The latest resilience news from around the world

UK financial regulators publish operational resilience policy documents

The Bank of England, the Prudential Regulation Authority (PRA), and the Financial Conduct Authority (FCA) have published policy documents on operational resilience, which are the results of a long-running consultation period.

The regulators issued a number of documents on March 29th 2021, including:

  • Operational Resilience Statement of Policy: this clarifies how the PRA’s operational resilience policy affects its approach to four key areas of the regulatory framework: governance; operational risk management; business continuity planning; and the management of outsourced relationships. Read the document (PDF)
  • PS6/21 ‘Operational resilience: Impact tolerances for important business services’. This Policy Statement provides feedback on responses to the Bank of England, PRA, and FCA consultation documents on this area and also contains final policy in this area. Read the document (PDF)
  • Individual Policy Statements and Supervisory Statements on the Bank of England’s operational resilience expectations for Central Counterparties (CCPs) and Central Securities Depositories (CSDRs). 
  • A Policy Statement, Supervisory Statement and operational resilience chapter of the Code of Practice for Recognised Payment System Operators (RPSOs) and Specified Service Providers (SSPs).

Documents for the above two areas can be downloaded from here.

The policies become effective on Thursday 31st March 2022.

The FCA’s parallel operational resilience Policy Statement, PS21/3 ‘Building operational resilience: Feedback to CP19/32 and final rules’ also comes into force on 31st March 2022. The FCA says that by then regulated firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption and carried out mapping and testing ‘to a level of sophistication necessary to do so’. Firms must also have identified any vulnerabilities in their operational resilience. As soon as possible after 31st March 2022, and no later than 31st March 2025, firms ‘must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances’. 

The PRA also published SS2/21 ‘Outsourcing and third party risk management’, a Supervisory Statement that sets out the PRA’s expectations of how PRA-regulated firms should comply with regulatory requirements and expectations relating to outsourcing and third party risk management. This complements the requirements and expectations set out in the above operational resilience documents.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.