Operational resilience, third party risk management and impact tolerance in the time of Coronavirus
10 min read
On 5 December 2019 the Bank of England (Bank), UK Prudential Regulation Authority (PRA) and UK Financial Conduct Authority (FCA) published coordinated consultation papers and policy1 on new requirements to strengthen operational resilience in regulated financial services firms and financial market infrastructures (FMIs).
These build on market participants' responses to the three supervisors' July 20182 discussion paper on the same topic and aim to address risks to operational resilience, including those arising from the interconnectedness of the financial system. The papers were published soon after the Treasury Select Committee's report on IT failures in the Financial Services Sector.3
The PRA also published on the same day a further consultation on outsourcing and third party risk management, aiming ultimately to facilitate greater resilience and adoption of the cloud and other technologies, as set out in the Bank's response to the June 2019 Future of Finance report4, and reminding firms to ensure that their important business services are able to remain within their impact tolerances even when they rely on outsourcing or third party providers. It will also implement the EU Banking Authority's (EBA) Guidelines on Outsourcing Arrangements5. The FCA's paper on operational resilience also covered outsourcing. The consultation period closes on 3 April 2020.
The focused regulatory attention on operational resilience, third party management and impact tolerance is particularly relevant at present, as regulated firms and FMIs get to grips with the impact of the Coronavirus on the global financial markets as well as their day-to-day operations.
Supervisors' messages on how to prepare for maximum resilience in times of operational disruption
Bank, PRA and FCA December 2019 consultation papers
The papers define operational resilience as an outcome: the ability of firms and FMIs to prevent, adapt, respond to, recover and learn from operational disruptions.
They are clear that firms, central counterparties, central securities depositories, payment system operators and specified service providers must identify their important business services which, if disrupted, could cause harm to wholesale or retail clients or market integrity, threaten the viability of firms or cause instability in the financial system.
Regulated firms and FMIs must set impact tolerances for each important business service, quantifying the maximum tolerable level of disruption necessary for continued consumer protection and market integrity. The people, processes, technology, facilities and information supporting their important business services must be mapped, identified and documented. They must take action to be able to remain within their impact tolerances through a range of severe but plausible disruption scenarios.
They must develop internal and external communications plans for times of disruption to important business services, during which they are expected to communicate clearly, providing clients with advice about alternative means of accessing services. And firms and FMIs are expected to continue their regular fire drills in order to identify vulnerabilities in their operational resilience, and prioritise investment in their ability to respond and recover from disruptions as effectively as possible.
FCA statement on Coronavirus
The FCA's 6 March 2020 statement on Coronavirus6 also makes clear the supervisors' expectation that all firms will have contingency plans in place to deal with disruption. These are currently actively under review by both firms and supervisors, assessing operational risks, the ability of firms to continue to operate effectively, and the steps firms are taking to serve and support their customers. The FCA specifies its expectations for trading floor compliance where firms are moving staff to back-up sites or home-working, including that orders and trades should be promptly entered into the relevant systems and recorded lines should continue to be used when trading.
The FCA has also said7 that it will ask Chairs and CEOs of firms and FMIs to detail their strategic decisions and investment choices to build operational resilience and maintain the supply of important business services in the event of a major incident. It wants evidence of firms' planning for the worst which demonstrates that firms are able to continue to deliver their important business services should the worst happen.
Bank statement on Coronavirus
The Bank's statement8 on 3 March 2020 noted that the Prudential Regulation Committee (PRC) and its own FMI supervisors were reviewing the contingency plans of banks, insurers and FMIs in light of Coronavirus, including assessing operational risks and their ability to serve clients and markets with split teams and remote working.
The EBA's November 2019 Guidelines on ICT9 and security risk management,10 scheduled to apply from 30 June 2020, similarly set out the EBA's expectations with regard to banks', payment services firms' and investment firms' business continuity management. They also cover the development of business impact analyses, short- and long- term response and recovery plans, including testing, and their consequent updating based on the test results. Financial institutions are required to ensure that they have effective crisis communication measures in place so that all relevant internal and external stakeholders can be informed in a timely manner. The EBA's view is that ICT business continuity management processes are an integral part of a financial institution's overall business continuity management process and should not be separated.
European Central Bank (ECB) statement on Coronavirus
The ECB published a letter11 to key business continuity staff at supervised financial institutions on 3 March 2020 noting its expectation that they will review their business continuity plans and consider what actions to take to enhance preparedness for the spread of Coronavirus. Suggested preparations include assessing and urgently testing whether large-scale remote working or other flexible working arrangements for critical staff can be activated and maintained to ensure business continuity, testing the capacity of existing IT infrastructure for higher reliance on remote banking services, assessing the risk of increased cyber security-related fraud, and engaging with critical service providers on service continuity. ECB bank supervisors are monitoring banks' actions and expect them to contact their supervisor immediately if significant shortfalls or developments are identified during their checks. Banks are also required to give their supervisor the contact details of the team and key person responsible for business continuity.
Important business services
Important business services which must be identified under the December 2019 consultations are those provided to clients, participants and end users where disruption to firms' and FMIs' provision could cause intolerable harm to clients and market participants, the soundness, stability or resilience of the UK financial system, or the orderly operation of the financial markets. Firms and FMIs are asked to determine their most important business services, based on regulator guidance.
Mapping underlying resources
The three supervisors reference the interconnectedness of markets and the technology-driven ecosystem in which firms and FMIs operate as increasing the risk of a major disruptive event spreading quickly, in highlighting the need for them to map out the underlying resources which support and deliver their important business services. They propose that regulated firms collaborate to engage with their important suppliers in order to gain a proper understanding of their resilience arrangements.
Testing impact tolerances
The requirement for firms to identify the maximum tolerable level of disruption to an important business service, including its duration, is intended to produce different thresholds from those already in firms' established risk appetite frameworks and risk tolerance metrics. It is not a recovery time or recovery point objective, since these do not take account of the necessary wider elements such as potential harm to clients and the market. Supervisors will specifically look out for impact tolerances set at excessively high levels which would entail no action by firms.
Fire drill results should drive investment choices
Firms should use the results of fire drills and impact tolerance tests to identify resilience gaps and align these with investment choices which both increase their ability to continue to provide important business services in severe disruption events within their impact tolerances and also limit the impact on clients.
What does this mean for market participants?
Firms and FMIs will need to plan to set up project teams under the aegis of Senior Managers and their Board to assess and implement their compliance with the proposals, once published in final form this Autumn, and allocate budget for their investment strategy to plug any gaps or weaknesses identified in testing.
The proposals are not intended to conflict with or supersede existing requirements to manage operational risk or business continuity12 planning, but instead aim to set new requirements enhancing operational resilience. The supervisors intend firms and FMIs to address resilience gaps and build resilience and thus become able to continue to supply their most important business services during even severe operational disruption. They accept that operational incidents happen, but expect firms to prevent them from impacting clients, financial markets and the UK financial system. They should consider replacing outdated or weak infrastructure, increasing system capacity, or addressing key person dependencies, bearing in mind that the resilience outcome is more important to supervisors than a firm's ability to demonstrate compliance.
Where firms and FMIs rely on services supplied by third parties, including those outside the regulatory perimeter where firms retain responsibility for the delivery of their regulated services, the focus extends to the resilience of these third party services and any dependencies on these.
Good governance standards will continue to be an important component in supervisors' assessment of firms' operational resilience capability. Under the Senior Managers & Certification Regime, every Senior Manager should have a clear picture of their own accountability and responsibility, which includes clear lines of responsibility for the management of operational resilience.
Final policy and rules are due to be published in the second half of 2020. All three supervisors will continue to collaborate with the aim of developing an aligned approach for firms and FMIs. They will also be keeping operational resilience policy under review in order to assess any required changes due to new arrangements arising as a result of UK/EU Brexit negotiations.
Click here to download 'Operational resilience, third party risk management and impact tolerance in the time of Coronavirus' PDF
Coronavirus: Managing business impact and legal risks
9 information and communication technology
12 e.g. Business Continuity rules in FCA Handbook SYSC 4.1.6R and 4.1.7R at https://www.handbook.fca.org.uk/handbook/SYSC/4/1.html
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2020 White & Case LLP