Operational Resilience and Third-Party Risk Management

The operational resilience framework has occupied many waking moments of senior managers at UK financial institutions for the past three years. It has been a compliance requirement since March 2022. Institutions have invested significant time and effort in reviewing the requirements and working out how best to implement them.

While institutions have been working on the provisions of SS1/21 and SS2/21, regulators, including the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), have been working with the organisations they regulate to understand how they are progressing towards the full compliance deadline of 31 March 2025. Regulators are also looking ahead to how operational resilience should develop in practice, based on its real-world application.

In a recent overview of the supervisory regulatory position, Duncan Mackinnon, the executive director for supervisory risk specialists at the Bank of England, highlighted the PRA’s expectations for progress towards operational resilience by March 2025. By this date, institutions need to be able to provide regulators with the assurance that they are operationally resilient.

Institutions are making solid progress towards implementing all the requirements, with many having already defined their important business services and their impact tolerances. The regulators will continue to engage with the firms they supervise to review their progress and challenge their plans and decisions in the coming months.

With these foundations laid down and refined further, the next step is scenario testing. Institutions must create and justify severe but plausible scenarios and use them to build practical resilience models, showing how their mapped resources, internal and third party, would cope under those scenarios. The scenarios need to cover data integrity issues and the potential for failures amongst third-party suppliers, not just loss of systems or premises.

Regulators are less interested in how banks and insurers achieve their compliance; they are more focused on their outcomes. They expect institutions to use the remaining time to deliver complete compliance by March 2025.

From working with a range of institutions, it seems clear that the issue of Third-Party Risk Management (TPRM) is a significant challenge for many firms. This is driven by the siloed nature of many business processes and the explosion in the use of third-party suppliers within core business processes.

Third-party suppliers have been used by banks and insurers for many years, whether it be providing payroll services, security services, or other non-core activities. However, in recent years, the widespread adoption of cloud computing-based services has meant that several core banking services are now dependent on third parties. For example, these can cover delivering computing services, application development, provision and support, data collection and analytics, and decision support.

These issues touch on the core challenge of managing third parties for banks. The services they deliver will likely be of interest to the operations, risk, compliance, audit, product development and procurement teams, as well as the board. So, who owns the relationship on a day-to-day basis? And how do you best manage this complex array of relationships and touchpoints to ensure that everyone’s needs are met simultaneously?

While companies have become adept at managing these complex relationships, it often means that one team, for example an operations team, ‘owns’ a specific third-party relationship and has to expend time and effort enforcing and monitoring the contract. That team also needs to comply with the numerous policies at its institution, on top of an already hectic ‘day job.’ Equally, it must spend time and effort responding to the demands of other teams, each of which needs assurance that its own policy area (procurement, security, ESG, risk and so on) is being followed properly and is up to date.

This approach can lead to inconsistencies across the business and makes it difficult to obtain the holistic view of resilience that sits at the core of SS1/21 and SS2/21.

An alternative is a more decentralised approach to TPRM. Third-party relationship owners define each relationship from a risk, contractual and operational perspective, in a consistent form, so that compliance, audit and risk teams can see what they need to see. It also allows those teams to influence and direct the relationship owners so that they follow the broader corporate direction and policies. Because the information is captured consistently, it can feed automated reporting and analytics, keeping corporate risk management dashboards accurate and up to date from a TPRM perspective.