Operational Resilience: Preparing your first self-assessment
The UK supervisory authorities (the Bank of England, PRA and FCA) published policy statements in March 2021 aimed at building the UK financial sector’s operational resilience. These policies followed a lengthy discussion and consultation period (2018-2021) between the regulators and the financial services industry on the ability of individual firms, and the financial sector collectively, to prevent, adapt, respond to, recover from, and learn from operational disruptions.
The objective of the Operational Resilience regulation is to build the resilience of the financial sector so that it is better able to absorb operational shocks and continue to provide ‘important business services’ during periods of disruption.
While the policies are largely principles-based, there are some minimum requirements that all firms need to meet ahead of the implementation deadline (31st March 2022), the culmination of which needs to be reported in a board-approved self-assessment.
With only five months to go, the deadline for policy implementation is looming. Firms have already had three years to prepare for this, but how many are actually ready to submit their first regulatory self-assessment?
What is the self-assessment?
The supervisory authorities require that firms make, and keep up to date, a written record of their assessment of their compliance with the rules.
The self-assessment document should show firms’ resilience journey, including the steps that they have taken to assess the impact of the regulatory policies, enhance frameworks, and embed the required methodologies to fulfil the regulator’s expectations. This should include, but is not limited to:
1. The Important Business Services identified by the firm and the justification for the determination made. These are the services that, if disrupted, would most likely cause intolerable levels of harm to organisations, consumers, or the integrity of the wider market.
2. The firm’s impact tolerances and the justification for the level at which they have been set by the firm. This is the maximum level of disruption to an Important Business Service that could be endured before intolerable harm is caused.
3.The firm’s approach to mapping, including how the firm has used mapping to:
a) identify the people, processes, technology, facilities, and information necessary to deliver each of its Important Business Services;
b) identify vulnerabilities; and
c) support scenario testing.
4. The firm’s testing plan and approach (using severe/extreme yet plausible scenarios), with a justification for the plan/approach adopted, used to assess whether Important Business Services can be resumed within impact tolerances.
5. Details of the scenario testing carried out.
6. Details of any lessons learned exercises conducted, along with any findings.
7. An identification of the vulnerabilities that threaten the firm’s ability to deliver its Important Business Services within the impact tolerances set, including planned remediation actions with prioritisation and justification for the priority assigned.
8. A communication strategy and an explanation of how it will enable a reduction of the anticipated harm caused by operational disruptions.
9. The methodologies used to undertake the above activities.
10. Details of the ongoing strategy, roadmap and plan to implement and embed the operational resilience requirements into the organisation.
Self-assessment documents will differ for each firm depending on their size, the markets in which they operate, the clients they serve, etc. Figure 1 below sets out an example Table of Contents for the self-assessment.
When does the self-assessment need to be submitted?
The self-assessment document does not need to be submitted on a specific date or in a particular format. It only needs to be provided to the supervisors on request or made available for inspection as part of firm engagement. The supervisory authorities have said that the earliest date at which they will formally request the completed self-assessment document will be 31st March 2022.
The self-assessment should be reviewed and updated regularly or following significant changes to the business. During the transition period, it would be sensible to review the self-assessment annually.
Firms must also retain each version of their self-assessment for at least 6 years and, on request, provide these to the supervisory authorities.
How involved does the Board need to be?
Board members do not need to be experts in operational resilience. They should, however, be able to challenge management teams to ensure that the right culture is in place to support the delivery of operational resilience and to certify that investment is being targeted at areas that, if disrupted, would cause the greatest harm to customers, the firm, or the market.
Boards have the explicit remit of ensuring the effective governance of their organisations, including full oversight on matters affecting financial and operational resilience. Indeed, the policy statements clearly state that “Boards, or the firm’s management body, should review and approve the self-assessment document regularly.” This includes the review and approval of important business services and the associated impact tolerances.
Clearly, senior management will require early engagement prior to the approval of the first self-assessment. This could take the form of comprehensive dashboards that outline the resilience of end-to-end services, as well as the resilience of underlying resources (people, processes, technology, facilities, information, and third parties). Effective top-down governance will help to break down silos between risk, IT and operations and encourage a holistic approach to improving operational resilience across the firm.
Self-assessments are, by their very nature, designed to encourage self-evaluation and continuous improvement through lessons learned. Operational Resilience self-assessments are no exception and should reflect a true and fair account of the operational resilience journey that firms are on.
Firms should share their recent achievements (e.g. by setting out a clear vision and strategy for operational resilience, identifying important business services, etc.), but should also reflect on areas for development (e.g. important business service maps might need to be enriched; impact tolerances might need to be recalibrated during the transition period; the Operational Resilience framework may still need to be embedded into BAU, etc.).
Done badly, operational resilience self-assessments are just another burdensome regulatory reporting task, requiring significant time and energy but adding little value. Done well, self-assessments can be used as a strategic tool to drive efficiencies to key operational processes, identify opportunities to accelerate automation, enhance risk management and control testing activities, and improve information and reporting to top-level governance.
Being truly operationally resilient may even become a market differentiator as customers proactively seek out firms that can deliver better efficiencies, drive better performance, and improve customer outcomes. The self-assessment can again be used as a vehicle here to drive continuous improvements in performance and customer outcomes.
For practical advice on how to write your firm’s self-assessment, please get in touch with Ben Mason, Eleanor Birt or Rob Haywood.