Who is in scope for the UK’s new operational resilience regulatory mandate?
The new operational resilience regulatory rules will apply to all the following financial organisations in the UK:
PRA-designated investment firms
recognised investment exchanges
enhanced scope SM&CR firms
entities authorised and registered under the Payment Services Regulations 2017 or Electronic Money Regulations 2011
When does the new operational resilience rulebook come into force?
The new rulebook is set to come into force on 31st March 2022. The timeline includes a one-year implementation period, during which firms will have to identify their “important business services”, define “impact tolerances” for those services and start operationalising the framework.
From 31st March 2022, firms must ensure that the resilience strategies, systems and processes they have in place are sufficient to keep them within their impact tolerances in the event of a severe but plausible operational disruption. Whilst this is expected to be a gradual process, organisations will have to become fully compliant by 31st March 2025.
What is an ‘important business service’?
An “important business service” is defined as a service provided by a firm, or by another person on behalf of the firm, to one or more clients which, if disrupted, could:
1) cause intolerable levels of harm to one or more of the firm’s clients, or
2) pose a risk to the soundness, stability, or resilience of the UK financial system or the orderly operation of the financial markets.
How do you define or set an ‘impact tolerance’?
Firms are responsible for setting ‘impact tolerances’ for each ‘important business service’. According to the new operational resilience rulebook, impact tolerance is the maximum tolerable level of disruption to an important business service, as measured by a length of time in addition to any other relevant metrics. This should also reflect the point at which any further disruption to the important business service could cause intolerable harm to one or more of the firm’s clients, or pose a risk to the stability of the entire UK financial system or the orderly operation of the financial markets.
To put this into perspective, let’s take a look at what business services and impact tolerances might look like for an asset management company.
Business services of asset managers could be:
Technology platforms for order management, relationship management and trading
Third parties such as custodians and fund administration companies
Operational information including customer details and authorisation requirements
Impact tolerance thresholds could then be calculated for one or more of the above in terms of both financial and reputational risk using the number of services impacted and the length of time each service was affected by an event.
What’s the connection between operational resilience and governance?
Governance is key to the success of the board’s operational resilience strategy – boards must ensure they have appropriate management information to inform decisions that have consequences for the firm’s operational resilience. Senior management will be more accountable than ever for ensuring the effectiveness of a company’s resilience strategy and its execution. Firms should, therefore, establish clear accountability measures and internal controls for the management of operational resilience, using existing committees and roles, or establishing new ones, if necessary.
Given the depth and scope of the new operational resilience mandate, it’s clear that many firms will be facing a major regulatory burden within a relatively short timeframe. Ironically, the COVID-19 pandemic and rising cyber tensions have galvanised firms into making this a top priority. The “big four” have published several informative papers on the subject:
EY – “Building and improving enterprise resilience is no longer a choice. It’s an imperative”
KPMG – “Operational resilience in financial services. Seizing business opportunities”
PwC – “Operational resilience, crisis and continuity”
Deloitte – “Final UK policy on Operational Resilience – financial regulators reimagine resilience for the sector”
One theme prevalent throughout all those publications is the role of emerging technology and how it could facilitate the overall compliance process. In fact, it’s clear technology will be instrumental not only in building resilience but also in managing operations across the board. Indeed, Deloitte has set out eight predictions about the adoption of digital technology in financial services over the next few years. Entitled “Finance 2025”, the report looks at, amongst other things, “the finance factory: transactions will be touchless as automation and blockchain reach deeper into finance operations”.
The prediction about blockchain is particularly interesting to us at Cygnetise, as we have developed a blockchain-based application which changes how firms manage their own, their customers’ and their counterparties’ authorised signatories. Central to any firm’s contract management and governance protocols, the effective management of authorised signatories (including banking authorities) will undoubtedly be part of future operational resilience planning, implementation and best practice.
The Cygnetise application has already enabled some of the world’s biggest financial institutions to add security and efficiency to their authorised signatory procedures during the enforced remote working caused by the ongoing COVID-19 pandemic. Business continuity and ESG have also been enhanced for firms adopting the application, as it removes the need for paper-based or spreadsheet-based processes.