Thu, Dec 5, 2019
FCA Consultation Paper 19/32 – Building Operational Resilience
Executive Summary
Dec 05, 2019
Guidance for Firms on COVID-19
Mar 31, 2020
FCA Consultation Paper 19/32 – Building Operational Resilience
Dec 05, 2019
ESMA Launches a Common Supervisory Action with NCAs on MiFID II Suitability Rules
Feb 05, 2020
Post Brexit – Provision of Services in the EU
Jan 31, 2020
ESMA Consults on Guidelines on the Assessment of Leverage Related Systemic Risks and Leverage Limits
Mar 27, 2020
Two Non-Executive Directors Appointed to the Financial Conduct Authority (FCA) Board
Feb 06, 2020
ESMA Publishes the Final Report on MiFIR Alignments Following the Introduction of EMIR Refit
Feb 07, 2020
Sustainable Financial Markets – Translating Changing Risks and Investor Preferences into Regulatory Action
Feb 12, 2020
Sheldon Mills Appointed as Interim Executive Director of Strategy and Competition
Feb 13, 2020
ESMA Finds Continued High Risks as Markets Remain Highly Volatile
Feb 19, 2020
FCA Publishes the Number of STORs Received in 2019
Feb 28, 2020
FCA Speech – Enforcement Penalties and Remediation
Feb 13, 2020
- View all articles

The FCA published in December 2019 consultation paper (CP) 19/32 “Building operational resilience: impact tolerances for important business services”. The consultation affects firms such as banks, Prudential Regulation Authority designated investment firms and enhanced scope Senior Managers & Certification Regime firms (SM&CR). Core SM&CR investment firms are not in scope of the rules proposed in the CP. However, the thinking articulated therein, summarized below, may be of interest to core SM&CR firms, given recent experiences in relation to the COVID 19 pandemic.
The CP proposes new requirements aimed at enhancing operational resilience, which do not conflict with existing requirements in relation to operational risk or business continuity planning. The FCA believes that focusing on the possible impact of disruption to business services, by setting impact tolerances, should help firms make better-informed strategic, operational and investment decisions. Identifying important business services also allows firms to consider alternative ways the services may be delivered to facilitate business continuity, in a way that monitoring individual processes cannot.
Important business services should be clearly identifiable as a separate service, and not a collection of services. The users of the service should be identifiable so that the impacts of disruption of the service are clear. Firms should identify their important business services at least annually. The CP proposes that in-scope firms identify their important business services that if disrupted could cause intolerable levels of harm to consumers or market integrity.
Firms should set impact tolerances at the first point at which a disruption to an important business service would cause intolerable levels of harm to consumers or market integrity. Setting impact tolerances forces firms’ senior management to accept that disruption to business services is inevitable, which needs to be actively managed. Impact tolerances are expressed by reference to specific outcomes and metrics, which should always include the maximum tolerable duration and could also include other metrics of disruption, such as the number of customers affected or the level of reputational damage. In-scope firms are expected to remain within their impact tolerances.
Furthermore, firms should map the people, processes and technology which support a firm’s important business services. Mapping an important business service helps identify vulnerabilities in the delivery of that service and enables firms to act to remedy these weaknesses.
Firms should test their ability to remain within their impact tolerances through a range of severe but plausible disruptions to services, and document the lessons learnt from such testing. Firms should focus on the response and recovery actions required to continue the delivery of an important business service, assuming a disruption has occurred. Testing plans should be accompanied by a lessons learned exercise, so that firms can learn from their experiences as their operations and technology changes over time.
In-scope firms should also have in place internal and external communication plans to guide them in the case of disruption. Such plans help firms to reduce the harm caused by operational disruptions by providing clear and timely communications.
Firms should establish clear lines of responsibility for the management of operational resilience from an SM&CR perspective. Firms should also be able to demonstrate to supervisory authorities that they are meeting their responsibilities in respect of operational resilience, through a self-assessment document setting out for example the firm’s;
- important business services,
- impact tolerances,
- approach to mapping,
- strategy for testing its ability to deliver important business services,
- lessons learned exercise.
The consultation paper consultation period was due to close in April 2020 but has been extended as a result of the Coronavirus crisis until October 2020.
Financial Services Compliance and Regulation
End-to-end governance, advisory and monitorship solutions to detect, mitigate, drive efficiencies and remediate operational, legal, compliance and regulatory risk.
Compliance Consulting
Expert compliance support for a variety of firms including hedge funds, private equity firms, wealth managers, corporate finance and broker-dealers.
UK Compliance Services
Comprehensive compliance and regulatory support for FCA authorized firms.
European Compliance Services
Comprehensive compliance and regulatory support for EU firms.