United Kingdom (and EU regulation)

PRA policy statement on operational resilience

By Lisa Lee Lewis (UK) and Simon Lovegrove (UK) on March 31, 2021 Posted in Regulation and compliance, United Kingdom

On 2 December 2019, the PRA published Consultation Paper 29/19: Operational resilience: Impact tolerances for important business services (CP29/19). CP29/19 set out the PRA’s proposal for PRA rules, a Supervisory Statement and a Statement of Policy designed to improve the operational resilience of firms and protect the wider financial sector and UK economy from the impact of operational disruptions. The draft rules and expectations sought to embed the concepts of the July 2018 Discussion Paper 1/18: Building the UK financial sector’s operational resilience, into the PRA’s prudential framework. CP29/19 proposed a set of requirements and expectations for firms to:

identify their important business services by considering how disruption to the business services they provide can have an impact on PRA objectives;
set an impact tolerance for disruption for each important business service; and
ensure they can continue to deliver their important business services and are able to remain within their impact tolerances during severe but plausible scenarios.

On 29 March 2021, the PRA published Policy Statement PS6/21: Operational resilience: Impact tolerances for important business services (PS6/21). PS6/21 provides:

new Operational Resilience Parts of the PRA Rulebook (Appendix 1);
amendments to the Group Supervision Part of the PRA Rulebook (Appendix 1);
a new Supervisory Statement 1/21: Operational Resilience: Impact tolerances for important business services (SS1/21); and
a new Statement of Policy – Operational resilience

PRA has grouped the feedback responses into the following categories:

important business services;
impact tolerances;
implementation timelines and remaining within impact tolerances;
mapping;
scenario testing;
governance;
self-assessment;
groups;
international alignment;
alignment with other policy areas; and
other responses.

The Operational Resilience Parts will be effective from 31 March 2022. The PRA states that to comply with the rules, firms should contact their supervisors to agree their plans for meeting the policy requirements.

SS1/21 will be effective from 31 March 2022.

We have a number of resources available to help you develop and strengthen your firm’s operational resilience. We can partner with you at any point across your operational resilience journey including:

interpretation and application of the new rules;
assessing governance, accountability, committee structure and reporting lines;
helping you prepare for regulatory change and advising on the design and implementation of the overall operational resilience programme;
carrying out independent assurance reviews;
identifying any deficiencies in areas such as digital, outsourcing, and third-party resilience; and
simulating impact scenarios for key stakeholders in a testing environment, including developing a bespoke training module around lessons learned.

For further information please get in touch with Lisa Lee Lewis or Simon Lovegrove.