As the UK regulators impose deadlines around the Operational Resilience legislation, firms must act quickly to establish a compliance strategy.
Our first article discussed the anticipated changes presented by the FCA and PRA consultation papers on Operational Resilience. Now that both regulators have published their policy statements, a more definitive picture of the impact on financial institutions can be drawn. This article dives into the specifics of the requirements, which demand immediate attention given that the deadline is as soon as March 2022.
Focusing on Consumer Harm
The Operational Resilience regulatory supervisory statement was published on 29th March 2021, and firms are expected to urgently launch strategies to ensure regulatory readiness. In addition to ensuring the resilience of internal operations, regulators now require firms to guarantee that their clients and operating market are also safeguarded against adverse impacts caused by disruptions to their business.
The new regulation extends Business Continuity Planning and Disaster and Recovery Resolution guidelines to focus on end consumer harm. It heavily emphasises three core themes that make it differ significantly from the existing regulatory environment:
- The new framework mandates focus on conduct risk and consumer harm, in addition to prudential risk management.
- There is a stronger emphasis on third-party risk management, including cloud, core tech and services providers, and distributors.
- Regulators see Operational Resilience differently from Operational Risk and Recovery and Resolution Planning. Resilience preparation must assume that a risk event has already occurred, rather than address a risk that might occur in the future.
Requirements at a Glance
Firms must integrate the above themes into their approach as they address the four primary pillars of the Operational Resilience regulatory requirements:
Understanding the Timeline
The policy specifies two regulatory deadlines, 31st March 2022 and 31st March 2025. The primary difference between the requirements for these dates is the difference between planning and implementation.
The regulators expect firms to have completed scoping and planning by 2022. Firms must have defined their methodology for identifying important business services and their vulnerabilities, determined testing scenarios, and understood what gaps exist and what remediation plans will look like. In addition, testing must be run on a subset of the important business services to a level of sophistication that could be easily articulated to the regulators.
By 2025, the expectation is that firms have reached demonstrable readiness. This includes implementing the majority of a firm’s Operational Resilience roadmap and being able to demonstrate Operational Resilience has been considered in investment decisions.
Industry Talking Points
As UK financial institutions swiftly mobilise their operational resilience programmes in response to the policy statements, common questions are being raised by players across the industry. Delta Capita provides insights on what we believe to be key challenges.
How Delta Capita can help
Delta Capita has a team of C-Level banking executives and former SMFs with unparalleled expertise, allowing us to help advise and shape our clients’ strategy across all aspects of Operational Resilience compliance, supporting activities such as governance and framework development, important business services mapping, operating model design and testing strategy definition.
Our team comes equipped with project accelerators such as business service mapping best practices, success criteria checklists, draft communication plans, and delivery frameworks which can all be adapted to our clients’ requirements to further accelerate delivery speed.
If you are interested in finding out more, contact us to speak directly with our experts.
Karan Kapoor – Head of Regulatory Change and Regtech
Gideon Ezra – Graduate Consultant