In December 2019 the FCA published consultation paper (CP) 19/32, “Building operational resilience: impact tolerances for important business services”. The consultation affects firms such as banks, Prudential Regulation Authority designated investment firms and enhanced scope Senior Managers & Certification Regime (SM&CR) firms. Core SM&CR investment firms are not in scope of the rules proposed in the CP. However, the thinking articulated therein, summarized below, may be of interest to core SM&CR firms, given recent experiences in relation to the COVID-19 pandemic.
The CP proposes new requirements aimed at enhancing operational resilience, which do not conflict with existing requirements in relation to operational risk or business continuity planning. The FCA believes that focusing on the possible impact of disruption to business services, by setting impact tolerances, should help firms make better-informed strategic, operational and investment decisions. Identifying important business services also allows firms to consider alternative ways the services may be delivered to facilitate business continuity, in a way that monitoring individual processes cannot.
Important business services should be clearly identifiable as a separate service, and not a collection of services. The users of the service should be identifiable so that the impacts of disruption of the service are clear. Firms should identify their important business services at least annually. The CP proposes that in-scope firms identify their important business services that, if disrupted, could cause intolerable levels of harm to consumers or market integrity.
Firms should set impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or market integrity. Setting impact tolerances forces firms’ senior management to accept that disruption to business services is inevitable and needs to be actively managed. Impact tolerances are expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration and could also include other metrics of disruption, such as the number of customers affected or the level of reputational damage. In-scope firms are expected to remain within their impact tolerances.
Furthermore, firms should map the people, processes and technology which support their important business services. Mapping an important business service helps identify vulnerabilities in the delivery of that service and enables firms to act to remedy these weaknesses.
Firms should test their ability to remain within their impact tolerances through a range of severe but plausible disruptions to services, and document the lessons learnt from such testing. Firms should focus on the response and recovery actions required to continue the delivery of an important business service, assuming a disruption has occurred. Testing plans should be accompanied by a lessons learned exercise, so that firms can learn from their experiences as their operations and technology change over time.
In-scope firms should also have in place internal and external communication plans to guide them in the case of disruption. Such plans help firms to reduce the harm caused by operational disruptions by providing clear and timely communications.
Firms should establish clear lines of responsibility for the management of operational resilience from an SM&CR perspective. Firms should also be able to demonstrate to supervisory authorities that they are meeting their responsibilities in respect of operational resilience, through a self-assessment document setting out, for example, the firm’s:
- important business services,
- impact tolerances,
- approach to mapping,
- strategy for testing its ability to deliver important business services,
- lessons learned exercise.
The consultation period was due to close in April 2020 but has been extended until October 2020 as a result of the Coronavirus crisis.