Operational resilience: Compliance dates and new challenges

The Prudential Regulation Authority (PRA) has announced that the deadline for starting the implementation of the Operational Resilience Framework for UK financial institutions is 31 March 2022. The final deadline for implementing all aspects of operational resilience is 31 March 2025.

This should at least provide clarity, if not more work, for risk, compliance and operational teams at firms that are affected. However, this being 2021, nothing is straightforward anymore.

Operational resilience was originally conceived in a comparatively simpler world, one where everyone assumed that systems, processes and people were essentially office-based with occasional remote working.

The presumption now for most institutions is that hybrid home/office working is going to be, post-Covid-19, the standard working model for the foreseeable future. The benefits for staff, firms and governments are too great to ignore.

For firms, the good news is that the principles-based approach of Operational Resilience (SS1/21) and of Outsourcing and Third-party Risk Management (SS2/21) means that they can accommodate the challenges of hybrid working. The challenge is that this will necessarily be an area that regulators will scrutinise closely in future.

As well as accommodating hybrid working, there are other developments in the final publication, arising from feedback during the consultation process, that firms need to master.

Firstly, the requirements for Impact Assessments are now much more defined. They now focus on a timed measure based on a business interruption's impact on a firm's 'safety and soundness'. Some firms are also subject to measures that reflect their greater potential impact on the wider UK financial services system should they encounter an interruption. The working assumption of these Impact Assessments is that a single asset fails and that this failure impacts multiple business processes; management then needs to prioritise its investment and oversight to mitigate the risk and impact. Other variables, such as trading volumes or asset value, can be used to give a more rounded assessment of the impact of a business interruption.

Based on feedback from the consultation phase, the inclusion of third-party outsourcing in the resilience mix is now more explicit. SS1/21 and SS2/21 were published together, each with a compliance date of 31 March 2022. The SS1/21 text specifically references SS2/21.

This recognises that the outsourcing of a range of services has accelerated in recent years in financial services. It also recognises that outsourcing will underpin many hybrid working models, as companies automate many of the manual processes that support working from multiple locations.

SS2/21 focuses on 'classic' outsourcing, where a third party delivers a service that would otherwise be delivered by the company itself. It also covers non-outsourcing third-party arrangements where, for example, data providers, software and hardware providers, systems designers, providers of on-premises IT services and other key third parties are central to key business services.

Whatever the nature of the relationship, the PRA expects firms to perform and maintain their due diligence of their suppliers and perform risk and materiality assessments in relation to the provision of core services. In addition, SS2/21 ties third-party service provision into the Senior Managers and Certification Regime (SMCR), to ensure that the standards of governance in managing these services are consistent with the governance standards across the business.

There is a range of issues facing firms complying with SS1/21 and SS2/21. By and large, major corporate IT systems are well defined and are already extensively mapped to business processes. However, third-party risk management is now a more significant issue, as it is being brought more fully into the regulatory spotlight. There is now a much stronger requirement for enterprise-wide supply chain management capabilities that map and manage third-party risk against core business processes.

One other area that institutions must not ignore is the weak points that come from informal business applications developed by end users, for example spreadsheet-based applications. These are already facing ever greater scrutiny from regulators and should be incorporated into SS1/21 plans.

To help banking professionals understand the final regulations, and explore some of these possible pitfalls, UK Finance and Mitratech are hosting an online panel discussion on 19 May 2021, 1:15 - 2:30 pm.

UK Finance Risk and Resilience Academy - 25 May

This comprehensive training academy explores the principles involved in managing risk and enabling a resilient culture. The academy will help delegates to develop frameworks, practices and behaviours that instil operational resilience disciplines across their firm. Delegates will have access to dedicated forums to discuss their experiences and will receive advice from experienced risk professionals.