So said the G20 Leaders’ Summit statement of 26 March 2020, days before the publication of the Policy Statements on operational resilience from the UK regulators. The pandemic has clearly illustrated the importance of operational resilience and, while in many cases organisations responded well, many found they were less well prepared. This has reinforced the importance of building enhanced operational resilience.
While UK financial services companies can take some comfort from dealing well with COVID-19, it is important not to be complacent. Organisations should not rely on a future stress being the same as the current pandemic. To be resilient, organisations need to be prepared, not just for today’s crises, but also for tomorrow’s challenges.
In this context, we are pleased that UK regulators have retained an outcome-focused approach in their Policy Statements, and continued with the direction of travel set out in previous Discussion and Consultation Papers, providing clarification while resisting being over-prescriptive in policy. We think this will give firms greater potential to tailor their operational resilience approaches to their businesses.
This, coupled with the pragmatism of a transition period, should help all firms to develop a practical approach to operational resilience, which fits their businesses and will enable them to build confidence in the resilience of their operating models.
The Policy Statements on operational resilience and outsourcing, released on 29 March 2021, clarify the timeline for implementation.
By no later than 31 March 2022, firms are required to have completed the following actions.
Timeline of key events
UK regulators take a strong and consistent approach to increase resilience across the financial services sector, and introduce operational resilience as a regulatory concept.
Set out proposed policy to ensure financial institutions can continue to provide key services, with only limited interruption, when faced with severe but plausible operational events.
Set out implementation timeline for regulated firms to meet policy requirements.
Firms expected to have implemented foundational elements of their operational resilience approach.
Firms expected to be operating within impact tolerances for their important business services.
Following initial implementation, companies have a transition period to ensure they can operate their important business services within the impact tolerances set, as soon as is reasonably practicable. This period will end no later than 31 March 2025.
The requirements set out in final Policy Statements remain largely consistent with the consultation phase. For the most part, changes provide additional clarity to support firms to effectively implement their operational resilience approaches, while not over-specifying what is required.
This approach means that firms that have made significant progress on operational resilience over the last few years will be well-placed to continue to develop, refine and embed their approaches, without having to make wholesale changes.
For those organisations which still have work to do, the publication of Policy Statements marks the point where it is now necessary to move quickly to accelerate efforts and put a practical approach in place. This will be helped by the regulators explicitly expecting firms to take a proportionate approach, only considering extra layers of complexity where there are significant benefits in building operational resilience.
Based on our practical experience of working with clients in this area, we recommend firms concentrate their efforts on seven key areas.
This next year provides a good opportunity to build strong foundations in operational resilience. By taking a practical approach, and engaging the business to understand what works in your firm, you can enhance operational risk management and decision making, and increase your organisation’s ability to react faster and more effectively to disruption.
In doing this, it’s important not to lose sight of the business value that can be gained if operational resilience activity is done well. Building operational resilience in an organisation should result in the outcome that customers can trust the business to adapt to changing circumstances; that it can deal with stresses and disruptions whilst delivering on promises, achieving business objectives and operating within agreed tolerances. Operational resilience is important to customers, and they are more likely to select and be loyal to firms that are more resilient and respond well to operational disruption.
From what we’ve seen to date, our view is that, done well, operational resilience can be an area where the cost of compliance is significantly exceeded by the organisational benefits gained and value realised.
Where firms have already made significant progress, we anticipate changes will be easily integrated into existing approaches, as core policy elements remain largely unchanged. For companies just beginning to mobilise, final Policy Statements provide additional clarity to help them to move forward.
Irrespective of their stage of development, all firms must now focus on overcoming the practical challenges of implementation, learning lessons from their activity to date, and collaborating with external experts and their partners to develop an effective operational resilience approach.
Crowe has been working with clients to develop, iterate and embed practical operational resilience approaches that are relevant and proportionate to their businesses. This has involved supporting them in establishing and embedding methodologies across all aspects of operational resilience, including identifying important business services, setting impact tolerances, completing end-to-end service mapping at the right level, and undertaking pilot reviews, to enhance effectiveness and achieve real business benefits.
For more information, please contact Justin Elks, Madeline Betts or Dan Spreckley.