The Next Steps For Operational Resilience

It's here.  On Thursday 5 December the UK authorities published their long-awaited operational resilience consultation papers. The proposals further develop many of the concepts originally put forward in the 2018 joint discussion paper, and represent a clear statement of intent by the Bank of England, Prudential Regulation Authority (PRA) and Financial Conduct Authority as to what is expected of firms going forward. Firms that fail to recognise and respond to this message can no doubt expect to be held to account by their supervisors, customers and clients. 

Three papers addressing operational resilience were published, each laying out the authorities' expectation that firms understand their vulnerabilities and take active steps to protect firms, consumers and the market from an operational disruption. A fourth paper addressing outsourcing was also published and should be read in conjunction with those focused on operational resilience. What is different from the 2018 joint discussion paper is that only one of these papers is a joint publication between the PRA, BoE and FCA; the remaining two are stand-alone publications by the FCA and the BoE/PRA respectively, with each approaching the key principles through the prism of their respective strategic objectives.

Navigating these proposals and understanding how they fit within existing frameworks will be key if firms are to successfully implement the proposals, but there is no doubt that many UK Finance members will find some of the consultation papers' concepts more familiar than others. Whilst still thematically aligned with the 2018 discussion paper's principles of business services, impact tolerances, and the importance of a customer-centric definition of harm, the consultations take many of them one level further. These include:

  • Business services: The authorities have further defined a "business service" as a service that a firm provides to an external end user or participant, which should be distinguished from lines of business (e.g. "retail and commercial mortgages"). They go on to define an "important business service" and link this concept specifically to whether a disruption would cause an "intolerable" level of harm to a customer.
  • Impact tolerances: The CPs specify that firms are required to set impact tolerances for each important business service at the first point that a disruption poses an intolerable risk of harm to consumers or market participants; harm to market integrity; policy holder protection; the firm's safety and soundness; or financial stability. The documents go on to clarify the relationship and differences between a firm's risk appetite and impact tolerances: an impact tolerance is not a recovery time objective or a recovery point objective. They also outline how a board could choose to decide its impact tolerance through things such as scenario specification and testing.
  • Firms must take action to address identified threats to operational resilience: The CPs establish that firms must proactively address operational resilience through the identification and mitigation of threats to their resilience, whether they be people, processes, resources, third-party suppliers etc. This explicitly requires firms to make operational resilience considerations a factor when considering investment and upgrade programmes. To meet this obligation, firms will be required to undertake rigorous mapping exercises and ensure that the information flowing to boards allows them to make informed, demonstrable decisions as to how they ensured their firm is operationally resilient.

The PRA and FCA consultations delve deeply into these and other areas and seek to establish clear expectations as to how firms can meet these standards. 

Banks, building societies, PRA-designated investment firms, Solvency II firms, Recognised Investment Exchanges, Enhanced scope Senior Managers & Certification Regime firms, entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017), and Electronic Money Regulations 2011 are all in scope of what is a determined effort by the UK's regulatory authorities to put operational resilience considerations at the forefront of firms' investment decisions. While the principles underpinning these changes are not new (firms have long been subject to rigorous operational resilience requirements via a combination of legislation, FCA and PRA rules and practical supervisory expectations), they do represent the first concerted attempt by regulators and policy makers to address operational resilience holistically.

Customer interests are paramount, and a resilient, robust financial system is critical to the health of the UK economy. UK Finance looks forward to working with members and the authorities in responding to these consultations and their eventual implementation.

 

UK Finance and EY are running a free webinar on the consultation papers on Thursday 19 December. Join us as we unpack the consultations and delve into what's driving them, what it means for you, and how you can best prepare your firm for what's coming. Book your place on the webinar today.