Operational Resilience: The Countdown

29/05/2024

The countdown is on to make sure your firm is ready to comply with the operational resilience rules by 31 March 2025. This date marks the end of the transition period, but the requirement to be operationally resilient is not a once and done activity, or something that should be seen as tick-box regulatory compliance. Instead, this should be a way of working that is embedded into a firm’s overall culture.

The FCA provided feedback to firms on 28 May 2024 which included insights and observations to support firms with their continued implementation of the rules.

In our view, this FCA feedback is helpful as it gives firms time to reflect on approaches taken so far as against the industry as a whole, and where further work might be needed. On this point, there seems in the UK to be a stark contrast to the approach being taken in Europe where the final DORA requirements are still unknown and the timeline of compliance by 17 January 2025 is proving incredibly challenging for firms.

Some of our key takeaways from the FCA feedback are as follows:

  • Important business services: When identifying important business services, all factors identified by the FCA must be considered – firms should not exclude an important business service by considering one factor alone (e.g. based on substitutability only) and should be determined without reference to response or recovery capabilities. The rationale and justification must be evidenced in the self-assessment and firms should consider including the rationale and justification for not having identified other business services as important.
  • Impact tolerances:  The full rationale for impact tolerances must be included in self-assessments to ensure the Board understands what has been set and why. The industry has primarily set these as time-bound tolerances but firms may want to consider other metrics, e.g. types of customers (including consideration of customer harm), values and types of transactions, criticality of transaction and estimated losses. Note that impact tolerances are different from recovery time objectives (which are the max time taken to recover the service) – it is common to see recovery time objectives set well within impact tolerances to ensure firms remain within tolerance.
  • Mapping: Mapping of resources and processes should mature over time to enable understanding of dependencies and interconnectivity required to deliver important business services. In our experience, mapping across teams can show a bigger picture of how things fit together and perhaps highlight vulnerabilities. Mapping is particularly important where third party providers support or deliver important business services - the firm itself is ultimately responsible for remaining within impact tolerances and therefore firms need to ensure that their third party providers are able to, and do, provide effective support in this area.
  • Scenario testing: The FCA expects scenario testing and mapping to have matured and developed in sophistication through the transition period. Effective testing plans incrementally increase the severity of disruption by both increasing the number/type of resources unavailable and the length of time of the disruption period to fully understand the effectiveness of the associated response and recovery plan. Scenario testing should be evolving from judgment, desk-based scenario tests, to a wider range of testing that provides empirical data including penetration tests, disaster recovery tests, simulations, lessons learned etc. In our experience, firms using data from real events, e.g. the LDI crisis or real cyber-incidents, can be helpful to inform scenario testing.
  • Vulnerabilities and remediation: The FCA expects remediation plans to be approved, fully funded, and appropriately governed to ensure delivery, with evidence at closure through repeated scenario tests to verify that the vulnerability has been resolved. Firms should (i) regularly review vulnerabilities, prioritising those that have the greatest potential to impact their ability to remain within impact tolerance; and (ii) mature their testing across severe but plausible scenarios, to enable potential identification of new and additional vulnerabilities – in our view, it is important here to consider all eventualities (e.g. considering the different ways a third party provider might respond in a given scenario).
  • Response and recovery plans: Reviews of self-assessments showed limited evidence of the testing of response plans, and firms primarily relied on recovery to understand if they could remain within their impact tolerance.
  • Self-assessment: The self-assessment should detail a firm’s journey to becoming operationally resilient. These should mature and develop over time as firms develop their resilience, response, and recovery capabilities. Good examples of self-assessment documents allow governing body members to understand their firm’s position and roadmap to resilience. They include an overview of vulnerabilities found, scenarios tested (with the outcome of those tests), remediation plans, and the firm's strategy to ensure they can remain within impact tolerances for all important business services no later than 31 March 2025.
  • Horizon scanning: It is important to ensure that risks from firms’ severe but plausible scenarios are refreshed regularly. Horizon scanning to establish an understanding of new and emerging risks, and the proximity of impact, are key to ensuring testing is appropriate and that controls are in place to detect, respond and recover from operational disruptions, both current and in the future.

We would be very happy to discuss examples of good and bad practices that we have seen in the market in relation to compliance with the rules. Please do contact Joy Davey or Angela Greenough directly to discuss.