In our second post-pandemic webinar, Shoosmiths’ partners Susie Wakefield, John Hartley and Sam Tyfield considered key questions around the governance and regulation of Operational Resilience (OR) with guest speaker Charles Taylor (partner at Aldbury International).
Who needs to be operationally resilient?
- It is good business practice for regulated and non-regulated firms to be operationally resilient and all businesses should be thinking about their OR.
- Third-party suppliers to regulated firms, such as telecommunications systems or artificial intelligence providers, may find it particularly important, as regulated clients will now need to look at the resilience of their supply chains.
How does a firm ensure its suppliers are operationally resilient?
- This is likely to be a challenge for many firms where OR has been internally focused in the past.
- A good starting point is to compare your business continuity plan (BCP) with your supplier’s BCP to see if they align. For example, if maintaining communication with clients or customers forms part of a firm’s BCP, it would be prudent to compare the recovery times in the relevant supplier’s BCP, analyse any disconnects and address them appropriately.
Why is it important to be operationally resilient?
- The Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) have stated it is ‘not mandated but expected’ that regulated firms are compliant by the deadline of 31 March 2022.
- This means that regulated firms are expected to have carried out mapping and testing to demonstrate they are operationally resilient. Whilst this is not mandated, the regulators have said that if businesses have not done the work then action and investigations may follow.
- Firms should look at ‘near misses’ that have taken place in their industry and consider these when mapping and testing.
What are the penalties imposed by the regulators?
- The FCA and PRA can employ their existing punitive powers on regulated firms that are found to be non-compliant. Their powers are broad and include the softer side of enforcement, such as skilled person reports, as well as the full scale of financial penalties and warrants for seizures during dawn raids, which can result in follow-up investigations and proceedings.
- The Senior Managers and Certification Regime (SMCR) means senior individuals may ultimately be held responsible for failings in a firm’s OR.
What is operational resilience as far as the FCA is concerned?
- The FCA expects firms to take steps to work out their tolerance levels for failure and then look to mitigate any risks that exceed the identified level of tolerance.
- Both the FCA and PRA expect firms to build in a high level of tolerance for failure through the introduction of redundant systems. Firms should think about their ‘second XI’ (see below).
- The FCA wants to see that firms can demonstrate their OR. The challenge for firms is that they will have to:
- Produce a ‘holistic view’ of the firm and the key risks it faces; and
- Evidence their OR at the granular level required to overcome disruption to a particular business service.
How can firms develop OR?
- The focus should be on minimising disruption to clients.
- Firms should not be tempted to ‘boil the ocean’. There is a tendency for firms to over-identify business services. Instead, the firms should look to break down the business into key silos in order to examine and discover which business services are truly vital.
- Equally, it is important that firms stand back and understand the interconnectedness of the silos as a whole and understand which ones will have a knock-on effect on others when disrupted.
- Firms should avoid being introverted and need to consider how external factors and suppliers will affect their resilience.
- Testing, considering lessons learned and then re-testing is key to enabling firms to understand what their tolerances are. For example, a ‘second XI’ trial where key individuals are taken out of the equation to see how well the firm can operate when facing a disruptive event.
- Firms should think about how they would deal with a fast-moving disaster where they do not have time to prepare as they did for Covid-19.
- Firms will need to be able to document and demonstrate the steps they are taking in order to prove their OR to regulators.
Will the PRA apply a different operational resilience standard to the FCA?
- Whilst there may be differences in the detail, broadly both regulators’ expectations for OR are the same.
- The PRA oversees the prudential regulation of a wide range of market participants and all firms (regardless of size) will be held to the same operational standard. Unfortunately for some, there is no proportionality as far as the PRA is concerned.
- Another challenge, particularly for dual-regulated firms, is the lack of a clear consensus on the standard required for demonstrating when and how risks have been identified. The FCA seems to be taking a holistic approach to OR, but the PRA may not take the same approach.
- Firms should try to document everything and ensure they can demonstrate their OR planning.
What about firms’ human capital?
- Operational resilience is the responsibility of senior management but should form part of a firm’s overall culture. A good litmus test of this is successful ‘second XI’ test scenarios.
- Scenarios should be stress-tested to ensure that the people on the ground will be able to deal with a situation that has not formed part of the training.
- It is also vital to identify and build in scenarios that are relevant to the business and increase the stress level during testing to breaking point.
Who gets to decide what is ‘resilient’ and what is not?
- Regulators are ‘judge, jury and executioner’, so it is paramount to document the OR process in order to demonstrate resilience. The onus is on firms to maintain these records.
- Senior management must be aware of the policies, procedures and practices that are involved in OR or risk facing penalties.
- Prevention is better than cure – it is important to ensure robust policies and procedures are in place in advance and that these can be easily demonstrated.
- If a firm can demonstrate OR well, it can be a valuable marketing tool, as it positions the firm as one that can consistently weather scenarios of extreme duress.
- For unregulated firms like third-party suppliers, adhering to the same expectations as regulated firms may offer a valuable advantage over competitors when looking to supply a key business service to a regulated entity.
- If done right, OR builds resilience within a business, leading to happy clients and growth.
- If firms believe they are operationally resilient, they should document the details. If they are not, they need to remedy this.
- The penalties for falling foul of the FCA/PRA expectations are wide-ranging and could seriously harm a firm’s business, including its reputation.