Are you ready for the new operational resilience requirements? You have until the 31st March 2022
New Operational Resilience requirements, coming into force 31 March 2022, will have a major impact on UK financial services firms. The aim is clear – to enable firms to anticipate, prevent, adapt, respond to, recover from and learn from operational disruptions – but will be achieved through some novel regulatory concepts. The period before 31 March 2022 must be used by firms well, to ensure that their self-assessments are ready and fit for purpose. The timetable is a demanding one.
Our approach is to support clients using multi-disciplinary teams, Operational Resilience projects are likely to require broad team capabilities. We envisage deploying Regulatory Lawyers, Risk and Compliance Advisers, Technology Support, and Commercial lawyers adept in dealing with outsourcing arrangements and third and fourth party risks. We envisage that all of these specialisms will be required as firms undertake their self-assessments.
Supporting tools on the horizon
We are currently working on an Self-Assessment Decision tool that will enable firms, to an appropriate level of sophistication, to identify their important business services, the internal and external resources required to deliver them, and crucially set their impact tolerances – the time-based metric indicating the maximum tolerable level of disruption to unimportant business service. Many of these are new concepts, raising complex definitional points. The regulators have deliberately put the onus on firms to produce reasoned self-assessments of appropriate quality, but the lack of guidance is causing a concern.
Who we partner with
We have been assisting UK Finance and the International Banking Federation in their responses to regulators' consultation exercise and have also been helping our clients to consider what the new rules require. We are therefore in an ideal position to discuss what is happening on this topic more generally with clients. We have also been partnering with benchmark providers, consultancy firms and trade bodies to provide a high quality operational resilience service to our clients. We fully recognise that there will often be projects where we need to work with clients' internal teams or other external advisers.
What you need to focus on now
- Commence self-assessments now. Even firms with few service lines will consider the requirements demanding
- Make sure that the programme of work required to create the self-assessment is approved at board level
- Allow enough time for senior management engagement and challenge. It will take boards a considerable period to understand some of these new concepts
- Confirm all business services before identifying Important Business Services
- Ensure that the rationale and justification for key judgments is documented
- When mapping, note also the input of external suppliers, and also 4th party suppliers
- Use the greatest care when identifying current vulnerabilities and short-comings
- When setting impact tolerances make as much use as possible of existing operational risk measures and controls that the firm has in place
If you would value advice on the key steps in the lead up to the new requirements, please don't hesitate to contact us.