Join our webinar on Thursday 15 July 2021 (12.00 – 13.00 BST) to hear our technology & outsourcing specialists talk about the top 5 trends they have been seeing in respect of outsourcing and third party technology contracts in the financial services sector.
1. Note the timings!
The self-assessment must be completed by 31 March 2022. Given the new and novel concepts in the Operational Resilience requirements, and the need to involve senior management in the key decisions, firms should not delay commencing work in this area.
2. Log all business services first
We recommend listing all business services first before focusing on which are important. The definitions are awkward and regulatory guidance is sparse, deliberately so because the PRA and FCA want firms to determine these issues for themselves. It will be very difficult for firms to assess impact and materiality without first identifying and agreeing the totality of business services they provide.
3. Sensible collaboration
The lack of guidance obviously creates risks. Very similar firms might identify different important business services and different impact tolerances. Variation is to be expected because business and operating models differ, but firms will not want to be extreme outliers. Trade and industry bodies are an important source of benchmarking information.
4. Work with suppliers
Mapping involves assessing the people, processes and technology used to deliver the firm's important business services. This will include third party suppliers of products and services. For firms with high or even moderate dependency on outsourcing this may be a demanding task. Some key industry suppliers may have considered carefully how they will respond to queries from their regulated clients. Some may find the sheer number of enquiries very difficult to deal with. Early supplier engagement – i.e. getting to the front of the queue - is one important reason for not delaying progress on the self-assessment.
Be wary and be aware! The self-assessment document creates risks in itself. Regulators expect that firms will identify their key vulnerabilities to shock events, but not all mitigation measures will have been put in place when the document is produced. Note also that, although there is no requirement to send it to a firm's regulators, they can of course request it. Given the very tight timeframes some considerable variability in quality is expected.
At Addleshaw Goddard we are producing a self-assessment decision tool and reporting format. Please contact Steven Francis below if you would like more information or even a demonstration.