The Financial Conduct Authority (FCA) has issued Policy Statement 21/3 (PS21/3) on March 29th confirming the rules first proposed in Consultation Paper 19/32 (CP19/32) to assist firms focusing and enhancing their operational resilience activity. Similarly, the Prudential Regulatory Authority (PRA) has published Policy Statement 6/21 (PS6/21) which confirms the rules drafted in their Consultation Paper 29/19 (CP29/19).
Overall, there is little deviation between the initial Consultation Papers and the Policy Statements however both regulators have provided useful clarification throughout on the back of substantial feedback across the industry. In addition, the regulators have taken the opportunity to align on key terminology and definitions where relevant.
Our initial analysis has identified the following:
- Important Business Services – Both regulatory bodies have focused on clarifying the criteria for understanding what constitutes an Important Business Service (and what doesn’t in so far as internal support services in general are concerned). We don’t see any material change in the Policy Statement language that would force firms to re-think their approach to defining their inventory of Important Business Services.
- Impact Tolerances – Unfortunately but unsurprisingly there is no significant further detail provided on ‘intolerable’ harm, so firms still need to work through their own understanding of this as a factor in setting their Impact Tolerances. There is useful clarification however, around how dual regulated firms should think through the potential of setting two Impact Tolerances (one aligned to each policy goal) – with the PRA setting clear criteria to identify firms who are required to assess the impact on financial stability as part of the tolerance setting process. Additionally, the PRA has also clarified that where IBS only pose a risk to consumer harm then it would not be necessary to set a PRA Impact Tolerance.
- Mapping – Most significant here is the emphasis on producing mapping that can support the identification of IBS, setting of Impact Tolerances and identification of vulnerabilities by 31st March 2022. The regulators envisage that further mapping may be then required to support the understanding of the ability of IBS to remain within Impact Tolerance by 31st March 2025.
- Scenario Testing – There is little that is fundamentally new in the context of scenario testing but it is useful to note the regulators' explicit call out of the requirement to understanding pan-IBS scenarios and the implications for Impact Tolerances, as well as the testing of individual IBS in their own right. Clarification around the frequency of scenario testing is helpful particularly for those smaller firms with no current capability to call upon in any meaningful way but it remains abundantly clear that the regulators will place a considerable emphasis on the understanding and action that is driven out of scenario testing, hence firms need to give careful consideration to how they will execute that testing in a robust manner.
- Governance and Self-Assessment – Clarifications around the role of the Board in reviewing and approving the underlying mapping and ultimately the Self-Assessment substantially reinforce the extent to which this Policy Statement places an onus on the Board to become significantly involved in the ownership and approval of operational resilience strategy. Beyond that, there is very little further definition or guidance on the nature and extent of the Self-Assessment document but there is a telling nod to the fact that the regulators could come knocking for a review of the document from 31st March 2022.
For all firms the Policy Statements do provide some useful clarity on existing points of contention however they also mark the start of a countdown to compliance that is fast approaching.
For organisations who are at the beginning of their journey, there is a lot of critical thinking and internal discussion required to ensure the implementation is effective and efficient. The clarifications and detail contained within the Policy Statements should prove useful inputs however, transitioning requirements into operational activity takes time and effort.
For firms who have already begun their implementation journey there is now an opportunity to pause and reflect on whether the scope and approach of their programmes is sufficient to enable them to meet the requirements within the stated timelines. Some of the clarifications provided in the policy statement may enable firms to tackle previously impassable hurdles or require firms to revisit work they have already completed.
If you would like to discuss this, or broader operational risk and resilience in more detail, please contact OpResilience@baringa.com