Six months to FCA’s operational resilience deadline

With less than six months until new operational resilience rules come into force, many firms are only now realising how much they will need to do to prepare.

In March 2021, UK regulators set out their final rules and guidance on new requirements to strengthen operational resilience in the financial services sector. By March 2022 firms must have identified their important business services, set impact tolerances for the maximum tolerable disruption, and carried out mapping and testing to a level of sophistication necessary to do so. Firms must also have identified any vulnerabilities in their operational resilience.

As soon as possible after 31 March 2022, and no later than 31 March 2025, firms must have performed mapping and testing so that they are able to remain within impact tolerances for each important business service. Firms must also have made the necessary investments to enable them to operate consistently within their impact tolerances.

As the countdown begins, it is important to remember that operational resilience is not Business Continuity Management 2.0. It requires much deeper thinking from financial services firms. We have seen already the many inherent challenges in preparing for the new rules. With six months to go, many firms are not as far along the road as they should be.

Allocate resource and personnel effectively

A common barrier to preparing adequately for the new rules is an over-reliance on those with other roles within a firm. The scope of the regime is wide, and significant time and resource need to be spent on ensuring compliance. Individuals with dedicated roles within a firm should therefore be tasked with implementing the required preparations to avoid delays or missteps.

Similarly, many of the individuals who have been tasked with implementing firms’ preparations lack the required specialist or technical knowledge to do so. For example, some firms have been relying solely on their COOs to ensure they are ready for the new rules. Though they may seem like the obvious choice, firms should not always assume that the COO will be the best person to assess the detailed requirements across all areas, particularly in firms with split CTO/COO responsibilities or large outsourced relationships. Equally, there should be an expectation of collective responsibility and effort across the Board and Exco. An “it’s the COO’s job” attitude will not deliver the right results.

Properly delegating tasks internally and making sure that those overseeing the preparations have the appropriate knowledge is therefore essential. These individuals must also understand what a ‘good’ end state for their firm looks like in the context of the new regime. This will help drive forward a coherent strategic framework, without which preparations are likely to be implemented ineffectively.

Bottom-up beats top-down

We’re also seeing many firms taking a top-down approach to identifying their important business services. Whilst those heading up an organisation might on the face of it seem to be best placed to do this, this is not always the case. Those ‘on the ground’ across different areas of the business often have better informed and more nuanced perspectives that should be considered. A ‘bottom-up’ approach will thereby produce a more accurate picture of those services which should be identified under the rules, giving the regulator less ammunition with which to question you later.

Within this, it is important to demonstrate a clear understanding and assessment of those services which are delivered by outsourced providers.

Show your working

Keeping records of the process is critical. However, we have found that firms often misplace key evidence of the processes they are undertaking. Back-filling information after the fact is likely to be patchy and inaccurate. Keeping a robust, real-time record of what is being done to prepare for the new operational resilience rules should therefore be central to firms’ approach. Show your working to avoid being caught out by the regulator down the line.

In particular, firms must be able to demonstrate (and evidence) how senior management have overseen the process and satisfied themselves that the approach is correct. Without clear evidence of this challenge and review, it will be difficult to substantiate that the process is built on strong foundations.

Test, test, test

The same applies to stress-testing. Firms should be testing their methodology now to ensure it is effective. Without that level of assurance early in the process, there is a risk of running into significant challenges further along the journey once the rules come into force.

From challenge, opportunity

Compliance with operational resilience rules is an essential process that must be undertaken carefully. Firms have a few months left to ensure they have properly delegated tasks and resources, applied adequate stress-testing and record keeping, and have brought in perspectives from all levels of their organisation. No one said it would be easy. But equally, this is an opportunity to significantly increase your understanding of your business, reassess strategy and priorities, and to enhance your competitive advantage in the process.

 
