United Kingdom (and EU regulation)

PRA speech on operational resilience

By Simon Lovegrove (UK) on May 6, 2021 Posted in Regulation and compliance, United Kingdom

On 5 May 2021, the PRA published a speech by Lyndon Nelson (Deputy CEO and Executive Director, Regulatory Operations and Supervisory Risk Specialists) entitled Operational resilience – outcomes in practice.

Key points in the speech include:

Mr Nelson believes that the publication of the PRA’s operational resilience final policy paper on 29 March 2021 will provoke a profound change.
Operational resilience is a very different risk when compared to financial resilience. Not least because of the size of the regulatory and central bank toolbox to deal with problems. In financial resilience the PRA has developed a tool kit that can be extensive. This contrasts with operational resilience. There is no bail out option if a firm is unable to function because of an operational incident. All firms will seek to be self-reliant, but for many there will be an increasing realisation that investment in collective action is a better way forward for many of the challenges that they face. The work of authorities such as the Cross Market Operational Resilience Group, the Finance Sector Cyber Collaboration Centre and the Financial Services Information Sharing and Analysis Center have shown what can be done when the industry works together.
In terms of the PRA’s policy on operational resilience, one issue is the timeline for implementation. The PRA is asking and expecting firms to have done quite a bit by 31 March 2022, but it is not expecting firms to have done everything. The PRA understands that tasks such as mapping and testing will evolve and will grow in sophistication over time. By 31 March 2022, the PRA will expect firms to be able to set out a compelling gap analysis. Firms should know where their major shortcomings are and therefore what areas need more work.
The PRA has seen a substantial increase in firms informing it of plans to advance digitization strategies. One consequence of this is the change in pace for firms’ plans to migrate functions to the Cloud. These plans might have been stretched out over five years but are not being spoken of in terms of a much shorter timeframe.
At the same time as the PRA published its operational resilience policy, it also published its policy on outsourcing and third party risk management. Whilst the PRA has retained its technologically neutral position, it has addressed some of the specific nuances and challenges involved in outsourcing to a Cloud service provider. For example, there is a renewed emphasis on data security, the management of sub-contractors and the supply chain and the importance of testing robust business continuity and contingency plans. Given some of the contractual and practical difficulties that financial institutions may face in getting appropriate assurance from Cloud service providers, the PRA’s updated policy also recognises a range of proportionate assurance mechanisms. For example, the use of what are known as ‘pooled audits’ where groups of firms work collaboratively to assess the control environment of a common service provider.