On 14 March 2019, the Bank of England (BoE) published a speech given by Nick Strange, BoE Director, Supervisory Risk Specialists, providing a progress report on operational resilience.
Operational resilience is defined in the speech as “the ability of firms, FMIs [financial market infrastructures] and the sector as a whole to prevent, respond to, recover and learn from operational disruptions”.
Key takeaways from the speech include:
- the BoE’s proposed approach to operational resilience is built on two key concepts: impact tolerance and business services;
- impact tolerance is a firm’s tolerance for disruption – in the form of a specific outcome or metric. Tolerance is built on the assumption that disruption will occur and that the tolerance remains the same irrespective of the precise nature of the shock. The tolerance is cause-agnostic. Rather than limiting risk mitigation efforts solely towards minimising the probability of a disruptive event occurring, impact tolerance focuses the board and senior management on minimising the impact, the actual disruption that would occur;
- business services are the products and services that a firm provides to its customers. By attaching an impact tolerance to a business service, the BoE provides a focus for firms’ efforts to enhance their operational resilience. The BoE’s focus is on business services not IT systems. So long as firms can continue to provide a service, the BoE is impartial as to how firms do this;
- the BoE will publish a consultation paper later this year to set out its proposed policies and explain its approach to supervising operational resilience;
- the BoE does not expect firms to be able to withstand the most extreme forms of disruption. It recognises that disruption will happen and it is unrealistic to expect that the BoE should have a zero tolerance for disruption;
- the BoE’s current operational work programme is twofold: (a) developing the supervisory approach to operational resilience in line with discussion paper 01/18 (building the UK financial sector’s operational resilience – our blog is here) and as part of that, (b) developing a cyber stress testing programme; and
- regarding a cyber stress testing programme, later in 2019, the BoE will hold an impact tolerance test for payments in a hypothetical scenario where firms’ IT systems supporting their payments function become unavailable. It will work with a small number of firms to test this approach and to gather initial information on whether an end-of-value date tolerance for this service would be appropriate from a financial stability point of view.