
    The recent speech highlighted that most firms have performed analysis for customer and market impact, but analysis of other domains is lacking. There is some conflicting guidance at face value, which I am certain has played into how firms are assessing these areas. We keep hearing that impact tolerance is driven by external effects and firms should be less concerned with internal impact. Safety & soundness of a firm is seemingly measuring internal impact. The reality is that we want to look at this area to the extent that disruption creates catastrophic impact or knock-on effects that would eventually affect customers, markets, and financial stability. It isn’t just a driver of purely internal impacts.
  • Looking at all the different impact domains is yielding different results
    With the different high-level categories and domains (customer, market, safety & soundness, and financial stability), clients and participants are seeing different results. Generally, customer and market impacts are occurring fairly early, but safety & soundness impacts are occurring later. This makes total sense, given that we are worried about impacts to safety & soundness at the point they could create external issues. These differences make setting impact tolerances more of an art than a science, and firms will need to employ some level of qualitative analysis to sort through disparate findings. However, there are expectations to be able to justify your decisions, so it remains a balancing act.
  • Most firms seem to be looking at days or weeks for impact tolerance
    If we look at RTOs in the business continuity discipline, we often think in terms of minutes, hours, or days, especially when we look at IT recovery. However, when we look at impact tolerances, we are seeing timeframes in terms of days, weeks, and beyond. This also makes logical sense, given that IBS are a combination of activities, processes, and resources, all of which are likely to have their own RTOs which, in aggregate, would need to be recovered in alignment with an impact tolerance. The word of caution here is to make sure that your stakeholders understand that there is a difference between RTO and impact tolerance; understanding this difference can help you avoid timeframes that are too aggressive.

If you’re stuck and need a little help, download our Impact Tolerance Builder. It’s designed to help you effectively navigate this effort by offering a five-step framework to define impact tolerances and prepare to stress test them.

Next Up

As we see feedback and trends emerging, it will be important to understand how these will influence mapping and testing activities. While the next major checkpoint and full compliance deadline is March 31, 2025, I urge firms to start mapping and testing activities now to validate their IBS and help further confirm impact tolerances. Many are racing to the finish line, but the reality is that all core activities, including setting IBS, establishing impact tolerances, conducting mapping, and stress testing, should be informing each other. There will likely be hiccups and changes along the way, but acknowledging these realities can help your organization focus on what really matters and help identify the single points of failure, hidden cracks, and vulnerabilities that really need to be remediated.

Need Help?

If you find yourself stuck on your operational resilience journey, Castellan is here to help. Book a Meeting with our team and let’s discuss how to best achieve your resilience goals. In addition, check out our library of operational resilience resources.

Michael Bratton

Director of Consulting

Michael Bratton is Director of Consulting for Castellan. Michael has consulted with a diverse range of clients spanning numerous industry verticals and sizes. He specializes in translating business and organizational requirements into recovery strategies and response frameworks that help organizations effectively respond to disruptions. Michael has worked with numerous organizations to implement new programs, but also has a long-standing base of clients where he continues to serve as an active and trusted advisor.
