Final UK regulatory policy on operational resilience – a time for change or business as usual for business continuity?
- Published: Friday, 16 April 2021 08:40
Following the publication of the final policy in March 2021, the operational resilience framework does not depart significantly from the December 2019 consultation papers (CPs), but it does include some important clarifications, says Steve Dance.
In a 2018 Continuity Central article, I identified a number of factors within the ‘Building the UK financial sector’s operational resilience’ discussion paper that could affect business continuity specialists in the financial sector. The final operational resilience policy clarifies these factors and now provides financial sector business continuity specialists with specific guidance for change. These are discussed below:
Adopting a customer and market driven approach to designing a ‘joined up’ resilience and contingency strategy based on the prioritisation of services and market integrity
For many institutions this may require a rework of existing impact assessments to ensure that they focus on the ‘three lenses’ of impact:
- Financial stability – this applies to large, systemically important financial firms where operational disruption could cause a ‘ripple’ effect throughout financial markets.
- Financial Viability – where a disruption could cause an existential threat to the organization.
- Potential harm to customers.
The latest policy reinforces this perspective and will require financial firms to consider these wider impacts when designing their operational resilience framework and when reviewing the business impact analyses (BIAs) and risk assessments that were developed for business continuity purposes.
The concept of important business services (IBS)
This aspect of the policy requires firms to identify how their customer-facing and service delivery activities are exposed to the three impact lenses mentioned above. Further clarification is provided on the level of detail required to identify and map the constituent parts of each important business service. Regulated organizations will be required to identify vulnerabilities in their delivery of each IBS, and this must cover both internal and external services. The regulators also confirm that this mapping exercise should be iterative, reviewed at least annually and, additionally, whenever substantial operational change has occurred, such as the introduction of new systems and technology.
The regulator is expecting the mapping exercise to be detailed enough for financial firms to clearly establish vulnerabilities, mitigations, and testing for each distinct ‘node’ in the map. For many organizations this will be a large and, possibly, complex task.
This has been one of the most challenging aspects of the operational resilience initiative since the publication of the original discussion papers. It is an area that is likely to receive significant attention when regulators begin their assessment of the preparation and progress made by financial firms.
Regulators make it clear that impact tolerances are expected to be expressed as something more than just the duration of a disruption. Such metrics could include the volume of disruption, the level of impairment, damage or denial of data, or the number of customers affected. Impact tolerances are required to provide clear metrics so that organizations can identify the level of resilience that needs to be established for each important business service. Again, for many, this will create a wider perspective than has previously been adopted under ‘traditional’ business continuity approaches.
The regulatory policy also states the need for firms to undertake scenario stress testing to demonstrate that the resilience of each important business service is in line with stated impact tolerances.
The important word here is ‘stress’ testing – a walkthrough will not do. Stress testing means exposing a service to the level of pressure that would likely occur in an operational situation under a particular scenario. This means simulating, as realistically as possible, a given impact scenario on a business service.
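To make the mapping, impact tolerance and stress testing points above concrete, here is a small added illustration in Python. It is not code from the article, from RiskCentric or from the regulators; the service, its ‘nodes’, the external suppliers, the tolerance figures and the scenarios are all constructed values. It shows an important business service mapped to its internal and external constituent parts, an impact tolerance expressed on three axes rather than duration alone, and a scenario assessment that reports which tolerance a given failure would breach and which mapped node caused it.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ImpactTolerance:
    """Impact tolerance on more than one axis: duration, customers and data."""
    max_outage_hours: float
    max_customers_affected: int
    max_data_impairment_pct: float


@dataclass(frozen=True)
class Node:
    """One constituent part ('node') of an important business service."""
    name: str
    provider: str          # "internal" or the name of an external supplier (constructed)
    recovery_hours: float  # assumed time to restore this node once it fails


@dataclass(frozen=True)
class ImportantBusinessService:
    name: str
    customers_served: int
    nodes: tuple[Node, ...]
    tolerance: ImpactTolerance


@dataclass(frozen=True)
class Scenario:
    """A stress scenario: which mapped nodes fail and the effect on customers and data."""
    name: str
    failed_nodes: frozenset[str]
    customer_fraction_affected: float
    data_impairment_pct: float


def external_dependencies(ibs: ImportantBusinessService) -> list[str]:
    """Suppliers the service depends on; the mapping must cover these, not just internal parts."""
    return sorted({n.provider for n in ibs.nodes if n.provider != "internal"})


def assess(ibs: ImportantBusinessService, scenario: Scenario) -> dict:
    """Apply a scenario to the service map and test the result against each tolerance axis."""
    unknown = scenario.failed_nodes - {n.name for n in ibs.nodes}
    if unknown:
        # A scenario that names an unmapped node means the map itself is incomplete.
        raise ValueError(f"scenario references nodes not in the IBS map: {sorted(unknown)}")
    failed = [n for n in ibs.nodes if n.name in scenario.failed_nodes]
    # The service is down until the slowest failed node is restored.
    outage_hours = max((n.recovery_hours for n in failed), default=0.0)
    customers_affected = round(ibs.customers_served * scenario.customer_fraction_affected) if failed else 0
    data_impairment = scenario.data_impairment_pct if failed else 0.0
    tol = ibs.tolerance
    breaches = []
    if outage_hours > tol.max_outage_hours:
        breaches.append("duration")
    if customers_affected > tol.max_customers_affected:
        breaches.append("customers")
    if data_impairment > tol.max_data_impairment_pct:
        breaches.append("data")
    return {
        "scenario": scenario.name,
        "outage_hours": outage_hours,
        "customers_affected": customers_affected,
        "data_impairment_pct": data_impairment,
        "breaches": breaches,
        "within_tolerance": not breaches,
        "failed_nodes": [f"{n.name} ({n.provider})" for n in failed],
    }


def build_sample_ibs() -> ImportantBusinessService:
    """Constructed example service; every name and number here is hypothetical."""
    return ImportantBusinessService(
        name="retail payments",
        customers_served=100_000,
        nodes=(
            Node("online banking front end", "internal", recovery_hours=4),
            Node("core ledger", "internal", recovery_hours=6),
            Node("payments gateway", "PayCo (constructed)", recovery_hours=12),
            Node("customer identity service", "IDVendor (constructed)", recovery_hours=3),
        ),
        tolerance=ImpactTolerance(max_outage_hours=8, max_customers_affected=20_000,
                                  max_data_impairment_pct=1.0),
    )


# Constructed stress scenarios, each exercising a different tolerance axis.
SCENARIOS = (
    Scenario("payments gateway supplier outage", frozenset({"payments gateway"}), 0.6, 0.0),
    Scenario("core ledger failover", frozenset({"core ledger"}), 0.1, 0.5),
    Scenario("identity vendor outage with data corruption",
             frozenset({"customer identity service"}), 0.3, 2.5),
)


if __name__ == "__main__":
    ibs = build_sample_ibs()
    print("external dependencies:", external_dependencies(ibs))
    for scenario in SCENARIOS:
        print(assess(ibs, scenario))
```

Running the block prints one result line per scenario. The first scenario breaches both the duration and customer axes even though only an external node failed, which is the kind of finding the mapping exercise is meant to surface; the second stays within tolerance; the third recovers quickly but breaches on customers and data, showing why duration alone is not an adequate tolerance.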
Whilst the final policy broadly confirms the direction of travel set out in the preliminary discussion and consultation papers, its clarifications make it clear that a framework built solely on business continuity good practice is unlikely to provide the required level of compliance with the new operational resilience regulatory policy.
For financial organizations hoping to use their current business continuity framework as the starting point for their operational resilience framework, significant rework will be required to extend it to meet the ‘three lenses’, mapping, impact tolerance, and testing requirements of the operational resilience regime.
With an initial implementation deadline of March 2022, and full compliance with identified impact tolerances required by March 2025, there is much work to be done by many firms.
Additionally, whilst a number of the concepts of operational resilience will be familiar to business continuity specialists, the wider concepts of impact tolerances and stress testing may require the development of new skills that currently lie outside familiar business continuity practice.
Steve Dance is Managing Partner of RiskCentric.