On 6 October 2020, the PRA published a speech by Nick Strange (Senior technical advisor, supervisory risk specialists) entitled Resilience in a time of uncertainty.

Key points in the speech include:

  • The PRA expects to publish its final policy on building operational resilience following Consultation Paper 29/19 in Q1 2021.
  • Whilst it is too early to give detailed feedback on the consultation there are some high-level messages coming through. Respondents:
    • remain supportive of the UK supervisory authorities’ approach on operational resilience, particularly the focus on the resilience of important business services;
    • support what many have called a ‘paradigm shift’ for firms to assume disruption will occur, which encourages the development of response and recovery capabilities;
    • want the PRA to find effective ways to share what it sees as good practice and to encourage firms towards consistency of application of the rules and guidance;
    • want the UK supervisory authorities to remain consistent both in principle and in practical implementation of the new operational resilience policy. They also want consistency with other policies such as those related to recovery and resolution which will help firms implement strategic solutions; and
    • they also want consistency internationally, between different regulatory jurisdictions and global standard setters.
  • As firms have changed their way of working they have faced a changed operating environment and heightening of risks. In particular, many firms have also had to adjust their risk appetites and relax their controls, sanctioning ways of working they would not have accepted previously. This does increase fraud and insider trading risks, or the risk of confidential data leaks, but keeps important services running. Firms are actively looking at how they can enhance their controls given the potential long-duration of the current arrangements. This necessitates clear remote access policies, detailed risk assessments of new solutions and real time security monitoring and patch management.
  • The Basel Committee on Banking Supervision recently issued a consultative document setting out ‘Principles for Operational Resilience’. Looking at the Basel Committee consultation and the PRA consultation, despite some differences in terminology, it is clear that both are aligned on the following core principles: distinction between operational resilience and operational risk; operational resilience as an outcome, albeit defined in different ways; financial stability and safety and soundness lenses for operational resilience; identification of what firms do that’s important to both; the concept of a risk or impact tolerance to define what might be acceptable (and not zero failure); and the use of scenario testing to assure resilience.
  • Different jurisdictions will probably have different views on what they consider critical or important. This is not fragmentation, this is just accepting reality. The key thing for international cooperation is that jurisdictions respect each other’s judgement of what is critical and important.