In recent months, regulators have been cracking down on operational risk management and governance failures relating to Operational Resilience. Fines have already been handed out to large market institutions, with penalties even targeted to accountable individuals at these organisations for their breach of PRA Senior Manager Conduct Rule 2.
Contributor
Liliana joined Delta Capita in September 2021. She is a highly motivated; multilingual operations professional with a broad range of knowledge and experience within the Financial Services industry.
In recent months, regulators have been cracking down on operational risk management and governance failures relating to Operational Resilience. Fines have already been handed out to large market institutions, with penalties even targeted to accountable individuals at these organisations for their breach of PRA Senior Manager Conduct Rule 2.
Firms have been busy mobilising resources and launching large scale implementation programmes to comply with the new requirements since the publication of the operational resilience policy statements (PS21/3 and PS6/21) in March 2021. Despite this, and even with the next compliance deadlines not for another 24 months, regulators continue to scrutinise firm’s progress in addressing the subject.
Regulators are on the lookout for tangible evidence of progress in building resilience measures, and to reacting to the findings of the original assessments conducted by firms. Continuous evolution of a firm’s Operational Resilience framework is key to limit additional regulatory scrutiny. To achieve this, firms must take into consideration the fact that:
1) Firms are expected to review the number of Important Business Services subject to changes in offering or strategy, ensuring a holistic approach is taken during each annual review cycle.
2) Previously determined Impact Tolerances are expected to be tightened. Firms are expected to assume that a disruption will occur and for the metrics to be well defined and time-based. Further detailed comparisons should be undertaken across peer groups with further dialogue amongst industry participants is expected.
3) In carrying out the ongoing Scenario Testing, firms must identify new appropriate adverse circumstances, relevant to the overall risk profile and business. Significant follow-on work is required for firms to coherently test their frameworks.
However, Operational Resilience is no longer the only regulation that firms need to be conscious of when addressing this subject area. The development of new frameworks could end up complicating compliance efforts for firms who aren’t thorough in their approach to each regulation. Two key frameworks in this space are DORA and the CTP Oversight Framework:
Digital Operational Resilience Act (DORA):
Critical Third-Party (CTP) Oversight Framework:
How can Delta Capita help?
The Delta Capita team offer a comprehensive end-to-end Operational Resilience Health Check, performing quality assurance assessments and benchmarking against industry best practice, to ensure your organisations Operational Resilience programmes’ maturity and detail aligns to regulatory expectations. Our experienced team of Operational Resilience experts also provide remediation support and ongoing impact tolerance and scenario testing verification in accordance with the Self-Assessment requirements. Backed by technology partnerships, experienced industry SMEs, and project and programme delivery capabilities, the Delta Capita team provide support across the full lifespan of Operational Resilience, delivering industry best practice in regulatory compliance and project and programme delivery capabilities.
To learn more about our range of Operational Resilience services, please contact:
Karan Kapoor (Global Head of Regulatory Consulting), karan.kapoor@deltacapita.com or Michael Robertson (UK Head of Consulting), michael.robertson@deltacapita.com.