Navigating the road to operational resilience: A critical milestone for financial firms

The regulatory environment, as outlined in supervisory statement SS1/21 (Operational resilience: Impact tolerances for important business services), mandates that by March 2025, financial institutions must demonstrate their ability to remain within impact tolerances for all their important business services (IBS).

The opinions expressed here are those of the authors. They do not necessarily reflect the views or positions of UK Finance or its members.

This article explores the key elements and challenges involved in meeting these operational resilience requirements. 

Building a clear plan: To prepare for the March 25 deadline, financial firms must create or review their list of IBS. Next, they must build a clear plan to identify and remediate vulnerabilities that could potentially impact the delivery of their IBS. This involves a comprehensive understanding of the resources required for each IBS and running tests using severe yet plausible scenarios to identify any vulnerabilities. Plans are then developed to remediate these areas. Firms must consider cyber-related disruptions, which are highlighted as essential scenarios for testing to ensure both the ability to withstand and recover from such incidents.

Role of boards and senior management: Boards and senior management play a pivotal role in overseeing the delivery of their firms' operational resilience programmes. Under SMF 24 the chief operating officer should hold overall responsibility for implementing operational resilience policies (Prudential Regulation Authority, March 2021). Their leadership is essential in ensuring that the plan is not only established, but effectively implemented and continually improved. The lessons learned from responding to operational disruptions, whether through cyber incidents or other challenges, are invaluable in refining and strengthening the overall resilience framework. 

Evolving maturity and sophistication: Over time it is anticipated that regulation in this area will become more prescriptive. Firms must consider how they will demonstrate the continued improvement in maturity and sophistication of their operational resilience management systems, processes and capabilities.  

International collaboration: Recognising the global nature of the financial industry, the regulatory framework emphasises collaboration with home state supervisors for subsidiaries and branches. This means that all areas of a business that support the delivery of IBS need to be covered by a single, uniform operational resilience approach and subjected to an appropriate level of testing.

Third-party engagement: As financial firms increasingly rely on third-party providers (who may themselves have dependencies and undergo significant change), the importance of actively managing these relationships cannot be overstated. Compliance with supervisory statement SS2/21 (outsourcing and third-party risk management) is crucial in mitigating the risks associated with third-party engagements, including those providing or utilising cloud computing capabilities. Firms must notify the PRA of material arrangements and actively consider the impact of outsourcing and third-party relationships on IBS, aligning with the directives of SS1/21. Furthermore, firms must ensure that they are giving adequate consideration to the interplay between the requirements of SS1/21 and SS2/21 such that their approach to managing third parties meets the requirements of both supervisory statements.   

RTGS core ledger replacement: The replacement of the real-time gross settlement (RTGS) core ledger scheduled for June 2024 adds another layer of complexity to the operational resilience landscape. All RTGS account holders, particularly participants in payment schemes, are expected to manage these changes appropriately. Participation in the Bank of England's testing and go-live activities becomes imperative to ensure a seamless transition. 

Summary: 

With the operational resilience deadline just over a year away, a proactive approach is essential for firms to meet regulatory requirements. By embracing the principles outlined in the supervisory statements, managing third-party engagements diligently, and navigating the upcoming RTGS core ledger replacement, financial institutions can solidify their operational resilience, safeguarding their ability to continually deliver crucial business services. The collaboration between regulators, boards, and senior management will be instrumental in shaping a resilient future for the financial sector. 

For firms that are currently implementing SS1/21, Be UK have a proven health check tool which is typically executed in four to six weeks. It provides insight into where operational resilience gaps may exist, highlighting IBS that may still be outside impact tolerances and where there is risk to delivery. The tool also provides a roadmap to ameliorate any gaps.

Notes to editor

References:

Prudential Regulation Authority, Bank of England. March 2021. "Operational resilience: Impact tolerances for important business services." Supervisory Statement | SS1/21 15.