Rebecca recently joined us in 2024 as a Senior Content Writer and has experience researching and creating multimedia content. With a keen interest in current and emerging industry affairs, Rebecca responds through a critical lens and, by promoting thought and discussion, aims to increase awareness of UKGI’s work.
8 ways to boost your firm’s operational resilience
Operational resilience, a firm's capacity to recover from or adapt to disruption quickly and smoothly, is more than having a business continuity plan or disaster recovery arrangements. True resilience is a planned, long-term, continually evolving process.
This article explores how firms can build operational resilience, why it is important, and how it aligns with other regulatory and ethical obligations.
The FCA’s view
The FCA has placed an enduring focus on operational resilience. Recently, it published a webpage outlining insights and observations for firms working towards the deadline for full compliance with the operational resilience rules introduced by Policy Statement PS21/3, "Building operational resilience". Those rules came into force on 31 March 2022, and the transitional period for firms to be able to remain within their impact tolerances ends on 31 March 2025.
The regulator is particularly concerned with the level of governance, oversight, and contingency planning on outsourced services in firms where, if a problem occurs, customers could suffer harm because adequate controls and contingency plans are not in place.
The value of operational resilience
Whilst the FCA's operational resilience rules and guidance apply directly only to a defined set of firms, including Enhanced Scope Senior Managers and Certification Regime (SM&CR) firms, the regulator's related observations and insights are valuable to all firms seeking to ensure operational resilience.
Ensuring operational resilience is critical to fulfilling other important regulatory and ethical obligations. For instance, operational resilience is key to supporting the regulator's statutory objectives: the ongoing availability of important business services reduces the risk of consumer harm and the risk to market integrity, and resilient firms help to promote effective competition.
It also aligns with fundamental regulatory requirements, such as Principle 12 (the Consumer Duty's Consumer Principle, which requires firms to act to deliver good outcomes for retail customers) and the FCA's Threshold Condition 4, which requires firms to have appropriate resources.
Key things for firms to consider in relation to Operational Resilience
Below are 8 key areas firms should focus on when building operational resilience:
1. Identify and safeguard important business services
Firms should identify their important business services, safeguard every step of each service's process chain (including outsourced processes), and put in place alternative solutions and workarounds so that the supply of services to clients is not interrupted and risks to financial markets, market integrity or the resilience of the UK financial system are mitigated, regardless of the type and intensity of the potential scenario.
According to the FCA, the quality of firms' identification of important business services remains varied, and some firms exclude certain services on the basis that competitors would be able to substitute them and meet client or consumer needs in the event of disruption. However, important business services should be identified and safeguarded independently of the firm's response or recovery capabilities and of what competitors might be able to provide.
2. Ensure impact tolerances are understood & rationalised
Firms must ensure that their impact tolerances are fully understood and rationalised. The FCA has noted a lack of documented rationale for many identified impact tolerances, and that these are often expressed only as a maximum period of disruption. Firms should consider additional metrics, such as customer type, the value and number of transactions affected, criticality, and estimated losses, to complement time-based measures.
3. Effectively identify, map & manage third parties
Mapping is essential to identifying vulnerabilities that could lead to a breach of impact tolerance during a disruption. Firms should document the people, processes, technology, facilities, and information necessary to deliver each important business service, including third-party relationships and any further parties those third parties depend on. Actively managing third-party providers, including through contractual requirements and ongoing oversight, helps ensure that they can support the firm's ability to remain within its impact tolerances.
4. Scenario test to accurately assess resilience
Firms should develop and maintain testing plans for each important business service which identify a range of severe but plausible scenarios and set out how the firm will remain within its impact tolerances. Scenario testing should evolve from judgement-based exercises to tests grounded in empirical data, including penetration tests, disaster recovery tests, simulations, and lessons learned from real incidents. Including third parties in testing helps to assess their capability to support the firm in remaining within impact tolerance.
5. Actively think about vulnerabilities & remediation
Mapping and scenario testing help identify vulnerabilities that could cause firms to breach impact tolerance. The FCA expects remediation plans to be approved, fully funded, and governed to ensure delivery, with repeated scenario tests verifying that vulnerabilities are resolved.
6. Ensure response and recovery plans are understood & tested
According to FCA reviews, many firms' self-assessments showed limited evidence that response plans had been tested, and firms commonly relied on recovery alone to judge whether they could remain within their impact tolerances.
It is important that your firm understands its response plan should a disruption occur. Response plans set out the alternative actions that buy time while recovery plans are executed and so help to avoid a breach of impact tolerance.
7. Strengthen your self-assessment
Firms should self-assess their operational resilience and document their journey to becoming operationally resilient. A firm's governing body is required to approve and regularly review the self-assessment, so it must provide sufficient information and justification for the determinations, decisions, and plans that underpin the firm's continued resilience.
The assessment should also include an overview of identified vulnerabilities, the action required to remedy them, the scenario tests carried out (and their outcomes), remediation plans, and the firm's strategy for remaining within impact tolerances for all of its important business services.
8. Embed operational resilience throughout your firm
Firms should embed operational resilience in their overall culture, risk frameworks, change management, and strategic planning. Operational resilience should be a core consideration when assessing the risk of transformation and change. Horizon scanning is vital to understanding new and emerging risks, ensuring appropriate testing, and having controls in place to detect, respond to, and recover from disruptions.
By focusing on these key areas, firms can enhance their operational resilience, safeguarding consumers, market integrity and the stability, growth, and competition of the sector.