IMPROVING YOUR RESILIENCE CAPABILITIES
New Operational Resilience requirements came into force 31 March 2022. Firms should have produced their initial self-assessment documents.
The regulators' aims are clear: to place firms into a state where they can anticipate, prevent, adapt, respond to, recover from and learn from operational disruptions. The self-assessment requirements however, are not so clear and regulatory guidance is sparse.
Most firms will now have produced their initial self-assessments, but regulators expect these to be improved over time and to show increasing sophistication of approach, in particular in the areas of process mapping and testing.
DO NOT BE TEMPTED TO AVOID REVIEWS!
Reviews should be less demanding than the initial assessment, but nonetheless will be demanding.
Note that reviews should be more frequent where:
- You have new key suppliers
- You have undergone structural change, rapid expansion or entry into new markets
- New types of complaint or poor performance have highlighted concerns about resilience
- You have new stakeholders to consider
- Testing or operational incidents bring into question previously held assumptions
We are now in the crucial three-year transitional period. We are helping clients:
- Review and improve their self-assessments
- Ensure that their outsourcing and third party arrangements meet regulatory requirements and the expectations set out in the self-assessment
- Make new applications for authorisation where they are producing self-assessments for the first time
- Deal with client, audit and regulatory queries about their initial self-assessments
- Put in place more demanding process testing frameworks and liaise more closely with their suppliers over joint testing frameworks
Our team of specialists, led by Steven Francis (ex-FCA and regulatory lawyer) and Jonathan Steward (ex-KPMG & Deloitte and a risk and compliance professional), are here to help with the demands of this new regulation. With a deep understanding of the issues we have created a proprietary decision analysis tool (DAT) as well as self-assessment templates and trackers. These resources will enable firms to identify their important business services, the internal and external resources required to deliver them, and crucially set their impact tolerances (the time-based metric indicating the maximum tolerable level of disruption to unimportant business service). Many of these are new concepts, raising complex definitional points. The onus is on firms to produce reasoned self-assessments of appropriate quality. AG can help.
Want to know more about our helpful tools?
Aside from our advisory capabilities, we can also literally lend a hand. If resourcing this under such time pressure is a challenge, let us know. We have trained support teams in preparation to help those who need it alongside our multi-disciplinary team of Regulatory Lawyers, Risk and Compliance Advisers, Technology Support, and Commercial lawyers adept in dealing with outsourcing arrangements and third and fourth party risks.
With Steven and Jonathan's unique experience from the FCA and the Big 4, coupled with assisting UK Finance and the International Banking Federation in their responses to regulators' consultation exercise, we have a deep understanding of this topic. We have also partnered with benchmark providers, consultancy firms and trade bodies to provide the highest quality operational resilience service to our clients.
WHAT TO FOCUS ON NOW
- Ensure that current self-assessments remain relevant
- Start reviews now. Even those with only few service lines will find the requirements complex
- Make sure that the programme of work required to review and revise self-assessments has board level support
- Allow enough time for senior management engagement and challenge
- Consider again the approach taken to 'important business services'. Has anything changed since the last self-assessment? Have you entered new markets or indeed exited markets?
- Ensure that the rationale and justification for key judgments is documented
- Supplier mapping is lengthy, you will need to show that this is being done to more refined levels of granularity
- Use the greatest care when identifying current vulnerabilities and short-comings. You will be at risk
- When setting impact tolerances make as much use as possible of existing operational risk measures and controls that the firm has in place
- If you are interested in any of our support, leave your details here and we'll be in touch.
If you're interested in any of our support, leave your details here and we'll be in touch.