
Operational resilience: Countdown to the UK implementation deadline

2 March 2022


Operational resilience rules and guidance come into force on 31 March 2022 as published in the Prudential Regulation Authority (PRA) Supervisory Statement 1/21¹ (SS1/21) and the Financial Conduct Authority (FCA) Policy Statement 21/3 (PS21/3).² Despite the proximity of the deadline, there is still uncertainty around some aspects of the regulations, particularly between the application of the PRA and FCA requirements for dual-regulated firms.

What is clear is that operational resilience is front of mind for the UK regulators, appearing in both the PRA's³ and FCA’s⁴ business plans for 2022. The PRA has communicated that enhancing the operational resilience of the financial sector remains a strategic priority and that over this year it will continue to review firms’ programmes and implementation. Meanwhile, the FCA has indicated that it expects firms to be operationally resilient against multiple forms of disruption to minimise the harm caused to consumers and markets. Additionally, the FCA has indicated that it will be assessing firms’ progress in implementing operational resilience requirements and identifying areas for improvement, as well as how able firms are to remain within their impact tolerances.

This paper compares the PRA and FCA requirements, both of which need to be satisfied for dual-regulated firms, and highlights the tasks that need to be completed for the March 2022 deadline. Thus, the information below serves as a final checklist for the beginning of the transition period, and not as a detailed guide on how to implement operational resilience. This paper also does not discuss the related PRA Supervisory Statement 2/21⁵ on outsourcing and third-party risk management, which also comes into force on 31 March 2022.

Important business services and impact tolerances

By the end of March 2022 both the PRA and FCA are expecting firms to have identified their important business services and to have set impact tolerances for the maximum tolerable disruption. In finalising the regulations, the regulators have aligned the definition of "important business services," which were not well aligned in earlier consultations.

Figure 1: PRA and FCA definitions of "important business services"

PRA definition:
A service provided by a firm, or by another person on behalf of the firm, to another person which, if disrupted, could pose a risk to:
(1) (where the firm is an O-SII/where the firm is a relevant Solvency II firm) the stability of the UK financial system; or
(2) the firm’s safety and soundness; or
(3) (for Solvency II firms) an appropriate degree of protection for those who are or may become the firm’s policyholders.

FCA definition:
A service provided by a firm, or by another person on behalf of the firm, to one or more clients of the firm which, if disrupted, could:
(1) cause intolerable levels of harm to any one or more of the firm’s clients; or
(2) pose a risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

Source: PS6/21, available at https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/policy-statement/2021/march/ps621.pdf?la=en&hash=A15AE3F7E18CA731ACD30B34DF3A5EA487A9FC11.

It is worth noting the different subjects highlighted by the definitions in the table in Figure 1. This may be of particular interest to firms like reinsurers that do not have direct contact with policyholders; the regulations are clear that important business services also need to be considered from the perspective of disrupting the firm’s own safety and soundness as well as the UK financial system and potential policyholders, where PRA-regulated, and the firm’s clients in general, where FCA-regulated. However, the PRA has removed the requirement to consider the impact on financial stability of the UK markets for small and medium firms in its final policy statement. Therefore, a business service should be thought through to an underlying consumer even if the contact is not direct.

Another area the regulators have been clear and aligned on is that important business services should not include internal services, such as payroll, and should consider services that deliver a specific outcome as opposed to a business line which represents a collection of services. For example, protection insurance would not be considered an important business service as it is made up of several underlying business services such as claims services, quote services and complaints handling, to name a few.

The FCA Handbook goes into significantly more detail on the types of questions to ask when determining whether a service is considered important. They may be useful considerations even from a PRA regulation perspective in determining whether a business service is important. For example:

  • The substitutability, availability and accessibility of your service from other providers
  • Time criticality of the service to clients, with the potential of creating knock-on effects in the financial system
  • Potential to cause reputational damage and hence damage the firm’s safety and soundness

For some of these points the PRA goes into more detail within SS1/21,¹ but not in the PRA Rulebook itself.

Each important business service is expected to have an impact tolerance level set. However, for dual-regulated firms there may be business services that require different impact tolerance levels to satisfy both PRA and FCA statutory objectives. In this case, one impact tolerance should be set at the first point at which there is an intolerable level of harm to consumers or risk to market integrity, to meet FCA objectives. Another separate tolerance is expected to be set at the first point at which financial stability or a firm’s safety and soundness is put at risk or where policyholder protection is affected, in order to meet PRA objectives. It may be that both objectives can be met with the same impact tolerance level. However, expect to be able to justify the appropriateness of this decision to the regulators.

Another scenario may emerge where an important business service is identified to pose a risk only to the FCA consumer harm objectives, for example. In this case, the identified important business service would not be in the scope of PRA policy and would not require an additional impact tolerance considering PRA objectives.

Figure 2: PRA and FCA definitions of "impact tolerance"

PRA definition:
The maximum tolerable level of disruption to an important business service or an important group business service as measured by a length of time in addition to any other relevant metrics.

FCA definition:
The maximum tolerable level of disruption to an important business service, as measured by a length of time and any other relevant metrics, reflecting the point at which any further disruption to the important business service could pose intolerable harm to any one or more of the firm’s clients or risk to the soundness, stability or resilience of the UK financial system or the orderly operation of the financial markets.

Source: PS6/21, available at https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/policy-statement/2021/march/ps621.pdf?la=en&hash=A15AE3F7E18CA731ACD30B34DF3A5EA487A9FC11.

An interesting point is raised in the regulators’ responses to feedback on their earlier consultation papers. Although it is plausible that a particular important business service could be affected by multiple disruptions over a short period, or multiple services disrupted by the same disruption, the regulator still expects impact tolerances to be set at one level per business service and regulatory objective. This is a welcome bit of clarity that allows the focus to be on one business service and one impact tolerance at a time instead of conducting an exercise that could very easily balloon into becoming unmanageable. However, the ultimate aim, by no later than March 2025, would be for firms to demonstrate that they are able to remain within impact tolerances, even where multiple events impact one important business service, or multiple business services are disrupted at the same time. Thus, it remains necessary to consider aggregations and contagion when setting an impact tolerance level for each important business service. For example, multiple important business services could be impacted by a weather event that affects power lines and communication channels at the same time; it is necessary to consider how the interaction of such a disruption could be amplified and tolerance levels set accordingly.

PRA-regulated firms are expected to have their important business services and impact tolerances approved by their board. Boards are expected to ensure they have the appropriate management information and adequate knowledge, skills and experience to provide constructive challenges to senior management and to inform decisions that have consequences for operational resilience. This is not a formal requirement within the FCA Handbook; however, for both regulators the self-assessment document (see below) needs to be board-approved. This approval should contain a written record of the firm’s important business services and impact tolerances along with justification. Additionally, the FCA require boards to be able to demonstrate appropriate and effective oversight of a firm’s operational resilience and to be able to evidence that they are satisfied that the firm is meeting its responsibilities. Therefore, it would be prudent for FCA-regulated firms to follow a similar approach.

However you decide to set your important business services and corresponding impact tolerances, be prepared to be able to justify your decisions with detailed customer analysis and market data to substantiate the assessment. Even your definition of "intolerable harm" may be scrutinised by the regulators. Therefore, we recommend that all decisions are well documented. The regulators are not expecting this information to be submitted; however, it should be available on request from end-March 2022.

Mapping and scenario testing

For each important business service, a mapping exercise is required to identify the people, processes, technology, facilities and information required to deliver on it. Additionally, regular scenario testing is required to demonstrate a firm’s ability to remain within the set impact tolerances.

Neither the mapping nor the testing exercise is required to be completed “to the full extent of sophistication”⁶ by March 2022, but both should be completed to a level of granularity sufficient to identify key areas to support the resilience of important business services. The regulators expect these analyses to mature over time and to be fully sophisticated by no later than March 2025. This requirement is detailed by the FCA within the FCA Handbook as a transitional provision and by the PRA within SS1/21.¹

Reading between the lines, our interpretation is that the regulators expect firms to have considered their mapping and scenario testing exercises sufficiently to understand where the knowledge gaps are, so that they can develop a prioritised plan to close these gaps over the transition period. The goal is for the mapping and scenario testing exercises to help identify vulnerabilities in operational resilience; if they do not, it is very likely that the exercises have not been performed at the correct granularity. Scenario testing against severe but plausible operational disruption should be considered and completed for at least some of the important business services identified by March 2022. We would encourage firms to consider a cyberattack scenario as a priority, as the PRA have indicated that this is a particular area of concern, within their business plan as well as at industry events. Any plans to close the gaps should be put into effect before 31 March 2022.

Self-assessment

Both the FCA and PRA require a self-assessment to be available on request from the start of the transition period at the end of March 2022. It is important to note that the regulators are expecting this document to be fully operationalised at that time. While two self-assessment documents are not explicitly required, dual-regulated firms should bear in mind that this document will need to address both PRA and FCA statutory obligations.

On this topic, the PRA Rulebook and FCA Handbook are aligned in that both require the self-assessment document to be approved and regularly reviewed by the board. While PRA guidance on what a self-assessment document should look like is minimal (instead leaving it up to firms to define what works for them), the FCA Handbook provides a list of the information that should be included. This can be used as a final checklist for firms that have already started their self-assessment reports, or as a prompt for those still needing to complete this document by end-March 2022.

Conclusion

There are a number of items that need to be in place with regard to operational resilience for the transition period, which starts at the end of March 2022. For dual-regulated firms this is complicated by needing to consider the statutory obligations of both the PRA and FCA. Apart from the regulatory checklist exercise, it is important to bear in mind that being truly operationally resilient requires a change in perspective.

Operational resilience regulations are intended to be a lens on business operations that is completely different from business continuity approaches of the past. The thought process needs to move away from considering what could go wrong and instead accept disruption as inevitable, rather than as an excuse not to continue delivering on a firm’s purpose. This is also a shift away from operational risk management, which focusses on likelihood, and towards an outcomes-based approach that focusses on firms building their operational strength, which is indifferent to likelihood.


1 PRA Supervisory Statement 1/21. See https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss121-march-21.pdf?la=en&hash=C69464DA1603A288F387ADF55F2596004D8640FC.

2 FCA Policy Statement 21/3. See https://www.fca.org.uk/publication/policy/ps21-3-operational-resilience.pdf.

3 PRA (12 January 2022). International Banks Active in the UK: 2022 Priorities. Dear CEO letter. Retrieved 27 February 2022 from https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/letter/2022/january/artis-2022-priorities.pdf.

4 FCA Business Plan 2021/22. See https://www.fca.org.uk/publication/business-plans/business-plan-2021-22.pdf.

5 PRA Supervisory Statement 2/21. See https://www.bankofengland.co.uk/-/media/boe/files/prudential-regulation/supervisory-statement/2021/ss221-march-21.pdf.

6 FCA Handbook. See https://www.handbook.fca.org.uk/.


Adél Drew
