Operational Resilience Checklist

What is the Backdrop?

In the intricate world of banking, financial stability is a widely acknowledged pillar. Yet, a new emphasis has emerged—operational resilience. This concept extends beyond disaster recovery and into the realm of a bank’s capacity to endure, adapt, and even thrive amidst the relentless onslaught of both internal and external disruptions.

Operational failures are costly: a recent Gartner study estimates that they result in an average downtime cost of $5,600 per minute for enterprises, which underscores the severe financial impact for banks.

While financial crises like the 2008 meltdown exposed the fragility of capital reserves, evolving threats put the spotlight squarely on operational resilience. Cyberattacks, technological breakdowns, natural disasters, and even pandemics threaten to derail core banking functions. Operational resilience is the ability to identify these threats, mitigate their impact, and bounce back quickly, preserving the integrity of the financial system.

The Operational Resilience Journey

FCA (Financial Conduct Authority) regulation PS21/3: Building operational resilience, published in March 2021, outlines expectations for organisations to build resilience so that they can prevent, respond to, recover from, and learn from operational disruptions to important business services.

PS21/3 covers various aspects of operational resilience, including:

      • Identifying important business services that, if disrupted, could cause harm to consumers or market integrity.

      • Setting an impact tolerance for each important business service, which is the maximum tolerable level of disruption to that service.

      • Mapping the resources, including people, processes, technology, and information, needed to deliver these important business services.

      • Conducting scenario testing to ensure organisations can remain within their impact tolerances during severe but plausible disruptions.

      • Developing internal and external communication plans for when disruptions occur.

      • Having governance arrangements in place to manage operational resilience.

This policy statement applies to UK banks, building societies, PRA-designated investment firms, insurance companies, and all FCA-regulated firms, including payment firms, electronic money institutions, and others, emphasising the importance of resilience in the financial sector.

Here’s an overview of the steps you need to take to meet the requirements from the FCA & PRA:

1. Identify Important Business Services

      • Begin by identifying and mapping out the important business services your organisation provides. These are services that, if disrupted, could cause harm to clients or the financial markets, or risk the firm’s viability.

      • Potential Action: Conduct a thorough analysis of your business activities to determine which services are critical to your operational integrity and the wider financial system.

2. Set Impact Tolerances

      • Impact tolerances are the thresholds for disruption that an organisation can withstand before causing intolerable harm to consumers or risks to market integrity.

      • Potential Action: For each important business service, set clear, measurable impact tolerances. Consider factors like time to recovery, financial impact, and reputational damage.

3. Map and Test

      • Document the people, processes, technology, and information that support your important business services. Understand the end-to-end journey, including third-party dependencies.

      • Potential Action: Regularly test your ability to remain within impact tolerances through a variety of severe but plausible disruption scenarios.

4. Scenario Testing

      • Develop scenarios that could potentially disrupt your business services, considering a wide range of causes, including cyber attacks, physical security breaches, and system failures.

      • Potential Action: Test these scenarios to evaluate your firm’s readiness and ability to respond effectively. Use the findings to refine your resilience strategies.

5. Communication Plans

      • Effective communication is critical during disruptions to ensure stakeholders are informed and reassured.

      • Potential Action: Develop and regularly update communication plans for both internal and external stakeholders, including employees, clients, regulators, and the public.

6. Governance and Oversight

      • Senior management and the board must have oversight of the operational resilience framework and ensure it is integrated into the organisational risk management strategy.

      • Potential Action: Establish clear roles and responsibilities for operational resilience. Regular reports should be made to the board and senior management to ensure continuous improvement.

7. Continuous Improvement

      • Operational resilience is not a one-time effort but requires continuous monitoring and improvement.

      • Potential Action: Implement processes for regularly reviewing and updating your operational resilience strategies, testing scenarios, and impact tolerances. Incorporate lessons learned from both internal and external incidents.

8. Regulatory Reporting and Compliance

      • Compliance with FCA and PRA regulations requires regular reporting and transparency with regulators.

      • Potential Action: Ensure timely and accurate reporting of operational incidents and resilience testing outcomes. Be prepared to demonstrate how your firm meets regulatory expectations for operational resilience.


      • Start Small: Begin with a pilot project focusing on a critical business service to refine your approach.

      • Engage Stakeholders: Involve all relevant stakeholders across the organisation and third parties to ensure buy-in and effective implementation.

      • Leverage Technology: Utilise technology solutions to automate processes, improve data analysis, and enhance communication effectiveness.

Some sections of this article were crafted using artificial intelligence technology.