31st March 2022 – the deadline for Financial Services firms to have mapped their Important Business Services, set the Impact Tolerances and tested these against plausible scenarios. By now your firm should be into the guts of the project. If you are not sure whether your firm is covered by the regulation, or how you will identify and set the materiality of an Important Business Service, then you will definitely need to get started now.
So, in this paper we are not going to spend a lot of time telling you in detail who is covered by the regulation (but if you want to be reminded, have a look in the appendix at the end). The same goes for the definition of Operational Resilience, the key dates and the timeline.
With the budget season upon us, other Q4 2021 pressures and Christmas, the deadline will come about quickly, and many firms still have much to do. There is a lot to do to build a sustainable framework: involving all the right stakeholders, mapping the processes that underpin the Important Business Services and identifying the operational enablers (Facilities, Technology, People and Information (Data)) that facilitate the processes, while understanding how operational disruptions may impact each of these.
This paper will focus on three things: what must be done to meet the 31st March 2022 deadline; how best to set up a sustainable Operational Resilience Framework that will facilitate the continuing activities through the transition period to 31st March 2025 and enable an efficient and embedded framework to deliver value and the regulatory requirement after the transition period; and how to ensure that all your Important Business Services are mapped and kept up to date accurately, with less disruption, by using tools and accelerators to do this more quickly than traditional mapping techniques.
What must be done by the 31st March 2022… and how to get it done faster, better and with less disruption.
By the first deadline of 31st March 2022 each firm must have:
- Identified all their Important Business Services
- Mapped the processes and the enablers (people, technology, facilities and Information) that facilitate the Important Business Services
- Set the acceptable impact tolerances for each Important Business Service
- Identified and tested impact tolerances against severe but plausible scenarios
- Identified lessons learnt and remediating vulnerabilities
- Developed self-assessment documentation to be signed off by the board.
For this paper we will assume that the Important Business Services have been identified and focus on the other must-do tasks. If your firm has not done this yet, there is a lot more involved than may initially meet the eye; for example, a service may be considered important in one part of the business but not in another due to the customer demographic and/or volume of business.
Mapping the processes and the enablers that facilitate the Important Business Services
Traditional process mapping can trigger a huge amount of effort and involves coordination across multiple stakeholder groups, functions, business units, third party partners and suppliers, and geographies. For the same service, there may be multiple process variations and differences in their enablers, not to mention the variations in how work is done by individuals themselves. Luckily, the regulators have given some leeway on this and have stipulated that, for the 31st March 2022 deadline, the Important Business Services need only be mapped to a level of sophistication that enables the impact tolerances to be identified and tested. This, however, is not the end state, and further detail will need to be captured and appended during the transition period if not done in the first round. Usually, it is less work to capture everything in one go than to revisit the same ground several times; firms will have to decide between a stage-wise approach and a single baseline mapping activity.
Typically, a mapping exercise will involve a team of Business Analysts running workshops, holding interviews and observing the work of many different subject matter experts (SMEs) and then adding metrics and attributes. The issue with this method is that it is time consuming, hard to coordinate, inaccurate by design and disruptive to the operations of the firm. This alone may force firms to adopt a longer and more costly multi-stage timeline.
Another option is to use Automated Process Modelling to capture the process faster, more accurately and with little disruption. This method involves using data from core systems to build an end-to-end process (Process Mining) and then supplementing this with task information from recording the ‘live’ actions of the SMEs and operatives whilst working at their desktops (Robotic Process Discovery). Software tools are then used to analyse the processes to find vulnerabilities, unnecessary variation, and rework due to failures; the optimum process can then be identified and properly documented and embedded. This is more efficient and accelerates the mapping activity, thus making a one-stage approach easier to manage.
The key advantage of using automation to capture processes within the Operational Resilience journey is that it allows the team to focus these insights on setting impact tolerances, identifying scenarios, setting up the testing methodology and identifying where the vulnerabilities may be, moving the effort from data collection to value-driven tasks and relieving pressure on meeting the 31st March 2022 deadline.
Whichever way the processes and enablers are captured, it will be key for these processes to be mapped and stored in a robust process management tool. These tools enable a single view of the Important Business Services and all their processes, enablers and metrics to be available to all required stakeholders, while delivering accurate analysis and reporting capability of the Operational Resilience framework. The temptation may be to capture processes in a flat modelling tool; however, this will create issues with standards, future assessment and the ability to derive insights from the information captured to be able to set and maintain the Operational Resilience Framework.
Setting Impact Tolerances for each Important Business Service
The key aim of Operational Resilience is to ensure that, when disruption occurs, firms’ operations are resilient enough not to impact their customers, the wider financial sector or the firm itself to an intolerable level. Therefore, there is a need to understand the maximum tolerable disruption. This will differ for each Important Business Service and stakeholder, so understanding your customer and the effects of a disruption to the process and enablers that underpin the Important Business Service will be imperative. There are a number of factors that will need to be captured and understood to be able to make an objective decision on where the maximum tolerable disruption point is and how this point should be measured. Usually this will be time; however, other factors such as the vulnerability of the customer or systemic impact on the market may need to be taken into account.
It is important to note that this is not a one-time exercise and will need to be reviewed at least annually, so ensuring rigour in how the tolerances are derived should be focused on early. This is where the use of a governance tool will play a key part in making Operational Resilience sustainable going forward. The difficulty that many firms will have is that different stakeholder groups, e.g. Operational Risk, Business Continuity, onboarding etc., may have different tools in place that work for their own needs, and there is a balance to strike between overlaying these with a governance tool that pulls information together from all the relevant stakeholder groups and replacing them with a firmwide tool. Each firm will be different and there is no answer that fits all; however, making an informed decision early will benefit the progress to 31st March and the sustainability of the Operational Resilience Framework going forward.
Identifying and testing impact tolerances against severe but plausible scenarios
Operational Resilience regulation requires firms to identify severe but plausible scenarios that may impact the operations. These scenarios will then need to be tested to show that the firm has built in resilience to ensure that the impact tolerance level is not breached. Prior to the 31st March 2022 deadline these scenarios should be identified for each Important Business Service, a testing methodology defined and scenario testing started. There are a number of areas here where teams could be driven down rabbit holes in defining these scenarios, so the key will be to keep this logical by aligning them to the enablers and noting that the regulators are only looking for individual scenarios to be tested rather than complex variations.
As is the theme across the Operational Resilience regulation, this is not a one-time exercise. Building in the ability to sustain a testing regime, and to review scenarios and tweak these as the business evolves, will therefore be key. This is another reason to look at governance tools that will facilitate the embedding of the rigour of the scenarios and the testing of them, making compliance and insight into Operational Resilience efficient, less disruptive and actively managed.
Identifying Lessons learnt and remediating vulnerabilities
This is an area that needs to be started before the 31st March 2022 deadline but should be the core focus for the transition period to 31st March 2025. So, the key work required now is to put in place a robust Lessons Learnt method that will enable any vulnerabilities to be identified from the scenario testing, and the remediation and improvement of these processes to be tracked, fixed and retested, to ensure that by 31st March 2025 there is resilience across all the Important Business Services.
Reporting of the remediation and tracking of progress to close vulnerabilities is a key element of the self-assessment and is facilitated by the use of governance tools.
Developing self-assessment documentation to be signed off by the board
Ultimately, the responsibility to comply with the Operational Resilience regulation sits with the board, and they will be required to sign off the self-assessment annually and when there is change in the business. This documentation must be available to the regulator for a minimum of three years. The first self-assessment must be completed by 31st March 2022.
As with all attestations, there is a need to build a robust process to ensure that the board are given all the relevant information and that they understand and are able to rely on the work that has been carried out by the operational leaders to ensure Operational Resilience and the requirements of the regulators. This requires clear documentation of decisions made, an audit trail of how they were made and the justification for the decisions. As this is not a one-time exercise, this reporting needs to be able to be built off the first self-assessment foundation each subsequent time. The sooner that this process is developed and programme information becomes business as usual information, the smoother the transition period and beyond will be. Therefore, the adoption of a governance tool early to facilitate this is a worthwhile investment in time and cost prior to 31st March 2022, even if in reality the firm will not be in a position to use all the functionality by then due to potential project constraints.
Before the first deadline of 31st March 2022 there is a lot to do and a great deal of the resource effort will be focused on mapping the processes and enablers that underpin the ability to deliver the Important Business Services. However, this should not distract from the need to develop a robust, sustainable and embedded Operational Resilience Framework, so the investment into thinking how the governance of this can be maintained and the use of technology to enable this will set a strong foundation and facilitate the delivery by the deadline by enabling faster, more accurate mapping of the processes, sustainability through the use of an enterprise process management tool and governance tools to ensure ongoing compliance and audit trail of decisions made.
Ownet are able to support you through the full lifecycle of your Operational Resilience programme, advise on the best tools to support you and offer Mapping as a Service using our Automated Process modelling solution. For further information on how we can help please contact: Jeremy.James@ownet.co.uk
Definition and scope
Operational Resilience is: “The ability of Firms and Financial Market Infrastructures (FMIs) and the Financial Sector as a whole to prevent, adapt, respond to, recover and learn from operational disruptions”.
The scope covers all UK registered and regulated firms so this can include overseas firms, if registered in the UK.
Firms covered include banks, building societies, investment firms, insurers, solvency / society of Lloyd’s firms, recognised investment exchanges (RIEs), enhanced scope senior managers and certification regime firms, entities registered under PSRs 2017 and/or EMRs 2011, outsourcing partners and third parties.
Introduction and timescale
The three UK Financial Services regulators, the Bank of England, Prudential Regulatory Authority (PRA) and Financial Conduct Authority (FCA), concluded the Operational Resilience consultation process in October 2020 and issued the Operational Resilience Instrument in March 2021.
Operational Resilience Policy Statement PS 6/21 (PRA), Supervisory Statement SS1/21 (PRA), Outsourcing & Third-Party Supervisory Statement SS2/21 (PRA) and Operational Resilience Policy Statement PS 21/3 (FCA).
The key dates
- Consultation period concluded October 2020
- Policy implemented March 2021
- Rules come into force on 31st March 2022
- Transitional period ends on 31st March 2025