In Focus Risk


Operating plans


The next steps of proposals to improve lenders’ operational resilience have been released


Andrew Rogan Director, operational resilience, UK Finance


On 5 December 2019 the UK authorities published their long-awaited operational resilience consultation papers. The proposals develop many of the concepts originally put in the 2018 joint discussion paper, and represent a statement of intent by the Bank of England (BoE), Prudential Regulation Authority (PRA), and Financial Conduct Authority (FCA) as to what is expected of firms going forward. Firms that fail to recognise and respond to this message can no doubt expect to be held to account by their supervisors, customers and clients.

Three papers addressing operational resilience were published, each laying out the authorities’ expectation that firms understand their vulnerabilities and take active steps to protect firms, consumers, and the market from an operational disruption. A fourth paper addressing outsourcing was also published and should be read in conjunction with those focused on operational resilience. What is different from the 2018 joint discussion paper is that only one of these papers is a joint publication between the PRA, BoE, and FCA; the remaining two are stand-alone publications by the FCA and the BoE/PRA respectively, with each approaching the key principles through the prism of their respective strategic objectives.

Navigating these proposals and understanding how they fit within existing frameworks will be key if firms are to successfully implement the proposals, but there is no doubt that many UK Finance members will find some of the consultation papers’ concepts more familiar than others. Whilst still thematically aligned with the 2018 discussion paper’s principles of business services, impact tolerances, and the importance of a customer-centric definition of harm, the consultations take many of them one level further. These include:


• Business services – the authorities have further defined a ‘business service’ as being a service that a firm provides to an external end user or participant which should be distinguished from lines of business (such as ‘retail and commercial mortgages’). It goes on to define what is an ‘important business service’ and links this concept specifically to whether a disruption would cause an ‘intolerable’ level of harm to a customer.

• Impact tolerances – the CPs specify firms are required to set impact tolerances for each important business service at the first point that a disruption poses an intolerable risk of harm to consumers or market participants; harm to market integrity; policy-holder protection; the firm’s safety and soundness; or financial stability. The documents go on to clarify the relationship and differences between a firm’s risk appetite and impact tolerances: impact tolerance is not a recovery time objective or a recovery point objective. It also outlines how a board could choose to decide their impact tolerance through things such as scenarios specification and testing.

• Firms must take action to address identified threats to operational resilience – the CPs establish that firms must proactively address operational resilience through the identification and mitigation of threats to their resilience, whether they be people, processes, resources, or third-party suppliers. This explicitly requires firms to make operational resilience considerations a factor when considering investment and upgrade programmes. To meet this obligation, firms will be required to undertake rigorous mapping exercises and ensure data flowing to boards allow them to make informed, demonstrable decisions as to how they ensured their firm is operationally resilient.

The PRA and FCA consultations delve deeply into these and other areas and seek to establish clear expectations as to how firms can meet these standards.

Banks, building societies, PRA-designated investment firms, Solvency II firms, recognised investment exchanges, enhanced scope SMCR firms, entities authorised or registered under the Payment Services Regulations 2017 (PSRs 2017), and Electronic Money Regulations 2011 are all in scope of what is a determined effort by the UK’s regulatory authorities to put operational resilience considerations at the forefront of firms’ investment decisions. While the principles underpinning the changes are not new – firms have long been subject to strong operational resilience requirements by a combination of legislation, FCA and PRA rules, and practical supervisory expectations – they do represent the first concerted attempt by regulators and policy makers to address operational resilience holistically.

Customer interests are paramount, and a resilient, robust financial system is critical to the health of the UK economy. UK Finance looks forward to working with members and the authorities in responding to these consultations and their eventual implementation. CCR

www.CCRMagazine.com


Edited from a blog on the UK Finance website January 2020

