Operational resilience: Key Points for Firms
Who does the operational resilience regime apply to?
The regime applies to most banks, investment firms, exchanges, insurers and payment service/electronic money firms.
Why is it significant?
Firms will have to carry out substantial analysis of important business lines and assign impact tolerances to these business lines by March 2022. They will also have to stress test/scenario plan these, although there is a longer transition period for these tests.
It is likely that key pinch points will be legacy IT systems, how to monitor and integrate third-party providers, and the appropriate level of tolerance assigned to delays, outages or other failures.
In some cases, individuals (private persons) can bring a right of action (litigation) against the firm for breaching these rules. This will be more relevant to retail-focused firms/business lines.
What do firms have to do?
- Identification. A firm must identify important business services. Getting the identification of important business lines right is key and foundational to the project. This should be carried out on a service-by-service basis.
- Mapping. A firm must identify and document the necessary people, processes, technology, facilities and information required to deliver each of its important business services. Much of this mapping work could draw on current policies and procedures, in particular those used to implement/operationalise SMCR.
- Setting tolerance levels. For each of the important business services, a firm must set an impact tolerance and ensure it can continue to deliver important business services. The tolerance level/threshold is one which causes "intolerable harm" to clients. This appears to be intentionally vague and left to firms to determine.
Key points to note:
- the tolerance levels have to take into account relevant variables, particularly timing/duration. For example, the time tolerance level for an outage or an order processing system failing, or the quantum of loss on trades submitted due to a poorly functioning OMS;
- firms need to carry out tolerances and third-party suppliers; and
- tolerance levels need to be disaggregated to service line, rather than aggregating service lines together to give a single tolerance level for each.
- Communication. A firm will be required to have internal and external communication strategies in place for internal and external stakeholders.
- Governance. The process will require approval by the governing body in some areas and clear lines of responsibility. Where it exists, the regulators expect the Chief Operations Senior Management Function (SMF) 24 to have overall responsibility.
Action: the above needs to be completed by March 2022.
- Scenario testing. A firm must carry out regular scenario testing of its ability to remain within the impact tolerance for each of its important business services in the event of a severe but plausible disruption of operations. Scenario testing has a transitional period attached to it. Firms can, therefore, focus on scenario testing their important business services initially and will have until March 2025 to continue performing scenario testing, with a view to being able to remain within impact tolerances for each important business service by this date.
- Self-assessment. A firm must prepare and regularly update a written self-assessment of its compliance with requirements and be able to provide it to the relevant regulator when requested.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.