Operational resilience - the road to industry implementation

Strengthening the financial sector's operational resilience is a key regulatory focus. UK regulators' consultations on their resilience proposals have now closed and we can expect finalised policy early next year.

In a nutshell, those proposals place the customer front and centre. Firms need to identify the most important business services relied on by customers, and then to map and test impact tolerances and dependencies for these services to identify and remediate vulnerabilities. This brings together key disciplines already in place in the sector: incident prevention, business continuity, operational risk management, and outsourcing and vendor management. Where traditionally firms may have taken a bottom-up view in their response planning, these operational resilience proposals call for a top-down readiness by boards to focus the entire organisation toward continued service provision in the face of disruptions.

UK Finance has submitted the industry's response after extensive member consultation, highlighting a number of implementation challenges.

Implementation challenges ahead

On the face of it, operational resilience should sit relatively straightforwardly within the regulatory and business environment. But there are going to be significant implementation challenges. For the industry to get this right, it will need clarity and flexibility from the regulators.

In our submission, UK Finance has asked the regulators to be clearer around the customer harm nexus within the different operating models of our members. We need clarity around the terminology adopted; around what level of detail to apply when identifying important business services; and where to place impact tolerances in customers' contact with the firm. The industry has a number of open questions around the resource-intensive and time-consuming requirements to map important business services, in particular on the level of granularity the regulators will expect when firms map their dependencies on outsourced and third-party providers. Similarly, the time and expertise that will be needed for designing, agreeing and then executing meaningful scenario exercises should not be underestimated. To avoid false starts, members also need clarity on the design and parameters for scenario testing.

Regulatory alignment

We have called on the regulators to consider four overarching principles when finalising their policy: proportionality, collaboration with industry, a commitment to providing ongoing guidance and information, and - crucially - regulatory alignment.

Many of our members operate across multiple jurisdictions in the global financial services industry, relying on numerous end-to-end processes and shared services. UK policy must align with international standards and principles if firms are to avoid having to meet duplicative, different or conflicting requirements.

Equally, the UK requirements would benefit from more cross-referencing and common language to clarify the interlinkage between operational resilience and, for example, recovery and resolution planning. UK regulators' own approaches need to be closely coupled to avoid the UK's 'twin peaks' architecture imposing unnecessary complexity and cost on the industry.

A roadmap for industry implementation

The Prudential Regulation Authority (PRA)'s separate proposals on outsourcing and third-party risk management envisage a phased approach to implementation. We recommend that the regulators adopt the same phased approach to implementing the operational resilience requirements.

One size does not fit all. Implementing the requirements could take the form of a road map with firms meeting appropriate checkpoints in agreement with their supervisors based on feasibility and proportionality. Such a phased approach would allow our heterogeneous industry to learn from disruptions in a meaningful way and would also promote collaboration between industry players and the regulators. Staged gateways for the separate components of the operational resilience framework could operate as standard "deadlines" across the industry or be firm-specific.

How can AG help?

Addleshaw Goddard has partnered with UK Finance members to explore the key implementation challenges. Contact the AG Operational Resilience Team for help with issues around risk control, change management pitfalls, framework development, or operationalising governance requirements.
