On 25 May 2022, Duncan Mackinnon (Executive Director for Supervisory Risk Specialists) gave a speech at the City and Financial 9th Annual Operational Resilience for Financial Institutions Summit. In his speech Mr Mackinnon discusses where the PRA expects firms to focus as they work towards building operational resilience by March 2025. By this time, firms will need to ensure they are resilient to disruption of their important business services, which, if disrupted, could pose a risk to their safety and soundness or, in certain cases, to the financial stability of the UK.
At the beginning of his speech Mr Mackinnon refers to earlier comments from David Bailey (Executive Director for UK deposit takers) covering some of the PRA’s initial findings from its assessment of UK deposit takers in the 12 months since the policy was published. In particular, Mr Mackinnon makes the point that firms have further work to do setting impact tolerances and boards and senior managers should engage closely on operational resilience to ensure this work is completed. Firms will also have to justify how they came to the conclusions they have, and demonstrate that the tolerance they have set will protect safety, soundness and financial stability.
Mr Mackinnon outlines the ways in which the regulator expects firms to take their work forward to 2025 and beyond:
- Implementing operational resilience policy – It is expected that firms’ mapping should include all critical resources and consider internal and external dependencies. Mapping should also become more sophisticated, in line with firms’ potential impact, enabling firms to identify vulnerabilities and inform the development of scenario testing. Testing itself should also be evolving, so that firms may assure their boards they can deliver important business services within impact tolerances through severe but plausible scenarios by end-March 2025.
- Scenario testing – Firms should use scenarios which assume disruption has occurred, whilst also including data integrity scenarios and incorporating third party disruption. Scenarios should consider the evolving risk environment and include cases where multiple parts of the organisation are disrupted simultaneously. For high impact important business services within systemic firms, desktop testing is ultimately unlikely to be sufficient. Finally, firms should ensure full coverage of important business services in their testing.
- Building resilience – Firms may have to build substitutability into the way services are delivered. In addition, firms may also need to review and adapt outsourcing arrangements, ensuring that if a third party supplier is disrupted, this does not lead to disruption of the service as a whole. In sum, firms should use this time to address vulnerabilities and build capabilities.
- International – The Financial Stability Board (FSB) is driving greater convergence in practices related to incident reporting, while work also continues with EU partners through the European Systemic Cyber Group (ESCG) and the G7 Cyber Expert Group, in order to increase the resilience of the global financial system and reduce the likelihood of conflicting requirements for firms operating in multiple jurisdictions.
- Embedding operational resilience – It is expected that operational resilience becomes a major consideration in firms’ investment programmes, reflecting firms’ awareness of their role in the wider system. Firms are still expected to manage their risks effectively and reduce the likelihood of disruption. Furthermore, if existing testing does not provide a firm with an end-to-end view of the resilience of its important business services, more work will have to be done.
Going forward, there are a number of initiatives in the pipeline. The Bank of England, PRA, FCA and HM Treasury are working together to develop measures to manage the systemic risks posed by critical third parties (CTPs) to UK financial institutions – including, but not limited to, cloud service providers. Furthermore, a joint discussion paper is intended to be published in 2022, informing future regulatory proposals relating to CTPs.