
Building operational resilience

Key messages from the March 2021 Policy Statements

Justin Elks, Managing Director, Madeline Betts, Manager and Daniel Spreckley, Manager – Risk Consulting Financial Services
29/03/2021
“The unprecedented COVID-19 pandemic is a powerful reminder of our interconnectedness and vulnerabilities”

So said the G20 Leaders’ Summit statement of 26 March 2020, days before the publication of the Policy Statements on operational resilience from the UK regulators. The pandemic has clearly illustrated the importance of operational resilience and, while in many cases organisations responded well, many found they were less well prepared. This has reinforced the importance of building enhanced operational resilience. 

Our viewpoint

While UK financial services companies can take some comfort from dealing well with COVID-19, it is important not to be complacent. Organisations should not rely on a future stress being the same as the current pandemic. To be resilient, organisations need to be prepared, not just for today’s crises, but also for tomorrow’s challenges.

In this context, we are pleased that UK regulators have retained an outcome-focused approach in their Policy Statements, and continued with the direction of travel set out in previous Discussion and Consultation Papers, providing clarification while resisting being over-prescriptive in policy. We think this will give firms greater potential to tailor their operational resilience approaches to their businesses.

This, coupled with the pragmatism of a transition period, should help all firms to develop a practical approach to operational resilience, which fits their businesses and will enable them to build confidence in the resilience of their operating models.

Summary of timelines and requirements 

The Policy Statements on operational resilience and outsourcing, released on 29 March 2021, clarify the timeline for implementation.

By no later than 31 March 2022, firms are required to have completed the following actions.

  • Identify their important business services – in line with the regulators’ revised definitions, and with additional criteria and clarity provided in the Policy Statements, including the requirement for at least an annual review.
  • Set impact tolerances for each important business service – with refined definitions, firms are required to set time-based impact tolerances, consider the value of defining additional metrics and understand the impact of compounding effects across multiple important business services.
  • Map the chain of resources that delivers each important business service – end-to-end, at sufficient depth to identify vulnerabilities in operational resilience, with at least annual review but on the understanding that mapping sophistication will improve over time.
  • Commence a programme of scenario testing, and develop testing plans – for assessing the ability to remain within impact tolerances, noting that annual testing is not a requirement for each impact tolerance or resource type.
  • Develop and produce a first self-assessment – describing the operational resilience journey, and how policy requirements have been met.
  • Develop, agree and sign off a plan – detailing how compliance with new requirements and expectations will be achieved.
  • Implement new requirements on outsourcing and third-party risk management – including for all new arrangements entered into after 31 March 2021, with more time to align legacy agreements.
 

Timeline of key events



  • July 2018 – Discussion Paper: UK regulators take a strong and consistent approach to increase resilience across the financial services sector, and introduce operational resilience as a regulatory concept.
  • December 2019 – Consultation Papers: Set out proposed policy to ensure financial institutions can continue to provide key services, with only limited interruption, when faced with severe but plausible operational events.
  • March 2021 – Policy Statements: Set out implementation timeline for regulated firms to meet policy requirements.
  • March 2022 – Implementation: Firms expected to have implemented foundational elements of their operational resilience approach.
  • March 2025 – Transition ends: Firms expected to be operating within impact tolerances for their important business services.

Following initial implementation, companies have a transition period to ensure they can operate their important business services within the impact tolerances set, as soon as is reasonably practicable. This period will end no later than 31 March 2025.

A consistent direction of travel

The requirements set out in final Policy Statements remain largely consistent with the consultation phase. For the most part, changes provide additional clarity to support firms to effectively implement their operational resilience approaches, while not over-specifying what is required.

This approach means that firms that have made significant progress on operational resilience over the last few years will be well-placed to continue to develop, refine and embed their approaches, without having to make wholesale changes.

For those organisations which still have work to do, the publication of Policy Statements marks the point where it is now necessary to move quickly to accelerate efforts and put a practical approach in place. This will be helped by the regulators explicitly expecting firms to take a proportionate approach, only considering extra layers of complexity where there are significant benefits in building operational resilience.

Taking a practical approach

Based on our practical experience of working with clients in this area, we recommend firms concentrate their efforts on seven key areas.

  • Focus on what’s important to you as a business: having a deadline just under 12 months away may encourage firms to approach this work as if it were a ‘tick box’, regulatory compliance exercise. However, the regulators don’t want a one-size-fits-all approach. While it can be useful to understand the approaches of other firms, operational resilience needs to work in the context of your organisation and its operating model.
  • Understand your current position: to focus on what’s important, there is a requirement to understand your current position. In our experience we find that spending some time completing a gap analysis, to understand how existing capabilities can be leveraged to support the operational resilience approach, leads to a more efficient, cost-effective approach.
  • Engage the Board: the approach firms develop to operational resilience should help Boards to engage with strategic decisions about significant operational changes and investments. Board members have in the past struggled to engage in operational risk and resilience areas in the right way; they often see operational resilience as a positive initiative, and engaging them early can help to shape approaches to meet their needs.
  • Iteration and evolution are key to embedding: where firms have approached projects iteratively — for example, developing an initial approach, doing a pilot exercise to test it, and then applying these learnings to refine their approaches further — they have tended to have the most impact on their businesses.
  • Engage the wider business: approaching projects iteratively helps build understanding and engagement, and ultimately helps to embed approaches in the business. Project teams have found it is very difficult to make good progress and add value unless they have the active engagement and input from the wider business. If done well, operational resilience can help to break down business silos.
  • Don’t get bogged down in the detail: we have seen organisations struggle and get lost in the detail of mapping. Regulators have now clarified that mapping and testing of impact tolerances to a full level of sophistication are not seen as crucial within the first year. Firms should concentrate on the identification and testing of key resource constraints and service vulnerabilities which impact the ability to service customers, and not fall into the trap of getting lost in the detail during this initial phase.
  • Consider the extended enterprise: effective operational resilience includes engaging beyond the boundary of a business, and the management of third parties is central to many firms’ ability to remain resilient to disruption and external change. Operational resilience provides an effective lens for firms to assess and manage their exposure to third parties and material sub-outsourcing. Regulators have recognised that rules in this area have not kept pace with technological change, suggesting that outsourcing and third party risk management will be an increasing focus of regulatory activity.

Do not miss the opportunity to add value

This next year provides a good opportunity to build strong foundations in operational resilience. By taking a practical approach, and engaging the business to understand what works in your firm, you can enhance operational risk management and decision making, and increase your organisation’s ability to react faster and more effectively to disruption.

In doing this, it’s important not to lose sight of the business value that can be gained if operational resilience activity is done well. Building operational resilience in an organisation should result in the outcome that customers can trust the business to adapt to changing circumstances; that it can deal with stresses and disruptions whilst delivering on promises, achieving business objectives and operating within agreed tolerances. Operational resilience is important to customers, and they are more likely to select and be loyal to firms that are more resilient and respond well to operational disruption.

From what we’ve seen to date, our view is — done well — operational resilience can be an area where the cost of compliance is significantly exceeded by the organisational benefits gained and value realised.

Next steps

Where firms have already made significant progress, we anticipate changes will be easily integrated into existing approaches, as core policy elements remain largely unchanged. For companies just beginning to mobilise, final Policy Statements provide additional clarity to help them to move forward.

Irrespective of their stage of development, all firms must now focus on overcoming the practical challenges of implementation, learning lessons from their activity to date, and collaborating with external experts and their partners to develop an effective operational resilience approach.

 


How can Crowe help?

Crowe has been working with clients to develop, iterate and embed practical operational resilience approaches that are relevant and proportionate to their businesses. This has involved supporting them in establishing and embedding methodologies across all aspects of operational resilience, including identifying important business services, setting impact tolerances, completing end-to-end service mapping at the right level, and undertaking pilot reviews - to enhance effectiveness and achieve real business benefits.

For more information, please contact Justin Elks, Madeline Betts or Dan Spreckley.

Contact us

Daniel Bruce, Partner, Risk Consulting, London
Justin Baxter, Partner, Risk Consulting, London