Operational Resilience integration and evolution

On 29 March 2021 the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and the Bank of England released their policy statements on operational resilience. This follows the initial consultation paper in 2019 which set out proposals for improving operational resilience of Financial Market Infrastructures (FMIs). The policy statements provide details of recommendations for an operational resilience approach which firms have until March 2022 to fulfil. The recommendations from this policy statement align with the course content and learning objectives within the Risk and Resilience Academy provided by KRisk and UK Finance.

There are four key areas of the policy statement, which look at the relationship between operational resilience and:

  • Governance
  • Operational risk policy
  • Business Continuity Planning (BCP)
  • Outsourcing.

The first section of the statement looks at governance and the role of a firm's board and senior management in operational resilience, including general understanding, information for decision making, and creating and maintaining a risk-aware culture within the firm. In addition to the policy statement, the Department of Business, Energy and Industrial Strategy (BEIS) recently published a consultation paper with recommendations for restoring trust in corporate governance. This includes a requirement for companies to produce a resilience statement detailing short-, medium- and long-term assessments of uncertainties, prospects and resilience strategies.

As operational risk management supports operational resilience, the second section of the policy states that firms require an effective risk management system in place to manage operational risks. In addition, firms need to reduce the likelihood of incidents occurring as well as having incident management procedures to limit the impact when they do.

The third section of the policy statement looks at the relationship between operational resilience and business continuity planning. The communications involved in planning for business continuity, as well as the allocation of roles and resources, are vital. In addition, the policy states that testing business continuity plans complements the testing of disruption scenarios which relate to impact tolerances.

The final section, on outsourcing, states that firms remain responsible for their obligations when any function is outsourced to a third party. It is important during the process of mapping important business services that any vulnerabilities are identified. This could mean looking at any operation relating to a third party and considering the extended enterprise as part of the risk and resilience strategy.

The Risk and Resilience Academy from KRisk and UK Finance provides more information on the recommendations of the operational resilience approach. The principles of risk and resilience underlie the programme to develop skills, knowledge and awareness during interactive workshops and blended learning activities.

The Academy aims to develop innovative thinking and facilitate discussions and thought sharing between different firms, leading to an improved approach to risk and resilience management. Following the release of the policy statement in March 2021, the Academy meets the recommendations in the four key areas discussed here through its learning objectives and content.