Director of Consulting
Get The Getting Started with Operational Resilience Guide
With the initial deadline of March 2022 in the rearview mirror, many firms are asking “what’s next” as they continue to build operational resilience programs in alignment with the Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) published policy documents on operational resilience policy that applies to regulated organizations in the UK or firms providing services to the UK market.
As we look toward the full compliance deadline of March 2025, many firms are anxious to understand what other organizations are doing, what feedback is being provided from the FCA and PRA, and what they should be doing now to progress toward the next deadline.
Recently, David Bailey – who is the Executive Director, UK Deposit Takers Supervision, and responsible for PRA’s supervision of the UK’s banks, building societies, and credit unions – made a speech surrounding his initial observations and a few challenges organizations are facing. I wanted to take this opportunity to share some of the highlights from this speech as well as highlight some of the trends we’re seeing from our clients and customers.
For those that may not be well-versed in operational resilience or the finer points of regulation in the United Kingdom, let’s take a moment to level-set. As outlined by the FCA and PRA, there are a couple key checkpoints.
1. Defining Important Business Services (IBS) and Impact Tolerances were the first major milestones with initial compliance dates of March 31, 2022.
I won’t provide a lengthy explanation of those because some of the initial feedback will be the focus of this article. Let’s also look at what’s on the horizon:
2. Performing mapping and then stress testing an organization’s ability to remain within impact tolerances is the next major milestone with compliance dates set for March 31, 2025.
Mapping seeks to help an organization understand how an IBS is ultimately delivered to end-customers and markets, as well as understand all the required resources to deliver the IBS. Stress testing is just that, designing various exercising and testing strategies that can help prove that an organization can maintain operations within set impact tolerances.
Now I want to summarize a few key themes that are highlighted in this recent speech, as well as themes that we are seeing from our customers.
Topic 1: There’s significant variance in terms of how organizations are identifying and setting their IBSs and there really isn’t a “right” answer
The PRA uses an example from payment services and highlights the different ways organizations have defined a business service. These can range from the general, such as “Providing payment services,” to the specific “Provide payment services via the Faster Payments network.” The reality here is that there is no true answer, only an appropriate answer for your organization. Let’s look at some of the checks you can perform:
The considerations above can help you determine if your IBS are set at the right level. And if you need assistance defining your organization’s important business services, download our Getting Started with Operational Resilience Guide or Book a Meeting with our team to discuss possibly leveraging a Frame Meeting to determine your important business services.
Topic 2: Setting Impact Tolerances is Difficult
One of the key challenges we’ve been hearing from clients (and is echoed in the statement from David Bailey) is that organizations are struggling with figuring out how to set impact tolerances. Different data points are likely to yield different conclusions and organizations seem to be preferencing certain types of impact over others. Let’s examine a few trends and sticking points below.
If you’re stuck and need a little help, download our Impact Tolerance Builder. It’s designed to help you effectively navigate this effort by offering a five-step framework to define impact tolerances and prepare to stress test them.
As we see feedback and trends emerging, it will be important to understand how these will influence mapping and testing activities. While the next major checkpoint and full compliance deadline is March 31, 2025, I urge firms to start mapping and testing activities now to validate their IBS and help further confirm impact tolerances. Many are working to race to the finish line, but the reality is that all core activities, including setting IBS, establishing impact tolerances, conducting mapping, and stress testing, should be informing each other. There will likely be hiccups and changes along the way but acknowledging these realities can help your organization focus on what really matters and help identify the single points of failure, hidden cracks, and vulnerabilities that really need to be remediated.
If you find yourself stuck on your operational resilience journey, Castellan is here to help. Book a Meeting with our team and let’s discuss how to best achieve your resilience goals. In addition, check out our library of operational resilience resources.
Director of Consulting
Get resilience insights delivered to your inbox.