The FCA operational resilience guidelines: an overview
Released in March 2021, the FCA operational resilience policy provides a framework for financial services firms to strengthen their resilience against operational disruptions. To do this, the policy required firms to establish robust plans for ‘severe but plausible’ risks earlier this year.
Created alongside the Bank of England and the Prudential Regulation Authority (PRA), the policy came about in response to Covid-19. The pandemic, as you will be all too aware, caught many businesses off-guard, and the FCA want to prevent a similar situation from occurring. The global financial crisis and the recent rise in cyber-attacks also prove the need for firms to achieve operational resilience.
To understand the regulator’s operational resilience framework in more detail, let’s first go back to basics. Exactly what is operational resilience?
What is operational resilience?
The FCA and PRA define operational resilience as the ability of financial services firms and the finance services sector to:
prevent, adapt, respond to, recover, and learn from operational disruptions.
Essentially, it is all about ensuring that your organisation has contingency plans and risk mitigation strategies in place. Why? So that you are as prepared as possible for adverse scenarios. This should prevent harm from manifesting or will help you to recover more easily if something does go wrong.
The importance of building operational resilience goes beyond protecting your organisation from becoming victim to operational risk. It is also in the public interest. By being prepared for unfavourable situations, financial firms are better placed to protect consumers and the wider financial industry.
Operational resilience is also about changing your organisation’s mindset. Instead of thinking about operational disruption as something that could happen, firms should assume it will happen. This shift in attitude should propel your organisation to make operational resilience a priority and will help to drive cultural change within the industry.
So, what are the FCA operational resilience guidelines?
If you are not already familiar with the FCA operational resilience policy, it focuses on five key areas:
- Important business services – This refers to services that would cause intolerable damage to consumers or the market if they were disrupted.
- Impact tolerances – This is the maximum level of disruption that can be endured whilst still being able to deliver important business services. Disruption to important business services beyond this level would cause intolerable harm to consumers, the UK financial system, and financial markets.
- Transitional arrangements – Firms had until the 31st of March 2022 to implement the new requirements. Following this, the FCA have outlined a 3-year transitional period where firms must ensure they are remaining within their set impact tolerances.
- Mapping and scenario testing – Mapping involves establishing what resources are needed to continue to deliver important business services, from people and processes to technology and facilities. Scenario testing requires firms to assess whether they can remain within their impact tolerances under different harmful yet possible situations.
- Communication and self-assessment – In the instance that important business services are disrupted, the FCA expect firms to have internal and external communication plans ready. Firms should also self-assess their operational resilience and document this.
While the regulator’s operational resilience requirements may seem complex, in essence they are about ensuring firms are prepared for the worst. That way, severe operational disruption, as well as harm to consumers and the market, can be avoided.
“We need to know that you have planned for the worst and are able to continue to deliver your important business services when the worst does happen.”
The FCA operational resilience framework applies to banks, building societies, PRA-designated investment firms, insurers, Recognised Investment Exchanges, enhanced scope SMCR firms, and entities that are authorised and registered under the Payment Services.
If you fall under one of these categories, you should now have an operational resilience strategy in place that meets the new requirements.
Building your operational resilience strategy
Considering all of the above, what steps should you have taken to ensure that your firm strengthens its operational resilience to meet the FCA’s framework?
- First, identify your important business services. Which services, if disrupted, could cause severe damage?
- Set impact tolerances, so that you can plan what actions are needed to stay within them.
- Spot vulnerabilities in your operational resilience. It is important that you learn from any operational disruptions.
- Carry out appropriate mapping and testing. At present, this only needs to be conducted to a level that enables you to properly perform the previous steps.
- Regularly update your operational resilience self-assessment; the FCA may ask to see this document at any time.
- Put a robust communication plan in place, so that you are prepared for adverse scenarios and can minimise further disruption if risk occurs.
- At least once a year, or when there is a significant change in your organisation or the market, review your important business services and impact tolerances. Update these as required, so that nothing is missed.
- Take all possible actions to ensure you remain within the impact tolerances for each important business service.
Operational risks are constantly evolving. With Covid-19 and the rise in cyber-attacks, the past couple of years has made this clearer than ever. It is no wonder, then, that the regulators have introduced this operational resilience framework to help firms in the financial sector prepare for the worst. One firm who did successfully prepare for the worst, however, is the Admiral Group.
Now you have a better understanding of the FCA operational resilience policy, download our free e-book to discover a great example of operational resilience: the Admiral Group's response to Covid-19.
What we can learn from the Admiral Group’s pandemic response
Our free e-book explains how Admiral mitigated the risk of Covid-19 and achieved operational resilience. Find out what made their approach successful.