Operational Resilience: What next?

By Simon Tweddle

Ensuring that firms can prevent, respond to, recover from, and learn from operational disruptions is something worth investing in. With the Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) at the forefront in the UK, and the European Banking Authority (EBA) and the Digital Operational Resilience Act (DORA) setting the stage in the EU, understanding and aligning with these requirements is crucial for financial institutions. Operational resilience is more than just having a business continuity plan. Joining the dots between the various UK and EU requirements can deliver operational efficiencies that create inherent resilience, reduce the total cost of ownership, and support regulatory compliance in multiple jurisdictions.

FCA and PRA Requirements

The FCA and PRA have jointly introduced operational resilience frameworks, focusing on the ability of firms to continue to deliver critical operations through disruptions. These frameworks require firms to identify their important business services, set impact tolerances for each service, map and test the resources that support these services, and take action to remain within their impact tolerances.

Looking back to March 2022

By March 31, 2022, regulated firms in the UK were required to have identified their important business services, set impact tolerances, and completed initial mapping and testing of the resources supporting those services. They also had to identify vulnerabilities that might take them beyond impact tolerances and cause “intolerable harm”. This deadline marked the first major milestone, emphasising the identification of vulnerabilities within firms' operational resilience frameworks. 

Looking ahead to March 2025

By March 2025, regulated firms in the UK are expected to be fully compliant with the FCA and PRA requirements, demonstrating their ability to stay within impact tolerances for each identified important business service under a range of severe but plausible disruption scenarios. This involves detailed scenario testing, continuous mapping, allocating resources to remediate vulnerabilities, as well as the development of communications plans for customers and other stakeholders during disruptions. 

Link to the EBA Guidelines and DORA

The operational resilience requirements in the UK share common objectives with the EBA Guidelines on ICT and security risk management and with the requirements laid down by DORA in the EU.

EBA Guidelines on ICT and Security Risk Management

The EBA guidelines provide a comprehensive framework for managing ICT and security risks. They require financial institutions to implement robust governance, risk management, and incident reporting mechanisms. These guidelines align with the FCA and PRA's emphasis on resilient ICT systems and on mapping and testing the resources that support important business services. The FCA has (since before March 2022) required authorised payment and e-money institutions in the UK to comply with the EBA guidelines when preparing their operational and security risk return (REP018), specifically calling out the following in SUP 16 Annex 27H, Notes on completing REP018:

  • a list of business functions, processes and information assets supporting payment services provided and classified by their criticality;

  • a risk assessment of functions, processes and assets against all known threats and vulnerabilities;

  • a description of security measures to mitigate security and operational risks identified as a result of the above assessment; and

  • conclusions of the results of the risk assessment and summary of actions required as a result of this assessment.

Digital Operational Resilience Act (DORA)

DORA aims to harmonise digital operational resilience requirements across the EU financial sector. It focuses on ICT risk management, incident reporting, digital operational resilience testing, and third-party risk management. DORA's comprehensive approach to resilience testing and third-party risk management complements the requirements set by the FCA and PRA, reinforcing the importance of a resilient ICT infrastructure and the management of outsourcing risks.

Strategic Alignment and Compliance

Financial institutions need to strategically align their operational resilience frameworks to comply with both UK and EU regulations. This involves: 

  • Risk Identification and Management: Firms should conduct thorough risk assessments, focusing on ICT security and operational vulnerabilities. Alignment with the EBA guidelines will facilitate compliance with both sets of regulations.

  • Scenario Testing: Testing against a wide range of disruption scenarios, as mandated by the FCA, PRA, and DORA, lets firms demonstrate that they can withstand severe but plausible disruptions and stay within their impact tolerances.

  • Third-Party Risk Management: Given the increasing reliance on third-party providers, firms must ensure that those providers also meet operational resilience requirements, particularly in line with DORA's provisions on ICT third-party risk.

  • Continuous Improvement: Because operational resilience is dynamic rather than a one-off exercise, firms should adopt a culture of continuous improvement, learning from past incidents and adjusting their resilience practices accordingly.

As we move towards the March 2025 deadline, financial institutions must prioritise their operational resilience frameworks, ensuring they are prepared to meet, and in some cases exceed, the regulatory requirements in the UK. Why exceed them? Although DORA (which applies in the EU from 17 January 2025) will not apply in the UK, it will be relevant for many UK-based entities, either because they are financial firms that offer their services in the EU (directly, or indirectly through their group), or because they are ICT service providers that offer services to EU financial entities.

The alignment with the EBA guidelines and DORA reflects the wider shift towards a more resilient financial services sector, capable of withstanding and rapidly recovering from operational disruptions. By focusing on risk management, scenario testing, third-party risk management, and continuous improvement, firms can not only comply with regulatory requirements but also enhance their overall operational resilience, safeguarding their services and stakeholders in an increasingly digital ecosystem.
