Operational Resilience
The FCA’s policy statement PS21/3 “Building operational resilience” (the Policy) is a focal point for the UK financial sector on managing operational resilience. The Policy sets out the key areas for firms to focus on: prevention, adaptation, response to, recovery from, and learning from disruptions. It builds on consultation paper CP19/32 “Building operational resilience: impact tolerances for important business services and feedback to DP18/04”, which outlined proposals focusing on how firms can strengthen their operational resilience and thereby consumer trust.
The policy framework, which took effect on 31st March 2022, mandates that by 31st March 2025 firms must have undertaken the necessary mapping and testing to ensure they remain within their established impact tolerances (the maximum acceptable level of disruption) for each of their critical business services.
Prior to the Policy, the approach to operational resilience was less structured and formalised. This transition marks a significant shift towards standardising and improving how firms test and identify risks that could threaten their functionality and viability. It also aims to protect consumers from undue harm.
Where firms have identified “severe but plausible” disruptions, it is crucial to identify the important business services that must continue, ensuring firms are able to keep providing these essential services regardless of the disruption. Such “severe but plausible” disruptions, for example natural disasters or cyberattacks, have the potential to cause extended interruptions or to impact multiple operations. By way of illustration, UK financial services firms reported more than a threefold increase in the number of cyber security breaches to the Information Commissioner’s Office (ICO) in 2023 compared to the previous year.
To manage these disruptions effectively, firms will need to undergo rigorous risk assessment and conduct scenario testing to regularly assess their resilience capabilities. The Policy encourages firms to take a more proactive stance on risk management, requiring continuous monitoring, mapping and re-mapping of processes, and tracking of such changes through regular reporting.
In addition, the Policy also emphasises the need to assess and scrutinise the contingency plans of third-party providers, especially as the FCA makes clear that if a third-party provider supplying an important business service to a firm fails to remain within impact tolerances, that failure is the responsibility of the firm. Where necessary, firms may need to allocate resources to enhance their operational resilience capabilities in order to meet the policy’s minimum standards.
At the centre of the Policy framework is a cultural shift to embed operational resilience considerations into all actions across a firm. A proportionate approach is adopted in the new rules, recognising that firms of varying sizes and complexities will have different operational set-ups and business models.
Moreover, under PS21/3, firms must establish clear governance and ownership structures, ensuring senior managers are accountable for operational resilience, in line with the requirements of the Senior Managers and Certification Regime (SM&CR) to have clear and proper apportionment of responsibilities.
With less than six months to go, firms need to act quickly to ensure their systems, processes and arrangements will be compliant with the impending requirements. Objectivus specialises in helping financial market participants navigate complex regulatory changes. Our team provides bespoke solutions and can assist in breaking down the requirements of PS21/3.
If you need support or have any questions about operational resilience or other compliance related issues, feel free to contact us at info@objectivus.com.
For further guidance or to discuss how these changes affect your firm, please contact Bhavisha Patel at bp@objectivus.com or Robert Hudson at rfh@objectivus.com, or call Objectivus at +44 (0)2034 573 283.