The FCA is doubling down on the centrality of operational resilience. Regulators are keen to emphasise the importance of operational resilience not only in terms of protecting consumers, but also the wider market and firms themselves.
Against the backdrop of enhanced cyber risk and the significant disruptions caused by Covid-19, regulators have upped the ante and have started requesting specific details of firms’ efforts to implement PS21/3.
This latest request slots into the wider timeline for PS21/3, whereby all those affected are required to have mapped, tested, and made the necessary investments to enable them to operate consistently within their impact tolerances by 31st March 2025 at the absolute latest.
What is the survey asking?
Firms that are in-scope will be required to answer 107 questions, whilst those not in-scope will need to answer 96. A survey issued at the tail-end of 2022 required those engaged in the Wealth and Stockbroking sector to detail the number of important business services they had, as well as any outages that impacted customers’ ability to access services. Whilst this survey was not solely dedicated to operational resilience, the emphasis of the regulators is clear: operational resilience is as important as financial resilience.
A few points are particularly important:
- The survey covers 10 areas of operational resilience – Firms will need to be able to provide significant detail on all aspects of their operational resilience frameworks. This includes cyber risk and critical third parties.
- The SMF 24 has direct responsibility for the operational resilience programme – It is crucial that independent assurance is provided by market-leading SMEs who can benchmark their efforts to those of their peers.
- The FCA and PRA are taking operational failures seriously – In December 2022, a leading bank was fined a total of £48.65m for significant failures in operational risk management and governance.
Next Steps
With the heightened regulatory emphasis on operational resilience in mind, Firms need to take extra precaution not only to avoid fines and enhanced regulatory scrutiny, but also to ensure that they are able to withstand the full suite of potential operational disruptions. Independent assurance is crucial to ensuring that operational resilience frameworks are up to scratch.
At Novatus, we have market-leading experience across all facets of risk advisory. We can provide a rapid health check of your operational resilience programme and support in the implementation of enhancements required to ensure compliance. This ranges from project and stakeholder management to mapping and testing.
If you would like to discuss our offerings further, please contact Hugo Warner – hwarner@novatusadvisory.com.