The 31 March 2022 deadline has passed for financial firms to carry out the UK Financial Conduct Authority’s (FCA) requirement to complete a self-assessment document setting out their approach to operational resilience.
But while firms have now tested their ability to recover from potential disruptions and received the board’s sign-off on the document, this is not the time to take the foot off the accelerator. In fact, the countdown has already begun to the next deadline of 31 March 2025 for firms to act on the findings of this first stage.
Companies cannot leave this to the last minute; the FCA expects organisations in scope to undergo a thorough process to address any issues identified during the initial stage, further test their operational resilience, and build it into the overall framework and governance of their business.
In this blog, we look at five actions you should take to meet the regulator’s expectations and, perhaps more importantly, to become truly operationally resilient.
Assessing operational resilience: the story so far
The FCA’s recent push on operational resilience in the financial sector is driven by the harm disruptions to business operations can cause to consumers and the wider financial system. The regulator says the impact of Covid-19 on firms further illustrates the importance of resilience.
Its new rules (see Policy Statement PS21/3) came into force on 31 March 2022. You can read more about the requirements of the initial stage in our previous blog but, in short, firms had to complete a self-assessment document which:
- Identified their important business services.
- Set impact tolerances for the maximum tolerable disruption to business operations.
- Carried out initial mapping and testing of operational resilience, including critical processes, technologies and third parties.
- Spotted any vulnerabilities in their resilience and considered the resources needed to mitigate them.
While this first deadline has passed, the hard work starts now. To borrow from Winston Churchill, this is not the end of the regulatory focus on operational resilience. At best, it’s the end of the beginning!
The next step: five requirements for firms by 31 March 2025
The assessment and mapping stage was not just a desktop exercise; it was designed to give firms a clear course of action to strengthen their operational resilience. The FCA’s rules say this work should be done “as soon as possible” and no later than 31 March 2025. The requirements include:
- Remediate vulnerabilities
Firms need to remediate any weaknesses within the operational framework which were identified in the first stage. Without mitigation, these vulnerabilities could damage companies, their customers and the wider markets.
- Ramp up resilience testing
Firms should further develop their mapping and testing to ensure they remain within their impact tolerances for each important business service. This includes regular testing of different scenarios which could disrupt operations.
- Invest in operational resilience
By March 2025, the FCA expects firms to have “made the necessary investments to operate consistently within their impact tolerances”.
- Refine and embed operational resilience
Firms are expected to build operational resilience into their overall framework. It should be interlinked with their frameworks around business continuity, cyber resilience, risk management and process management. Operational resilience is critical to the company’s success and survival and should not be treated as an add-on.
- Operationalise governance
The FCA wants firms to operationalise the governance of operational resilience within the organisation. This should involve regular reviews of the firm’s resilience and applying the outcomes of these tests to their approach. Companies should also adapt the framework as appropriate to meet changes in the organisation and the financial markets.
A path to resilience: our advice for companies
We know improving operational resilience is a top priority for financial services firms: at our recent webinar about the UK’s regulatory outlook for 2022, 62% of participants picked it as their main area for improvement this year.
Firms can meet and exceed the FCA’s expectations with a properly resourced and planned approach that builds on what you have done before. Based on our work with clients in this area, we recommend building on the knowledge, experience and work already completed across your business. A lot of components of operational resilience exist in functions across the company.
Three years can pass quickly so the best time to start this work is now, and it should not simply be a tick-box exercise to satisfy the regulator. Firms will benefit in myriad ways from shoring up their operational resilience.
If you would like assistance with your operational resilience compliance, contact us today.