UK financial services institutions and firms now have less than six months to identify their ‘important business services’, set impact tolerances and carry out mapping and testing ahead of the new UK Regulatory Operational Resilience Requirements coming into force on March 31, 2022.
The new requirements are being ushered in by the Bank of England, the Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) in a bid to protect the wider financial sector and UK economy from the impact of operational disruptions. According to the FCA, the disruption caused by Covid-19 has shown “why it is critically important for firms to understand the services they provide and invest in their resilience.”
Operational resilience software and service provider Fusion Risk Management is encouraging institutions to start preparing now for the new requirements or risk missing the March 2022 deadline. Fusion has introduced an operational resilience self-assessment to help firms implement a scalable framework and is working directly with clients to “ensure they are on track to meet the deadlines and exceed the new requirements.”
In addition, Fusion says it has continued to strengthen its offerings to help firms ensure compliance with the new rules and as such has accelerated firms’ progress by 80%. Rich Cooper, Principal of Financial Services at Fusion Risk Management, says that in comparison to existing requirements, firms will find the key difference is around alignment of the various disciplines. “One of the key challenges firms will face when tackling operational resilience is the collapse of silos,” he says. “To achieve resilience, the walls must be broken down between business continuity, incident and crisis management, disaster recovery, and various risk disciplines as they work together. True business continuity is a cultural shift across an organisation, where everyone is working together towards a common goal.”
However, Cooper says that going through this process will be good for firms, resulting in a true understanding of their operations and the impact of an incident on employees, suppliers, stakeholders and customers. He adds that a strong resilience programme also provides a strong culture of teamwork and cooperation vs. traditional siloed programmes and disciplines like risk and continuity. “The transition to resilience is a marathon and not a sprint. As firms understand their important business service and the associated data points, they will continue to refine the process. The regulators understand this and are working with firms over a three-year period to smooth out the process,” Cooper says.
Michael Campbell, CEO, Fusion Risk Management, adds that many institutions have done the work to identify and map their important business services and are on a journey to set impact tolerances for each important business service ahead of the March 2022 deadline. But he warns that as they look for ways to integrate resilience into the operating fabric of their organizations, they are being challenged by the regulators to look at impacts beyond their own commercial interests. “Fusion provides a framework that anticipates, prevents, prepares for, responds to, and learns from risks and disruption over time, ensuring customers can manage to the desired outcomes set forth by regulators,” Campbell says. “This is not just a checkbox exercise; this is an operating model for the modern institution.”
Guy Warren, CEO of operational resilience technology and services provider ITRS Group, notes that the rules come into force just under two years since a UK Parliamentary Committee called on regulators to intervene following TSB’s IT meltdown. He argues that far from moving towards greater operational resilience in that time, businesses’ IT estates have only grown larger and more unwieldy, adding that the resilience of IT systems should no longer fall to the back office.
“To meet requirements on time and avoid punitive consequences, including hefty fines on individual senior managers, the UK’s financial C-suite must put operational resilience at the top of the agenda by committing serious investment towards data analytics and estate monitoring technology and making sure there is personal, senior responsibility for the operational resilience of their firms,” says Warren. “There will be no excuses made for shortcuts or sub-par capabilities. While it might seem costly at a time when most businesses are operating on small margins, the bottom line is this: if you say you can’t afford to prioritise the operational resilience of your systems, then you can’t afford to be in business.”
By the time the new rules come into force in March 2022, firms must have identified their important business services, set impact tolerances, carried out mapping and testing and identified any vulnerabilities in their operational resilience. Firms must also have performed mapping and testing so that they are able to remain within impact tolerances for each important business service and made the necessary investments to enable them to operate consistently within their impact tolerances as soon as possible after the March 31 deadline and no later than March 31, 2025.