FCA Consulting on Building Operational Resilience

The Bank of England (the Bank), Prudential Regulation Authority (PRA) and the FCA have published a shared policy summary and co-ordinated consultation papers on new requirements to strengthen operational resilience in the financial services sector.

A discussion paper on operational resilience, published in July 2018, set out the FCA’s aim of increasing firms’ investment in operational resilience where they provide important products and services, and explained that building operational resilience is in the public interest.

The FCA is now consulting on new requirements on firms to help strengthen operational resilience.

So, what is operational resilience?

The FCA defines operational resilience as, “the ability of firms and the financial sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions.”

There are many factors which can cause operational disruption – for example, cyber-attacks, power failure, changes to systems and technology failure. This disruption may be outside of a firm’s control.

While it is proposed that this new guidance will apply to Enhanced SM&CR firms – not Core or Limited Scope – arguably it is something that all firms should consider in order to ensure that their business is robust and prepared in the event of disaster. The FCA states that, “firms not subject to this Consultation Paper should continue to meet their existing operational resilience obligations and may want to consider our proposals.”

Once it has published its final rules, the FCA will consider whether the proposals should be applied to other firms.

In this consultation, the FCA outlines its proposals for firms, which are:

  • identifying their important business services, i.e. those which, if interrupted, have the potential to cause harm to consumers or market integrity
  • undertaking a mapping exercise to identify and document the people, processes, technology, facilities and information that support a firm’s important business services
  • setting impact tolerances for each important business service
  • testing their ability to remain within their impact tolerances through a variety of possible disruption scenarios
  • conducting lessons learned exercises in order to identify, prioritise and invest in their ability to respond and recover from disruptions as effectively as possible
  • developing internal and external communications plans for when important business services are disrupted
  • creating a self-assessment document

The consultation now closes on 1 October 2020.

All feedback will be considered and finalised rules will be published in a Policy Statement next year.

About the author

Lisa joined RWA in 2014 as an e-Learning Assistant, designing training material for the Aviva Development Zone e-learning platform.

Her role as Head of Content and Communications involves the editorship of RWA Insight. It also includes reviewing e-learning content as well as providing proofreading, copywriting and standards support across the business.
