
Operational Resilience - preparations for 31 March 2022

15 March 2022. Published by Whitney Simpson, Of Counsel and Leigh Gapinski, Associate

The deadline of 31 March 2022 is approaching when new rules on operational resilience come into force.

Financial resilience and business continuity have dominated the boardrooms of many financial services organisations over the last decade. But as the sector embraces digital transformation, accelerated in part by Covid-19 and with heavy reliance on technology, cloud solutions and outsourced IT services, attention has shifted to operational resilience.

What is operational resilience? Think of it as cartilage.

In their 2018 discussion paper, the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) define operational resilience as the ability "to prevent, respond to, recover and learn from operational disruptions". Clear as mud, right? 

Basically, it's a bit like cartilage. In a healthy human body, cartilage acts as a cushion and provides flexible support to joints and bones. Operational resilience works in the same way and essentially gives structure and processes to a business, enabling it to absorb shocks resulting from volatility and disruptions (whether arising from external or internal events or circumstances). These may include economic shocks, cyber-attacks, or technological failures. Operational resilience seeks to ensure that organisations are prepared, enabling them to adapt and react quickly either to prevent incidents from occurring or, at the very least, to minimise their impact and disruption.

Operational resilience in the limelight: Why does it matter?

The financial services sector is core to modern day society not only in a domestic context, but also globally. With a globally connected world, the increase in cyber-attacks, (unplanned) system outages, increased reliance on digital services and the increasing complexity of systems and their interactions and interfaces, the shift in focus by regulators isn't surprising. 

COVID has been an example of why robust business continuity and operational resilience are necessary, as much of the world moved to home working overnight. It has also resulted in the rapid adoption of technology to enable and sustain new ways and locations of working. With these changes come solutions and innovations but also challenges, such as potentially increasing security, data and resiliency risks.

The rapid adoption of cloud-based services by firms (including in response to the pandemic) carries its own unique risks, as an overreliance on a select few providers can exacerbate the scale of any disruption when issues do inevitably occur. This was evidenced by Amazon Web Services' (AWS') most recent high-profile outage in December 2021, which affected everything from delivery operations to mobile banking apps.

It is a matter of record that these "concentration risks" are very much of concern to UK regulators. The BOE, the PRA and the FCA all launched consultations in 2019. In light of the pandemic and the conclusions drawn following responses (that disruptions and the unavailability of important business services have the potential to cause wide-reaching harm to consumers and market integrity), the BOE, PRA and FCA have developed in partnership a set of rules aimed at increasing the overall operational resilience of UK businesses.

Who do these new rules apply to?

The rules apply to the usual subjects (e.g., banks, investment firms, building societies and insurers), but interestingly, also impact the relatively new kids on the block - payment and electronic money institutions. 

Certain rules will become effective from 31 March 2022, so with less than a month to go, let's remind ourselves as to what is expected come 31 March.

What is the expectation come 31 March 2022?

The expectation come 31 March (or shortly thereafter should the FCA come knocking at your door) is that impacted organisations will have (and have an audit trail demonstrating):

  1. Identified their important business services. These are services which, if disrupted, could likely cause intolerable harm to their customers or the financial markets within which they operate.
  2. Set impact tolerances to effectively measure/gauge the extent to which said services are able to withstand certain levels of disruption.
  3. Mapped the resources necessary to deliver the important business services and tested their ability to remain within any tolerance levels set against a range of adverse scenarios.
  4. Developed their internal and external communications strategies.
  5. Prepared a self-assessment document showing how they will meet their operational resilience requirements.

So what's next? 

It's important to remember that this is just the first step in building an "operational resilience framework". In-scope firms are encouraged to undertake sufficient mapping and testing activities to ensure that they remain within their impact tolerances in respect of each impacted business service as soon as possible, but no later than 31 March 2025.

It is crucial, therefore, that firms stay ahead of the curve and are proactive in aligning their business functions with these incoming regulations. Certainly, for most, growing that cartilage has taken, and will continue to take, considerable time and effort!